Cisco ASA VPN and Cisco FTD - Unauthenticated Arbitrary File Deletion (CVE-2020-3187)

Name: Cisco ASA VPN and Cisco FTD - Unauthenticated Arbitrary File Deletion (CVE-2020-3187)
Published: 2021-09-21T00:00:00.000Z

Severity
CVE: CVE-2020-3187
CVSSv3 Score: 9.1
Exploitable with Sniper: No
Vulnerability description: Cisco ASA VPN and Cisco FTD are affected by an Unauthenticated Arbitrary File Deletion. An unauthenticated user can access the exposed session_password.html endpoint. The root cause of this vulnerability consists in insufficient validation of the HTTP input request.
Risk description: The risk exists that a remote unauthenticated attacker can delete any files, therefore compromising the Cisco server.
Recommendation: Upgrade the Cisco ASA server to a version higher than 9.14 or the FTD Server to a version higher than 6.6.0.
References: https://nvd.nist.gov/vuln/detail/CVE-2020-3187
Detectable with: Network Scanner
Vuln date: Jul 2020
Published at: Sep 2021
Updated at: Sep 2021
Software Type: VPN gateway
Vendor: Cisco
Product: ASA
Codename: Not available