Directory traversal in Cisco ASA & Cisco Firepower

Jijith Rajan
Published on
10 Jan 2022


An unauthenticated, remote attacker might use a vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software to conduct directory traversal attacks and read sensitive data on a targeted machine. A lack of sufficient input validation of URLs in HTTP requests performed by an affected device is the source of the vulnerability. An attacker could take advantage of this flaw by sending a specially crafted HTTP request to a device that contains directory traversal character sequences. A successful exploit could allow the attacker to view arbitrary files on the affected device’s web services file system. When the afflicted device is setup with WebVPN or AnyConnect functionality, the web services file system is enabled. This vulnerability cannot be used to get access to ASA or FTD system files or the underlying operating system (OS).


  • Update to the latest version
Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Jijith Rajan
Jijith Rajan
Cyber Security Engineer
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment