CVE-2020-27130
Published 2020-11-17
Priority P278 · critical · 9.1 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 65.91% (99.2th percentile)
A vulnerability in Cisco Security Manager could allow an unauthenticated, remote attacker to gain access to sensitive information. The vulnerability is due to improper validation of directory traversal character sequences within requests to an affected device. An attacker could exploit this vulnerability by sending a crafted request to the affected device. A successful exploit could allow the attacker to download arbitrary files from the affected device.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | cisco_security_manager | — | — |
| cisco | security_manager | <= 4.21 | — |
| cisco | security_manager_path | — | — |
Detection & IOCs
- url: /cwhp/XmpFileDownloadServlet?parameterName=downloadDoc&downloadDirectory=
- path: /athena/
- bytes: |2e 2e 2f|
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco Security Manager Path Traversal - cwhp (CVE-2020-27130)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cwhp/XmpFileDownloadServlet?parameterName=downloadDoc&downloadDirectory="; fast_pattern; content:"|2e 2e 2f|"; reference:cve,2020-27130; classtype:attempted-admin; sid:2035106; rev:3; metadata:created_at 2022_02_04, cve CVE_2020_27130, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco Security Manager Path Traversal - athena (CVE-2020-27130)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/athena/"; fast_pattern; content:"|2e 2e 2f|"; reference:cve,2020-27130; classtype:attempted-admin; sid:2035105; rev:2; metadata:created_at 2022_02_04, cve CVE_2020_27130, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_02_04, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)
- Monitor HTTP GET requests to the /athena/ path on Cisco Security Manager for embedded ../ traversal sequences (byte pattern |2e 2e 2f|).
- Cisco Bug ID CSCvu99995 can be used to cross-reference vendor advisories and patch tracking for this specific path traversal issue.
- No workarounds or mitigations exist; the only remediation is upgrading Cisco Security Manager to version 4.22 or later.
- At time of advisory publication, Cisco was not aware of exploitation in the wild, but public PoC code was released by researcher Florian Hauser on November 16.
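The monitoring advice above, applied to web access logs as an added example (not code from this page, Cisco, or the rule authors): it checks the same three conditions as the two rules, namely GET method, the URI marker, and the `../` sequence. The access-log layout, the percent-decoding step (logs usually hold the raw request line), and every sample line are assumptions; the sample lines are constructed.

```python
import re
from urllib.parse import unquote
# URI markers copied from the two ET rules on this page (sid 2035106, sid 2035105).
RULE_MARKERS = {
    "cwhp": "/cwhp/XmpFileDownloadServlet?parameterName=downloadDoc&downloadDirectory=",
    "athena": "/athena/",
}
TRAVERSAL = "../"  # the |2e 2e 2f| byte pattern
# Assumption: common/combined access-log layout, client address first,
# request line in double quotes.
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

def normalize(uri, max_rounds=3):
    """Percent-decode until stable so an encoded ../ is compared in plain form."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def match_line(line):
    """Return (client, rule_name) when a line meets a rule's conditions, else None."""
    m = REQUEST_RE.search(line)
    if m is None or m["method"] != "GET":  # both rules only fire on GET
        return None
    uri = normalize(m["uri"])
    if TRAVERSAL not in uri:
        return None
    for name, marker in RULE_MARKERS.items():
        if marker in uri:
            return m["src"], name
    return None

def scan(lines):
    return [hit for hit in map(match_line, lines) if hit is not None]

# Constructed sample lines: documentation addresses, placeholder file names.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Nov/2020:10:00:01 +0000] "GET /cwhp/XmpFileDownloadServlet?parameterName=downloadDoc&downloadDirectory=../../PLACEHOLDER HTTP/1.1" 200 512',
    '198.51.100.7 - - [17/Nov/2020:10:00:05 +0000] "GET /athena/..%2f..%2fPLACEHOLDER HTTP/1.1" 200 512',
    '192.0.2.20 - - [17/Nov/2020:10:00:09 +0000] "GET /athena/PLACEHOLDER HTTP/1.1" 200 128',
    '192.0.2.30 - - [17/Nov/2020:10:00:12 +0000] "POST /athena/../PLACEHOLDER HTTP/1.1" 404 0',
    '192.0.2.40 - - [17/Nov/2020:10:00:15 +0000] "GET /other/../PLACEHOLDER HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for client, rule in scan(SAMPLE_LOG):
        print(f"{client} matched {rule} (CVE-2020-27130)")
```

A hit here only shows that a matching request was logged; the response status and size on the same line are what indicate whether the server returned content.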
CVSS provenance
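| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| nvd | v2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |
| vendor_cisco | — | 9.1 | CRITICAL | — |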
Cisco
Cisco Security Manager Path Traversal Vulnerability
vendor_cisco·2020-11-16·CVSS 9.1
CVE-2020-27130 [CRITICAL] CWE-35 Cisco Security Manager Path Traversal Vulnerability
A vulnerability in Cisco Security Manager could allow an unauthenticated, remote attacker to gain access to and modify sensitive information on the affected device.
The vulnerability is due to improper validation of directory traversal character sequences within requests to an affected device. An attacker could exploit this vulnerability by sending a crafted request to the affected device. A successful exploit could allow the attacker to read or write arbitrary files on the affected device.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvis
CVSS: 3.1
CWE: CWE-35
Bug IDs: CSCvu99995
GHSA
GHSA-5f89-cfxh-c74m: A vulnerability in Cisco Security Manager could allow an unauthenticated, remote attacker to gain access to sensitive information
ghsa_unreviewed·2022-05-24
Suricata
ET EXPLOIT Cisco Security Manager Path Traversal - cwhp (CVE-2020-27130)
suricata·2022-02-04·CVSS 9.1
Suricata
ET EXPLOIT Cisco Security Manager Path Traversal - athena (CVE-2020-27130)
suricata·2022-02-04·CVSS 9.1
No public exploits indexed.
Tenable
CVE-2020-27125, CVE-2020-27130, CVE-2020-27131: Pre-Authentication Vulnerabilities in Cisco Security Manager Disclosed
blogs_tenable·2020-11-17·CVSS 7.4