cbcvebase.
CVE-2020-27130
published 2020-11-17

CVE-2020-27130: A vulnerability in Cisco Security Manager could allow an unauthenticated, remote attacker to gain access to sensitive information. The vulnerability is due to…

PriorityP278critical9.1CVSS 3.1
AVNACLPRNUINSUCHIHAN
EPSS
65.91%
99.2th percentile
A vulnerability in Cisco Security Manager could allow an unauthenticated, remote attacker to gain access to sensitive information. The vulnerability is due to improper validation of directory traversal character sequences within requests to an affected device. An attacker could exploit this vulnerability by sending a crafted request to the affected device. A successful exploit could allow the attacker to download arbitrary files from the affected device.

Affected

3 ranges
VendorProductVersion rangeFixed in
ciscocisco_security_manager
ciscosecurity_manager<= 4.21
ciscosecurity_manager_path

Detection & IOCsextracted from sources · hover to see the quote

url/cwhp/XmpFileDownloadServlet?parameterName=downloadDoc&downloadDirectory=
path/athena/
bytes
|2e 2e 2f|
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco Security Manager Path Traversal - cwhp (CVE-2020-27130)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cwhp/XmpFileDownloadServlet?parameterName=downloadDoc&downloadDirectory="; fast_pattern; content:"|2e 2e 2f|"; reference:cve,2020-27130; classtype:attempted-admin; sid:2035106; rev:3; metadata:created_at 2022_02_04, cve CVE_2020_27130, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco Security Manager Path Traversal - athena (CVE-2020-27130)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/athena/"; fast_pattern; content:"|2e 2e 2f|"; reference:cve,2020-27130; classtype:attempted-admin; sid:2035105; rev:2; metadata:created_at 2022_02_04, cve CVE_2020_27130, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_02_04, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)
  • Monitor HTTP GET requests to the /athena/ path on Cisco Security Manager for embedded ../ traversal sequences (byte pattern |2e 2e 2f|).
  • Cisco Bug ID CSCvu99995 can be used to cross-reference vendor advisories and patch tracking for this specific path traversal issue.
  • ·No workarounds or mitigations exist; the only remediation is upgrading Cisco Security Manager to version 4.22 or later.
  • ·At time of advisory publication, Cisco was not aware of exploitation in the wild, but public PoC code was released by researcher Florian Hauser on November 16.

CVSS provenance

nvdv3.19.1CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvdv2.06.4MEDIUMAV:N/AC:L/Au:N/C:P/I:P/A:N
vendor_cisco9.1CRITICAL
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.