CVE-2022-20713
A vulnerability in the Clientless SSL VPN (WebVPN) component of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to conduct browser-based attacks. This vulnerability is due to improper validation of input that is passed to the Clientless SSL VPN component. An attacker could exploit this vulnerability by convincing a targeted user to visit a website that can pass malicious requests to an ASA device that has the Clientless SSL VPN feature enabled. A successful exploit could allow the attacker to conduct browser-based attacks, including cross-site scripting attacks, against the targeted user.
EPSS 1.72% · 82.8th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cisco | Cisco Adaptive Security Appliance (ASA) Software | 9.8.4.7, 9.8.4.10, 9.8.4.12 |
| cisco | adaptive_security_appliance_software | 9.14.4, 9.14.4.6, 9.14.4.7 |
| cisco | firepower_threat_defense | 7.3.1, 6.2.3, 6.2.3.2 |
| Cisco | Cisco Firepower Threat Defense Software | 6.2.3, 6.4.0.15, 6.2.3.15 |
Exploit Intelligence
- cisco-sa-asa-webvpn-LOeKsNmO (circl)
Timeline
- Aug 10, 2022 CVE Published
- Aug 11, 2022 EPSS Score
- Mar 7, 2023 EPSS Score
- Sep 16, 2024 CVE Updated
- Mar 19, 2025 EPSS Score
- Mar 20, 2025 EPSS Score
- Mar 23, 2025 EPSS Score
- Mar 24, 2025 EPSS Score
- Mar 28, 2025 EPSS Score
- Mar 29, 2025 EPSS Score
- Mar 30, 2025 EPSS Score
- May 5, 2025 EPSS Score