PR
CVE 2024 20353 trex
projectdiscovery/nuclei-templates#13326

/claim #13309

Template / PR Information

Description:-

This PR adds a new Nuclei detection template for the high-severity CVE-2024-20353 vulnerability affecting Cisco ASA and FTD software management and VPN web servers. The vulnerability allows unauthenticated remote attackers to cause device reloads via crafted HTTP headers resulting in denial-of-service.

Proof of Concept (POC)

Refer to the included Nuclei template file CVE-2024-20353.yaml for the full POC HTTP requests and detection logic.

POC: https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/

  • Added CVE-2024-20353
  • References:

Template Validation

Testing and Verification

  • Verified against a fully functional lab environment simulating vulnerable Cisco ASA devices with realistic HTTP/S endpoints and device reboot cycles.
  • Lab environment setup includes Dockerfile, vulnerable Python server, and Nginx configuration to simulate device behavior and crashes.
  • Tested with the following command to produce debug output for triage:

nuclei -t templates/CVE-2024-20353.yaml -target https://localhost:8443 -debug -v

Logs and crash simulations are available in the lab’s log directory for post-test analysis.

nuclei -t templates/CVE-2025-57819.yaml -u https://localhost:8443 -debug -v
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.4.10
projectdiscovery.io
[VER] Started metrics server at localhost:9092
[INF] Current nuclei version: v3.4.10 (latest)
[INF] Current nuclei-templates version: v10.2.9 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 182
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [cisco-asa-ftd-http-header-vuln] Dumped HTTP request for https://localhost:8443/+CSCOE+/logon.html
GET /+CSCOE+/logon.html HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Connection: close
Accept-Encoding: gzip
[VER] [cisco-asa-ftd-http-header-vuln] Sent HTTP request to https://localhost:8443/+CSCOE+/logon.html
[DBG] [cisco-asa-ftd-http-header-vuln] Dumped HTTP response https://localhost:8443/+CSCOE+/logon.html
HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
Date: Fri, 19 Sep 2025 14:22:45 GMT
Referrer-Policy: strict-origin-when-cross-origin
Server: Cisco-HTTP/2.0
X-Asa-Version: 9.18.4.50
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Request-Id: 1
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>SSL VPN Service</title>
<style>
body { font-family: Arial, sans-serif; margin: 0; padding: 20px; background: #f5f5f5; }
.container { max-width: 400px; margin: 50px auto; background: white; padding: 30px; border-radius: 8px; box-shadow: 0 2px 10px rgba(0,0,0,0.1); }
.logo { text-align: center; color: #0066cc; margin-bottom: 20px; }
.form-group { margin-bottom: 15px; }
input[type="text"], input[type="password"] { width: 100%; padding: 10px; border: 1px solid #ddd; border-radius: 4px; }
.login-btn { width: 100%; padding: 12px; background: #0066cc; color: white; border: none; border-radius: 4px; cursor: pointer; }
.footer { text-align: center; margin-top: 20px; color: #666; font-size: 12px; }
</style>
</head>
<body>
<div class="container">
<div class="logo">
<h1>🔒 Cisco ASA</h1>
<h2>SSL VPN Service</h2>
</div>
<form action="/+CSCOE+/saml/sp/login" method="post">
<div class="form-group">
<input type="text" name="username" placeholder="Username" required>
</div>
<div class="form-group">
<input type="password" name="password" placeholder="Password" required>
</div>
<button type="submit" class="login-btn">Login</button>
</form>
<div class="footer">
<p>Cisco Systems, Inc. All rights reserved.</p>
<p>+CSCOE+ WebVPN Portal | ASDM 7.18.1</p>
<p><strong>⚠️ Vulnerable to CVE-2024-20353</strong></p>
</div>
</div>
</body>
</html>
[cisco-asa-ftd-http-header-vuln:cisco-device] [http] [high] https://localhost:8443/+CSCOE+/logon.html ["Cisco-HTTP/2.0","200"]
[INF] [cisco-asa-ftd-http-header-vuln] Dumped HTTP request for https://localhost:8443/+CSCOE+/logon.html
GET /+CSCOE+/logon.html HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Connection: close
X-Exploit-Test: crash-this-server
Accept-Encoding: gzip
[VER] [cisco-asa-ftd-http-header-vuln] Sent HTTP request to https://localhost:8443/+CSCOE+/logon.html
[DBG] [cisco-asa-ftd-http-header-vuln] Dumped HTTP response https://localhost:8443/+CSCOE+/logon.html
HTTP/1.1 502 Bad Gateway
Connection: close
Content-Length: 208
Content-Type: text/html
Date: Fri, 19 Sep 2025 14:22:46 GMT
Server: Cisco-HTTP/2.0
<html><body><h1>🔄 Cisco ASA Device Reloading...</h1><p>The device is recovering from an unexpected reload.</p><p style="color:red;"><strong>CVE-2024-20353 may have been triggered</strong></p></body></html>
[cisco-asa-ftd-http-header-vuln:cisco-device] [http] [high] https://localhost:8443/+CSCOE+/logon.html ["Cisco-HTTP/2.0","200","502"]
[INF] [cisco-asa-ftd-http-header-vuln] Dumped HTTP request for https://localhost:8443/+CSCOE+/logon.html
GET /+CSCOE+/logon.html HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Connection: close
Accept-Encoding: gzip
[VER] [cisco-asa-ftd-http-header-vuln] Sent HTTP request to https://localhost:8443/+CSCOE+/logon.html
[DBG] [cisco-asa-ftd-http-header-vuln] Dumped HTTP response https://localhost:8443/+CSCOE+/logon.html
HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
Date: Fri, 19 Sep 2025 14:22:46 GMT
Referrer-Policy: strict-origin-when-cross-origin
Server: Cisco-HTTP/2.0
X-Asa-Version: 9.18.4.50
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Request-Id: 3
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>SSL VPN Service</title>
<style>
body { font-family: Arial, sans-serif; margin: 0; padding: 20px; background: #f5f5f5; }
.container { max-width: 400px; margin: 50px auto; background: white; padding: 30px; border-radius: 8px; box-shadow: 0 2px 10px rgba(0,0,0,0.1); }
.logo { text-align: center; color: #0066cc; margin-bottom: 20px; }
.form-group { margin-bottom: 15px; }
input[type="text"], input[type="password"] { width: 100%; padding: 10px; border: 1px solid #ddd; border-radius: 4px; }
.login-btn { width: 100%; padding: 12px; background: #0066cc; color: white; border: none; border-radius: 4px; cursor: pointer; }
.footer { text-align: center; margin-top: 20px; color: #666; font-size: 12px; }
</style>
</head>
<body>
<div class="container">
<div class="logo">
<h1>🔒 Cisco ASA</h1>
<h2>SSL VPN Service</h2>
</div>
<form action="/+CSCOE+/saml/sp/login" method="post">
<div class="form-group">
<input type="text" name="username" placeholder="Username" required>
</div>
<div class="form-group">
<input type="password" name="password" placeholder="Password" required>
</div>
<button type="submit" class="login-btn">Login</button>
</form>
<div class="footer">
<p>Cisco Systems, Inc. All rights reserved.</p>
<p>+CSCOE+ WebVPN Portal | ASDM 7.18.1</p>
<p><strong>⚠️ Vulnerable to CVE-2024-20353</strong></p>
</div>
</div>
</body>
</html>
[cisco-asa-ftd-http-header-vuln:cisco-device] [http] [high] https://localhost:8443/+CSCOE+/logon.html ["Cisco-HTTP/2.0","200","502"]
[INF] Scan completed in 545.654625ms. 3 matches found.

Contribution Checklist

  • Complete POC included in the template.
  • Detection does not rely solely on version-based checks; it uses behavioral response analysis.
  • Debug data instructions provided to aid triage.
  • Vulnerable environment setup provided (Dockerfile, server scripts, Nginx config).

I’ve validated this template locally?

  • YES
  • NO

Additional Details (leave it blank if not applicable)

Additional References:

Claim

Total prize pool $100
Total paid $0
Status Pending
Submitted September 19, 2025
Last updated September 19, 2025

Contributors

Trex

@Trex96

100%

Sponsors

ProjectDiscovery

@projectdiscovery

$100
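
A triage helper for debug output of the shape shown above, added here as an example (it is not part of the PR or of the template). It pairs each result line with the request and response that preceded it and marks results that fired on an unmodified request answered with 200, which indicates a fingerprint match rather than a behavioural one. The `triage` function, its field names and the embedded log (constructed, abbreviated from the format above) are assumptions.

```python
import re

# Constructed sample: two exchanges in the shape of the debug output above, bodies dropped.
URL = "https://localhost:8443/+CSCOE+/logon.html"
TID = "cisco-asa-ftd-http-header-vuln"
SAMPLE = f"""\
[INF] [{TID}] Dumped HTTP request for {URL}
GET /+CSCOE+/logon.html HTTP/1.1
Host: localhost:8443
Connection: close
[DBG] [{TID}] Dumped HTTP response {URL}
HTTP/1.1 200 OK
Server: Cisco-HTTP/2.0
[{TID}:cisco-device] [http] [high] {URL} ["Cisco-HTTP/2.0","200"]
[INF] [{TID}] Dumped HTTP request for {URL}
GET /+CSCOE+/logon.html HTTP/1.1
Host: localhost:8443
Connection: close
X-Exploit-Test: crash-this-server
[DBG] [{TID}] Dumped HTTP response {URL}
HTTP/1.1 502 Bad Gateway
Server: Cisco-HTTP/2.0
[{TID}:cisco-device] [http] [high] {URL} ["Cisco-HTTP/2.0","200","502"]
"""

RESULT = re.compile(r"^\[[\w-]+:([\w-]+)\] \[http\] \[\w+\] \S+")
HEADER = re.compile(r"^([A-Za-z0-9-]+):\s")
STATUS = re.compile(r"^HTTP/\d(?:\.\d)? (\d{3})")

def triage(log):
    """Pair each result line with the request/response that preceded it."""
    findings, baseline, req, status, mode = [], None, set(), None, None
    for line in log.splitlines():
        if "Dumped HTTP request" in line:
            mode, req = "req", set()
        elif "Dumped HTTP response" in line:
            mode, status = "resp", None
            baseline = req if baseline is None else baseline  # first request seen
        elif (m := RESULT.match(line)):
            extra = sorted(req - (req if baseline is None else baseline))
            findings.append({"matcher": m[1], "status": status, "extra_headers": extra,
                             # unmodified request answered normally
                             "fingerprint_only": not extra and status == "200"})
            mode = None
        elif mode == "req" and (h := HEADER.match(line)):
            req.add(h[1].lower())
        elif mode == "resp" and status is None and (s := STATUS.match(line)):
            status = s[1]
    return findings
```

Run over the full debug output above, the first and third results come back with `fingerprint_only` set, since both follow requests that carry no header beyond the first request's and both received 200.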