Attacks Target Cisco ASA Flaw From 2014

The flaw is a cross-site scripting vulnerability, and a botnet has been seen exploiting it

Cisco is warning that attackers are attempting to exploit a vulnerability in its ASA WebVPN product that was first disclosed in 2014. The flaw is a cross-site scripting vulnerability, and Cisco released an update for it in March 2014.

It’s not unusual for attackers to take random potshots at older bugs, especially bugs in high-value targets such as edge security devices. But exploits against a 10-year-old vulnerability are not something you see every day. 

CVEs: CVE-2014-2120

Why It Matters: The vulnerability itself is a relatively mundane XSS in the login page for the WebVPN feature of the ASA box. “A vulnerability in the WebVPN login page of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of WebVPN on the Cisco ASA. The vulnerability is due to insufficient input validation of a parameter. An attacker could exploit this vulnerability by convincing a user to access a malicious link,” the advisory says. Last week, security firm CloudSEK posted an analysis of a botnet called Androxgh0st that has been seen exploiting this vulnerability, and CISA has added the flaw to its Known Exploited Vulnerabilities catalog.

The Big Picture: The initial assessment of the vulnerability gave it a fairly low CVSS 4.3 score, but active exploitation of this flaw indicates that there are still unpatched boxes online more than 10 years after the vulnerability was disclosed. Any organization that hasn’t updated a vulnerable ASA appliance at this point should make that a priority. An attacker gaining a foothold on a security appliance is not the way you want to start your day.

“In November 2024, the Cisco Product Security Incident Response Team (PSIRT) became aware of additional attempted exploitation of this vulnerability in the wild. Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability,” the advisory says.