Cisco has updated an advisory to warn its customers that a decade-old vulnerability in its Adaptive Security Appliance (ASA) is being exploited by threat actors.
The vulnerability, tracked as CVE-2014-2120, stems from insufficient validation of input to the ASA’s WebVPN login page. It could allow an unauthenticated, remote threat actor to conduct cross-site scripting (XSS) attacks against users of a vulnerable ASA. According to Cisco, exploitation requires only convincing a user, through social engineering or otherwise, to open a malicious link.
Cisco’s update follows a recent report that threat actors are leveraging CVE-2014-2120, alongside several other vulnerabilities in internet-facing applications, to spread AndroxGh0st malware and enlist compromised devices in the Mozi botnet.
Due to the recent exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2014-2120 to its Known Exploited Vulnerabilities (KEV) catalog and has ordered federal agencies to secure affected devices.
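Because the attack described above is a reflected XSS delivered through a link the victim is tricked into opening, the exploitation attempt is visible in whatever access or proxy logs cover the WebVPN login page. The following hunting script is an added example written for this page, not code from Cisco, Field Effect, or the original report. It assumes the ASA clientless VPN login path `/+CSCOE+/logon.html` (and an alternate `/+webvpn+/index.html`), a Common-Log-Format-style line layout, and uses constructed sample log lines; the vulnerable parameter name is not named in the advisory, so the script inspects every query parameter on the login page rather than guessing one.

```python
"""Hunt for reflected-XSS attempts against the ASA WebVPN login page.

Added example for this page (not Cisco's or Field Effect's code). The login
paths, the log line layout and the sample lines below are all assumptions.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Assumed ASA clientless VPN login paths (not named in the advisory).
WEBVPN_LOGIN_PATHS = ("/+CSCOE+/logon.html", "/+webvpn+/index.html")

# Markers that have no legitimate place in a login-page query parameter.
XSS_MARKERS = re.compile(
    r"<\s*script|javascript:|on\w+\s*=|<\s*img|<\s*svg|<\s*iframe|document\.cookie",
    re.IGNORECASE,
)

# Assumed CLF-like layout: src ident user [timestamp] "METHOD url proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(value, rounds=3):
    """Undo repeated URL encoding; attackers double-encode to dodge naive filters."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(url):
    """Return (name, decoded value) for login-page parameters carrying XSS markers."""
    parts = urlsplit(url)
    if parts.path not in WEBVPN_LOGIN_PATHS:
        return []  # only the WebVPN login page is in scope for this rule
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = decode_fully(value)  # parse_qsl already decoded one layer
        if XSS_MARKERS.search(decoded):
            hits.append((name, decoded))
    return hits


def scan(lines):
    """Parse each log line and collect alerts for suspicious login-page requests."""
    alerts = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line: skip rather than crash the hunt
        hits = suspicious_params(match["url"])
        if hits:
            alerts.append({
                "src": match["src"],
                "ts": match["ts"],
                "status": match["status"],
                "params": hits,
            })
    return alerts


# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOGS = [
    # Benign login page load.
    '203.0.113.10 - - [02/Dec/2024:10:00:01 +0000] '
    '"GET /+CSCOE+/logon.html HTTP/1.1" 200 1532',
    # Payload URL-encoded once.
    '198.51.100.7 - - [02/Dec/2024:10:00:05 +0000] '
    '"GET /+CSCOE+/logon.html?reason=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 1601',
    # Same idea, double-encoded to slip past a single-pass filter.
    '198.51.100.7 - - [02/Dec/2024:10:00:09 +0000] '
    '"GET /+CSCOE+/logon.html?next=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 1598',
    # A marker outside the login page is out of scope for this rule.
    '192.0.2.44 - - [02/Dec/2024:10:01:00 +0000] '
    '"GET /static/app.js?v=%3Cscript%3E HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
```

Two points for anyone adapting this: the source address in a hit belongs to the victim whose browser followed the link, not to the attacker, so the useful follow-up is to check which account authenticated from that session afterwards; and a 200 response to a payload-bearing request only shows the page was served, not that the script executed, so this rule flags attempts to investigate rather than confirmed compromise.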
Source: The Hacker News
Analysis
The exploitation of CVE-2014-2120 highlights the importance of patching vulnerable devices and software within a reasonable time frame. Given that Cisco disclosed and patched this vulnerability in 2014, it’s unfortunate, and irresponsible, that some systems remain unpatched 10 years later.
According to the Shadowserver Foundation, approximately 23,000 Cisco ASAs are exposed to the internet worldwide, the majority of them in the U.S. Although only a small portion of those are likely still vulnerable to CVE-2014-2120, that still represents a sizeable attack surface that threat actors will no doubt seek to take advantage of.
Image 1: Internet-exposed Cisco ASA deployments (Source: The Shadowserver Foundation)
Cisco’s ASA products have a history of being targeted by sophisticated threat actors. For example, in April 2024, the state-sponsored threat actor UAT4356 exploited two zero-day vulnerabilities in Cisco’s ASA and Firepower Threat Defense (FTD) firewalls to compromise government networks in a campaign dubbed ArcaneDoor.
Mitigation
Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in software, appliances, and operating systems. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the exploitation of these vulnerabilities. Field Effect MDR users are automatically notified when vulnerable software is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect MDR portal.
Field Effect strongly encourages users of vulnerable Cisco ASAs to install the latest security patch as soon as possible in accordance with Cisco’s advisory.