Cisco warns of active exploitation of a 10-year-old Cisco ASA vulnerability
Take action: If you haven't patched your Cisco ASA for 10 years and are still using it, SHAME ON YOU. It's very possible that your Cisco ASA is out of support and you won't be able to patch it without paying now. So move away from the WebVPN of Cisco ASA and replace it, as it's probably long past its end of life. Otherwise patch, or if all else fails, wait to be hacked.
Cisco has issued a warning about active exploitation of a decade-old vulnerability (CVE-2014-2120) affecting its Adaptive Security Appliance (ASA) software's WebVPN feature.
The company confirmed detection of exploitation attempts in November 2024.
Vulnerability details
- CVE-2014-2120 (CVSS score 6.1) - Cross-site scripting (XSS) - The vulnerability stems from insufficient input validation in the ASA WebVPN login page parameter, allowing an unauthenticated remote attacker to conduct cross-site scripting attacks. Successful exploitation requires convincing users to click on malicious links.
Cisco's Product Security Incident Response Team (PSIRT) has confirmed active exploitation attempts as of November 2024. The company emphasizes that no workarounds exist for this vulnerability, and strongly recommends that customers upgrade to a fixed software release immediately.