Decade-Old Cisco Vulnerability Under Active Exploit
Cisco encourages users to update to an unaffected version of its Adaptive Security Appliance (ASA) software since there are no workarounds for the 2014 vulnerability.
December 3, 2024
NEWS BRIEF
Cisco is warning customers of a security vulnerability impacting its Adaptive Security Appliance (ASA) that is actively being exploited by threat actors.
The bug, tracked as CVE-2014-2120 and a decade old, involves insufficient input validation in ASA's WebVPN login page, through which an unauthenticated remote attacker could enact a cross-site scripting (XSS) attack.
In 2014, Cisco noted that "the vulnerability is due to insufficient input validation of a parameter," adding that an attacker could exploit the vulnerability by convincing the user to click on a malicious link.
Cisco now reports it became aware of in-the-wild exploitation attempts in November 2024 and recommends that customers upgrade to a fixed software release to mitigate the vulnerability. There are no workarounds for this flaw.
"Exploiting decade-old vulnerabilities like the ASA WebVPN bug underscores a persistent challenge in cybersecurity, that legacy vulnerabilities often remain unaddressed due to the sheer volume of security issues organizations face today," Meny Har, CEO and co-founder of Opus Security, said in an emailed statement to Dark Reading. "Without effective prioritization frameworks, critical vulnerabilities can slip through the cracks."
Read more about:
news briefsAbout the Author
You May Also Like