Cisco Warns of Attacks Exploiting Decade-Old ASA Vulnerability


Cisco on Monday updated an advisory covering a decade-old vulnerability to warn customers about in-the-wild exploitation. 

The vulnerability is tracked as CVE-2014-2120 and is described as a medium-severity reflected cross-site scripting (XSS) vulnerability in the WebVPN login page of Cisco Adaptive Security Appliance (ASA) products.

According to the networking giant, an unauthenticated, remote attacker can exploit the vulnerability to conduct XSS attacks against WebVPN users by getting them to click on a malicious link. Because the flaw is reflected, the attacker's script is carried in the link the victim follows and executes in the victim's browser in the context of the WebVPN portal; the appliance itself is not directly compromised.
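The practical detection question for a reflected XSS on a login page is whether anyone is sending script payloads at that page, since the appliance will happily serve the page to an unauthenticated scanner. The script below is an added example, not code from the article, Cisco or CloudSEK: it walks reverse-proxy or load-balancer access logs in combined format, decodes repeatedly percent-encoded query strings (probes are often double-encoded to slip past naive filters) and flags requests to the ASA WebVPN login page whose parameters carry script tags, event handlers or javascript: URIs. The login path `/+CSCOE+/logon.html` is assumed here to be the ASA default, and the vulnerable parameter name is not known from the advisory, so every parameter is inspected. The log lines are constructed for the example.

```python
"""Flag reflected-XSS probes aimed at a Cisco ASA WebVPN login page.

Added example (not from the article, Cisco or CloudSEK). Assumptions:
- the WebVPN login page is at /+CSCOE+/logon.html (assumed ASA default);
- logs are Apache/NGINX "combined" format from a proxy in front of the ASA.
The vulnerable parameter is not named in the advisory, so all are checked.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed login paths, compared case-insensitively after decoding.
LOGIN_PATHS = {"/+cscoe+/logon.html", "/+cscoe+/logon"}

# Payload shapes typical of reflected-XSS probing.
XSS_PATTERNS = [
    ("script-tag", re.compile(r"<\s*script", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
    ("event-handler", re.compile(r"\bon(load|error|click|mouseover|focus|mouseenter)\s*=", re.I)),
    ("html-injection", re.compile(r"<\s*(img|svg|iframe|body|object)\b", re.I)),
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding until the value stops changing."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_line(line):
    """Return a finding dict for a suspicious login-page request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if fully_decode(parts.path).lower() not in LOGIN_PATHS:
        return None
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_decode(raw)  # parse_qsl already decoded one layer
        for label, pattern in XSS_PATTERNS:
            if pattern.search(value):
                return {
                    "src": m.group("src"),
                    "ts": m.group("ts"),
                    "param": name,
                    "value": value,
                    "indicator": label,
                }
    return None


def scan(lines):
    """Run analyze_line over an iterable of log lines; return all findings."""
    findings = []
    for line in lines:
        hit = analyze_line(line)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample log: one benign login, two probes, one off-path probe.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Dec/2024:10:00:01 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [02/Dec/2024:10:00:07 +0000] "GET /+CSCOE+/logon.html?reason=1&a=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4312 "-" "python-requests/2.31"',
    '198.51.100.23 - - [02/Dec/2024:10:00:09 +0000] "GET /+CSCOE+/logon.html?x=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 4312 "-" "python-requests/2.31"',
    '198.51.100.23 - - [02/Dec/2024:10:00:11 +0000] "GET /index.html?q=%3Cscript%3E HTTP/1.1" 404 153 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} param={f['param']} {f['indicator']}: {f['value']}")
```

A hit here means someone is probing the portal, not that a user was successfully attacked; the follow-up is to confirm the ASA is on a fixed release and to look for the same source IP across other VPN and web endpoints, since the Androxgh0st activity described below sprays many unrelated exploits from the same hosts.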

Cisco published its initial advisory for CVE-2014-2120 in March 2014; it did not ship a public patch at the time but told customers to contact their support channels to obtain a fixed software version.

“In November 2024, the Cisco Product Security Incident Response Team (PSIRT) became aware of additional attempted exploitation of this vulnerability in the wild. Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability,” Cisco said in an update added on December 2.

Cisco’s update comes after the cybersecurity agency CISA added CVE-2014-2120 to its Known Exploited Vulnerabilities (KEV) catalog on November 12, requiring federal civilian agencies to address the flaw in their environments by December 3.

CISA’s KEV update came just days after cybersecurity firm CloudSEK published a blog post describing significant changes in the Androxgh0st botnet, including the exploitation of multiple vulnerabilities for initial access to systems, and a potential operational integration with the Mozi botnet, which was shut down by Chinese authorities in late 2023. 

CloudSEK has seen the Androxgh0st botnet attempting to exploit vulnerabilities in Cisco, Atlassian, Metabase, Sophos, Oracle, OptiLink, TP-Link, Netgear, and GPON products, as well as in PHP and a WordPress plugin. The list of exploited flaws includes the Cisco ASA vulnerability CVE-2014-2120. 


The security firm saw hundreds of devices that had been compromised by the Androxgh0st botnet. 

In the case of CVE-2014-2120, CloudSEK reports that the threat actor sent specially crafted requests intended to upload arbitrary files and inject malicious code into PHP files on the server, for persistence and further backdooring. That description does not match the flaw as Cisco defines it: a reflected XSS in the ASA WebVPN login page runs script in a victim user's browser and gives the attacker neither file upload nor code execution on the appliance, which is a network device rather than a PHP web host. The requests are better read as the botnet spraying a generic web-shell payload at the login page alongside its other exploits; the useful response is still to confirm the ASA is on a fixed release and to treat hits on the login path as scanning activity, not to hunt for PHP web shells on the appliance itself.

According to previous reports, Androxgh0st enables cybercriminals to gain access to websites and business systems, and obtain sensitive information such as credentials. They can abuse compromised systems to conduct further attacks, including cryptocurrency mining and DDoS attacks. 

Related: ProjectSend Vulnerability Exploited in the Wild

Related: 400,000 Systems Potentially Exposed to 2023’s Most Exploited Flaws

Related: Cisco Patches Vulnerability Exploited in Large-Scale Brute-Force Campaign

Related: Citrix, Cisco, Fortinet Zero-Days Among 2023’s Most Exploited Vulnerabilities
