NEWS BRIEF
Cisco is warning customers of a security vulnerability affecting its Adaptive Security Appliance (ASA) that is being actively exploited by threat actors.
The bug, tracked as CVE-2014-2120 and a decade old, stems from insufficient input validation in ASA's WebVPN login page, which an unauthenticated remote attacker could use to conduct a cross-site scripting (XSS) attack.
In 2014, Cisco noted that "the vulnerability is due to insufficient input validation of a parameter," adding that an attacker could exploit the vulnerability by convincing the user to click on a malicious link.
Cisco now reports it became aware of in-the-wild exploitation attempts in November 2024 and recommends that customers upgrade to a fixed software release to mitigate the vulnerability. There are no workarounds for this flaw.
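Because this is a reflected XSS triggered by a crafted link, exploitation attempts leave a trace in web access logs: requests for the WebVPN login page whose query parameters carry HTML or script markup. The following is an added example, not Cisco's code or anything from the brief: it scans constructed access-log lines for such requests, decoding nested percent-encoding so a double-encoded payload is not missed. The login path `/+CSCOE+/logon.html` and the log format are assumptions; the brief does not name the vulnerable parameter, so every parameter is checked.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumed WebVPN login path (not stated in the brief); adjust for your deployment.
LOGON_PATHS = ("/+cscoe+/logon.html",)
# Markup fragments that have no business in a login-page query parameter.
MARKUP = re.compile(r"<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

# Constructed sample access-log lines (common log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2024:09:14:02 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 5120
203.0.113.7 - - [12/Nov/2024:09:14:05 +0000] "POST /+CSCOE+/logon.html HTTP/1.1" 302 0
198.51.100.23 - - [12/Nov/2024:10:02:11 +0000] "GET /+CSCOE+/logon.html?next=%3Cscript%3E HTTP/1.1" 200 5310
198.51.100.23 - - [12/Nov/2024:10:02:19 +0000] "GET /+CSCOE+/logon.html?next=%253Cimg%2520onerror%253D HTTP/1.1" 200 5310
192.0.2.9 - - [12/Nov/2024:11:30:44 +0000] "GET /index.html?q=%3Cb%3E HTTP/1.1" 200 800
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)')


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so a double-encoded value is still visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_suspicious_logon_requests(log_text):
    """Return (ip, timestamp, param, decoded_value) for login-page requests whose
    query parameters contain HTML/script markup. Other paths are ignored."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a well-formed access-log line
        parts = urlsplit(m.group("target"))
        if parts.path.lower() not in LOGON_PATHS:
            continue
        # parse_qsl decodes one layer; fully_decode peels off any further layers.
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            value = fully_decode(raw)
            if MARKUP.search(value):
                findings.append((m.group("ip"), m.group("ts"), name, value))
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_logon_requests(SAMPLE_LOG):
        print("suspicious logon request:", hit)
```

Hits should be correlated with the ASA software version in use; on an unpatched release they indicate exploitation attempts rather than mere scanning.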
"Exploiting decade-old vulnerabilities like the ASA WebVPN bug underscores a persistent challenge in cybersecurity, that legacy vulnerabilities often remain unaddressed due to the sheer volume of security issues organizations face today," Meny Har, CEO and co-founder of Opus Security, said in an emailed statement to Dark Reading. "Without effective prioritization frameworks, critical vulnerabilities can slip through the cracks."