Cisco Urges Immediate Patch for Decade-Old WebVPN Vulnerability

  • Critical Patch Alert: Cisco ASA users must urgently address a 10-year-old WebVPN vulnerability (CVE-2014-2120) that attackers are now actively exploiting.
  • XSS Risk Identified: The flaw allows unauthenticated attackers to perform cross-site scripting (XSS) attacks via malicious links, potentially compromising sensitive data and injecting malware.
  • Active Exploitation: Recent reports highlight that malware like AndroxGh0st is leveraging CVE-2014-2120, prompting Cisco to update its advisory in November 2024.
  • Government Action Required: CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalogue, mandating federal agencies to patch it by December 3, 2024.
  • No Workaround Available: Upgrading the Cisco ASA software to a patched version is the only solution—reach out to Cisco support or service providers to secure your network.

If you are using a Cisco Adaptive Security Appliance (ASA) for your network security, it is time to patch a critical vulnerability that’s been around, surprisingly, for ten years.

Cisco recently updated an advisory about a security flaw in the WebVPN login page of their ASA software, which can allow an unauthenticated, remote attacker to execute a cross-site scripting (XSS) attack on anyone using WebVPN on the Cisco ASA.

This vulnerability, tracked as CVE-2014-2120, is a medium-severity flaw caused by insufficient input validation of a parameter, and it could be exploited by convincing a user to access a malicious link. Clicking this link can lead to the user giving away sensitive information, having their browsing session hijacked, or having malware injected.

The vulnerability itself isn’t new – Cisco originally issued a warning back in March 2014. However, the company’s recent update highlights a concerning development: attackers are actively trying to exploit this decade-old bug.

In November 2024, the Cisco Product Security Incident Response Team (PSIRT) identified this emerging pattern of new exploitation attempts. This coincides with a report from security firm CloudSEK, which revealed that malware called AndroxGh0st is using CVE-2014-2120 (among others) to spread.

It is worth noting that CISA added CVE-2014-2120 to its KEV (Known Exploited Vulnerabilities) catalogue on November 12, requiring government agencies to address it by December 3, 2024.
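To act on a KEV listing like this one, a defender can match the catalogue against their own inventory and track the remediation deadline. The sketch below is an added example, not code from Cisco or CISA. It assumes the field layout of CISA's KEV JSON feed, uses a constructed sample with the dates reported above, and the inventory list and `triage` helper are hypothetical.

```python
import json
from datetime import date

# Constructed sample in the layout of CISA's KEV JSON feed. The first entry
# uses the dates reported in the article; the second is a made-up placeholder.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2014-2120", "vendorProject": "Cisco",
   "product": "Adaptive Security Appliance (ASA)",
   "dateAdded": "2024-11-12", "dueDate": "2024-12-03"},
  {"cveID": "CVE-2024-EXAMPLE", "vendorProject": "ExampleVendor",
   "product": "ExampleProduct",
   "dateAdded": "2024-11-20", "dueDate": "2024-12-11"}
]}
""")

# Hypothetical asset inventory: (vendor, product keyword) pairs in use.
INVENTORY = [("cisco", "asa")]


def triage(kev, inventory, today):
    """Return KEV entries matching the inventory, with CVE age and deadline status."""
    findings = []
    for v in kev["vulnerabilities"]:
        vendor, product = v["vendorProject"].lower(), v["product"].lower()
        if not any(iv == vendor and kw in product for iv, kw in inventory):
            continue  # product not deployed here, nothing to track
        added = date.fromisoformat(v["dateAdded"])
        due = date.fromisoformat(v["dueDate"])
        cve_year = int(v["cveID"].split("-")[1])
        findings.append({
            "cve": v["cveID"],
            # Gap between CVE assignment year and KEV listing: a large value
            # marks an old flaw that has come back into active exploitation.
            "years_before_kev": added.year - cve_year,
            "days_to_due": (due - today).days,
            "overdue": today > due,
        })
    # Most urgent (or most overdue) first.
    return sorted(findings, key=lambda f: f["days_to_due"])


if __name__ == "__main__":
    for finding in triage(KEV_SAMPLE, INVENTORY, date(2024, 11, 26)):
        print(finding)
```
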

The re-exploitation of this flaw shows the need for timely software updates and security patches. Unfortunately, there’s no quick fix or workaround for this vulnerability. Your only protection is to upgrade your Cisco ASA software to a version that includes a patch. Don’t wait – contact your Cisco support channel and get the update process rolling. Upgrading is crucial to ensure your network remains secure.

Customers whose Cisco products are provided or maintained through agreements with third-party support organizations, such as Cisco partners, resellers, or service providers, should consult those providers to identify the best workaround or fix for their networks before deployment.

Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM), weighed in on the situation, stating, “These attacks highlight how technical debt and low cybersecurity maturity can compound risk. Many organizations struggle with basic cybersecurity capabilities, leaving them vulnerable to both historical and emerging threats.

“If adversaries can exploit older flaws, they will. Addressing the risks associated with legacy systems is imperative; however, it demands investments that many organizations lack the resources to make,” Jason explained.
