Cisco has updated its advisory to inform users of ongoing exploitation attempts targeting a vulnerability in its Adaptive Security Appliance (ASA) WebVPN—a flaw first disclosed over a decade ago.
The vulnerability, identified as CVE-2014-2120 and assigned a moderate CVSS score of 4.3, originates from inadequate input validation on the WebVPN login interface. This flaw permits an unauthenticated attacker to execute cross-site scripting (XSS) attacks against unsuspecting users of the appliance.
In its original 2014 advisory, Cisco explained, “Exploitation requires persuading a user to click on a maliciously crafted link, enabling the attacker to inject harmful scripts.”
As of December 2, 2024, Cisco has revised its guidance, acknowledging “new incidents of exploitation” detected in active campaigns.
This renewed urgency coincides with findings by cybersecurity firm CloudSEK, which highlighted the exploitation of CVE-2014-2120 by the AndroxGh0st threat group. The attackers are weaponizing a comprehensive array of vulnerabilities in publicly accessible applications, including this decade-old ASA flaw, to distribute their malware.
Additionally, the attacks are intertwined with the operations of the Mozi botnet, a link that facilitates further growth of the botnet’s capabilities and reach.
In response to this surge in malicious activity, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has escalated the issue, incorporating CVE-2014-2120 into its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch (FCEB) agencies have been mandated to address the flaw by December 3, 2024.
Cisco ASA users are strongly urged to apply the latest updates and implement robust security measures to fortify their systems against potential intrusions. Proactive maintenance is essential to mitigate the risks posed by both legacy and emerging cyber threats.