A decade-old Cisco ASA vulnerability under active exploitation: How to defend against CVE-2014-2120

A recent update to a Cisco advisory confirmed that a decade-old vulnerability in Adaptive Security Appliance (ASA) Software has been exploited in the wild.

In March 2014, Cisco, an American multinational communications technology titan, released an advisory for CVE-2014-2120, a cross-site scripting (XSS) vulnerability affecting Adaptive Security Appliance (ASA) Software, a security appliance that combines firewall, intrusion prevention, antivirus, and virtual private network (VPN) features. On December 2, 2024, over a decade later, Cisco updated its advisory to disclose that CVE-2014-2120 is under active malicious attack.

The Vulnerability

This cross-site scripting (XSS) vulnerability was originally rated medium severity, with a CVSS v2 score of 4.3. In November 2024, NVD assigned it a CVSS v3.1 score of 6.1, noting that user interaction is required for successful exploitation. The flaw exists in the WebVPN login page of Cisco Adaptive Security Appliance (ASA) Software and results from insufficient validation of a user-supplied parameter. Exploitation allows arbitrary HTML or web script to run in the context of the affected interface. To exploit the vulnerability, an unauthenticated, remote attacker must first convince a WebVPN user to open a malicious link. Although the severity is not high, the fact that this flaw is being actively exploited significantly raises the risk to organizations that run affected Cisco Adaptive Security Appliance (ASA) versions in their network.
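As an added illustration that is not part of the original post or of Cisco's own tooling, the Python check below scans web or proxy access logs for requests to the WebVPN login page whose query parameters contain HTML markup once fully URL-decoded, which is the trace a malicious link of the kind described above would leave in logs. The login-page path, the log line format and the sample lines are assumptions constructed for this example; the decoder also handles double-encoded values, which a single-pass check would miss.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: the WebVPN login page path; adjust to match your deployment.
WEBVPN_LOGIN_PATHS = ("/+CSCOE+/logon.html",)
# Markers of injected markup or script in a decoded parameter value.
MARKUP_RE = re.compile(r"<[a-z/!]|javascript:", re.IGNORECASE)

# Constructed sample lines in a minimal "client method url status" format
# (not real ASA syslog); line 2 carries single-encoded, line 4 double-encoded markup.
SAMPLE_LOG = """\
198.51.100.7 GET /+CSCOE+/logon.html?reason=1 200
198.51.100.8 GET /+CSCOE+/logon.html?lang=%3Cb%3Ex%3C%2Fb%3E 200
198.51.100.9 GET /+CSCOE+/portal.html?next=%3Cb%3E 200
198.51.100.10 GET /+CSCOE+/logon.html?reason=%253Cb%253Ex 200
203.0.113.5 GET /+CSCOE+/logon.html?reason=login&lang=en 200
"""

def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded markup is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(url: str) -> list:
    """Return (name, decoded value) pairs of login-page parameters containing markup."""
    parts = urlsplit(url)
    if parts.path not in WEBVPN_LOGIN_PATHS:
        return []  # only the login page is in scope for this flaw
    hits = []
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        decoded = decode_fully(raw)  # parse_qsl already removed one encoding layer
        if MARKUP_RE.search(decoded):
            hits.append((name, decoded))
    return hits

def scan_log(text: str) -> list:
    """Scan access-log lines; one finding per request with markup in a login parameter."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines instead of failing the whole scan
        client, _method, url, _status = fields[:4]
        if hits := suspicious_params(url):
            findings.append({"client": client, "url": url, "params": hits})
    return findings
```

Run `scan_log` over real access logs after adjusting the login path and field order to your log source; every finding names the client and the decoded parameter that carried markup.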

The Attack

Cisco published an update to its ten-year-old advisory disclosing that its Product Security Incident Response Team (PSIRT) had discovered attempts to exploit this vulnerability in the wild. The vendor urges customers to upgrade to a fixed version of Adaptive Security Appliance (ASA) Software to remediate the vulnerability.

Although the exploitation attempts were discovered in early November, and CISA added CVE-2014-2120 to its Known Exploited Vulnerabilities (KEV) catalog on November 12, 2024, Cisco did not share the update with its customers until December 2. The update came a few days after another cybersecurity firm, CloudSEK, published research on changes in the Androxgh0st botnet, a Python-based cloud tool used in attacks on sensitive data. These changes included active exploitation of many vulnerabilities and a possible integration with the Mozi botnet, another widespread botnet known for distributed denial-of-service (DDoS) attacks that turns IoT devices into malicious networks. In its research, CloudSEK observed Androxgh0st exploitation attempts against Oracle, TP-Link, NetGear, Sophos, Atlassian, and Cisco vulnerabilities. Unfortunately, the revival and exploitation of old vulnerabilities is part of a larger pattern observed by security researchers; CVE-2014-2120 is just one example among many.

Current Solutions

Cisco has not published any workarounds or mitigations for this issue, nor has it provided users with free software updates, so patching and upgrading are the only available solution. Organizations can obtain the fixed software through their usual support channels. Customers who use third-party support organizations for Cisco products are advised to consult their service providers to ensure that any updates they apply are appropriate for their network setup.

How can Skybox help?

This vulnerability has been integrated into our threat intelligence feed since its discovery in 2014. Now, the Skybox Research Lab has updated the exploitation status in the feed in accordance with the vendor’s announcement that it was being exploited in the wild.

Customers who have Cisco Adaptive Security Appliance (ASA) Software integrated in their network can use the vulnerability discovery features of the Skybox Vulnerability and Threat Management solution to find vulnerable instances. The solution also reports the number of vulnerability occurrences across the organization and how exposed each asset is to the relevant attack vector. Where necessary, Skybox also recommends compensating security measures, such as network segmentation or configuration changes, to lower exposure risk on the customer's network.

To help the organization's security team decide how best to protect itself, Skybox provides a customized risk score and a prioritization of the most critical threats. These are based on the significance of the Adaptive Security Appliance (ASA) Software in the organizational network and on other factors, such as the overall CVSS score for CVE-2014-2120.

Skybox will monitor any updates about this flaw and update the threat intelligence feed with any information that may be useful for clients making risk management decisions.

Learn how Skybox proactively protects you from vulnerabilities like the one affecting Cisco ASA.