- A cross-scripting bug plaguing Cisco’s Adaptive Security Appliance is being actively exploited, the company warns
- The flaw was first discovered a decade ago
- CISA added it to KEV, and warned federal agencies to patch
Cisco has updated a decade-old advisory to warn users that the ancient vulnerability is now being actively exploited in the wild to spread malware.
Spotted by The Hacker News, the advisory is for a cross-site scripting (XSS) vulnerability affecting the WebVPN login page for the Cisco Adaptive Security Appliance (ASA) Software.
The vulnerability was spotted in 2014, and has since been tracked as CVE-2014-2120. It has a severity score of 6.1 (medium), and allows threat actors to remotely inject arbitrary web script or HTML via an unspecified parameter.
A surge in abuse
“An attacker could exploit this vulnerability by convincing a user to access a malicious link,” Cisco said at the time.
Earlier this week, however, the company updated the advisory, saying it observed “additional attempted exploitation” of the bug in the wild.
The discovery has also prompted the US Cybersecurity and Infrastructure Agency (CISA) to add the bug to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies and adjacent organizations have a three-week deadline to patch the software, or stop using it altogether. CISA added the bug on November 12, meaning that the deadline for patching was December 3.
If you are using Cisco’s ASA, it would be wise to patch the software up without hesitation. Cybercriminals are known to take advantage of age-old vulnerabilities, since they already have working exploits and can easily be abused.
For example, late in 2023, news broke of threat actors abusing a six-year-old flaw in Microsoft’s Excel to deliver an information-stealing piece of malware called Agent Tesla. Also, in 2020, it was found that crooks were using a three-year-old Office bug to target businesses in the real estate, entertainment and banking industries in both Hong Kong and North America.
Some researchers would argue that old vulnerabilities are more dangerous than zero-day ones, since the practice is already established. However, these vulnerabilities are also easiest to address, by simply keeping the software up to date.
Via The Hacker News