Date: 2024-12-03

NEWS BRIEF

Cisco is warning customers of a security vulnerability impacting its Adaptive Security Appliance (ASA) that is actively being exploited by threat actors.

The decade-old bug, tracked as CVE-2014-2120, involves insufficient input validation in ASA's WebVPN login page, through which an unauthenticated remote attacker could conduct a cross-site scripting (XSS) attack.

In 2014, Cisco noted that "the vulnerability is due to insufficient input validation of a parameter," adding that an attacker could exploit the vulnerability by convincing the user to click on a malicious link.

Cisco now reports it became aware of in-the-wild exploitation attempts in November 2024 and recommends that customers upgrade to a fixed software release to mitigate the vulnerability. There are no workarounds for this flaw.

"Exploiting decade-old vulnerabilities like the ASA WebVPN bug underscores a persistent challenge in cybersecurity, that legacy vulnerabilities often remain unaddressed due to the sheer volume of security issues organizations face today," Meny Har, CEO and co-founder of Opus Security, said in an emailed statement to Dark Reading. "Without effective prioritization frameworks, critical vulnerabilities can slip through the cracks."