Cisco warns that a decade-old vulnerability is back and targeting users
- A cross-site scripting bug plaguing Cisco’s Adaptive Security Appliance is being actively exploited, the company warns
- The error was first discovered ten years ago
- CISA added it to KEV and alerted federal agencies to patch
Cisco has updated a decade-old advisory to warn users that the age-old vulnerability is now being actively exploited in the wild to spread malware.
Spotted by The Hacker News, the advisory concerns a cross-site scripting (XSS) vulnerability that affects the WebVPN login page for the Cisco Adaptive Security Appliance (ASA) software.
The vulnerability was spotted in 2014 and has since been tracked as CVE-2014-2120. It has a severity score of 6.1 (moderate) and allows threat actors to remotely inject arbitrary web script or HTML via an unspecified parameter.
A wave of abuse
“An attacker could exploit this vulnerability by convincing a user to access a malicious link,” Cisco said at the time.
However, earlier this week the company updated its advisory, saying it has observed “additional attempts to exploit” the bug in the wild.
The discovery also prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to add the bug to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies and neighboring organizations have a three-week deadline to patch the software or stop using it altogether. CISA added the bug on November 12, meaning the deadline for patching was December 3.
If you are using Cisco’s ASA, it would be wise to patch the software without hesitation. Cybercriminals are known to exploit age-old vulnerabilities because working exploits for them already exist and the flaws are easy to abuse.
For example, in late 2023, news emerged of threat actors exploiting a six-year-old flaw in Microsoft’s Excel to deliver an information-stealing piece of malware called Agent Tesla. In 2020, it was also discovered that crooks were using a three-year-old Office bug to target companies in the real estate, entertainment and banking sectors in both Hong Kong and North America.
Some researchers argue that old vulnerabilities are more dangerous than zero-day vulnerabilities because the methods for exploiting them are already established. However, these vulnerabilities are also the easiest to resolve: simply keep the software up to date.
Via The Hacker News