Security News > 2023 > September > Cisco warns of VPN zero-day exploited by ransomware gangs

Cisco warns of VPN zero-day exploited by ransomware gangs
2023-09-08 13:32

Cisco is warning of a zero-day vulnerability in its Cisco Adaptive Security Appliance and Cisco Firepower Threat Defense that is actively exploited by ransomware operations to gain initial access to corporate networks.

The medium severity zero-day vulnerability impacts the VPN feature of Cisco ASA and Cisco FTD, allowing unauthorized remote attackers to conduct brute force attacks against existing accounts.

Last month, BleepingComputer reported that the Akira ransomware gang was breaching corporate networks almost exclusively through Cisco VPN devices, with cybersecurity firm SentinelOne speculating that it may be through an unknown vulnerability.

A week later, Rapid7 reported that the Lockbit ransomware operation also exploited an undocumented security problem in Cisco VPN devices in addition to Akira.

This week, Cisco confirmed the existence of a zero-day vulnerability that was used by these ransomware gangs and provided workarounds in an interim security bulletin.

The CVE-2023-20269 flaw is located within the web services interface of the Cisco ASA and Cisco FTD devices, specifically the functions that deal with authentication, authorization, and accounting functions.


News URL

https://www.bleepingcomputer.com/news/security/cisco-warns-of-vpn-zero-day-exploited-by-ransomware-gangs/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2023-09-06 CVE-2023-20269 Incorrect Authorization vulnerability in Cisco Adaptive Security Appliance Software
A vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and password combinations or an authenticated, remote attacker to establish a clientless SSL VPN session with an unauthorized user. This vulnerability is due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features.
network
low complexity
cisco CWE-863
critical
9.1

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Cisco 2046 21 1773 1669 288 3751