Cisco has confirmed that a decade-old cross-site scripting (XSS) vulnerability in its Adaptive Security Appliance (ASA) Software is currently being actively exploited in the wild.

The vulnerability, identified as CVE-2014-2120, affects the WebVPN login page and could allow unauthenticated, remote attackers to conduct XSS attacks against users of the WebVPN service.

Originally disclosed in March 2014, the vulnerability stems from insufficient input validation of a parameter on the WebVPN login page.

Attackers could exploit this flaw by persuading users to access a malicious link, potentially leading to the execution of arbitrary web script or HTML in the context of the affected interface.

The Cisco Product Security Incident Response Team (PSIRT) became aware of renewed exploitation attempts in November 2024, prompting a urgent advisory update.

This development highlights the persistent threat posed by older, unpatched vulnerabilities, even years after their initial discovery.

Flaw Profile

The vulnerability carries a CVSS base score of 4.3, categorized as medium severity. However, its active exploitation status significantly elevates the risk for organizations using affected Cisco ASA Software versions.

Cisco has strongly recommended that customers upgrade to a fixed software release to mitigate this vulnerability. The company emphasized that there are no workarounds available to address the issue, making patching the only effective solution.

This resurgence of CVE-2014-2120 exploitation is part of a broader trend observed by security researchers. The US Cybersecurity and Infrastructure Security Agency (CISA) recently added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, indicating its use in active attack campaigns.

The exploitation of CVE-2014-2120 has been linked to the operators of the ‘AndroxGh0st’ malware/botnet, who have incorporated this old vulnerability into their arsenal as part of a strategic expansion of their attack surface.

This security event underscores the need for continuous vigilance against both new and resurfacing vulnerabilities in critical network infrastructure components.

Cisco continues to monitor the situation and urges all customers to review their ASA Software configurations and apply the necessary updates to protect against this actively exploited vulnerability.