Cisco ASA bug being actively attacked after PoC exploit published online

The vulnerability was fully patched by Cisco in April 2021

Cyber criminals are currently exploiting a security flaw in Cisco Adaptive Security Appliance (ASA) devices in active attacks following the release of proof-of-concept (PoC) exploit code on Twitter last week.

Cisco first revealed details of the cross-site scripting (XSS) bug (CVE-2020-3580) in October 2020 and also issued a fix for it. Because the initial patch was incomplete, the vendor released an additional patch for the bug in April 2021.

In its advisory, Cisco said that it was releasing patches to address multiple XSS bugs in its ASA and Firepower Threat Defense (FTD) software web services.

The vulnerabilities could allow an unauthenticated, remote attacker to send targeted malicious links or phishing emails to users to conduct XSS attacks on vulnerable ASA devices, it added.

"The vulnerabilities are due to insufficient validation of user-supplied input by the web services interface of an affected device. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link," the firm said.

It noted that a successful exploit could enable the attacker to execute arbitrary JavaScript code in the context of the interface and access sensitive, browser-based information.

Cybersecurity firm Rapid7 warned last year that there were over 85,000 internet-accessible ASA/FTD devices as of July 2020. Of those devices, 398 were spread across 17 per cent of the Fortune 500 firms.

On Thursday, researchers from cybersecurity firm Positive Technologies published a PoC exploit for CVE-2020-3580 on Twitter, after which reports started to emerge that threat actors were chasing the bug and trying to exploit it in real attacks.

Tenable said that it had received a report that attackers were exploiting CVE-2020-3580 in the wild, although it did not disclose details about what malicious activities the cyber criminals were performing.

After the Positive Technologies team published the PoC exploit on Twitter, Mikhail Klyuchnikov, a researcher at the company, also tweeted that many researchers were trying to exploit the bug, which he termed "low-hanging fruit".

In light of the new information, Tenable is recommending that organisations prioritise patching CVE-2020-3580 to mitigate the risks associated with the flaw.

Cisco has not yet issued any additional information or updates since the PoC was posted on Twitter.