A formerly patched Cisco ASA security vulnerability is being actively exploited by threat actors after its exploit PoC was posted on Twitter.

The Cisco ASA vulnerability:

Cisco ASA i.e Adaptive Security Appliance is a family of network security devices from Cisco that provide firewall, intrusion prevention (IPS), and virtual private network (VPN) capabilities. Introduced in 2005, the ASA brand superseded Cisco’s stand-alone PIX firewalls, IPS, and VPN devices.

The Cisco ASA vulnerability, tracked as CVE-2020-3580, is a cross-site scripting security (XSS) vulnerability and was primarily detected back in October 2020.

Cross-site scripting is a type of security vulnerability typically found in web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.

Also read,

When CVE-2020-3580 was first detected, it was addressed with a security patch, however, the initial patch was found to be incomplete. Subsequently, a supplementary patch was issued in April 2021.

The vulnerability can provide malicious entities with the ability to deploy phishing emails or malicious links to a Cisco ASA device user. The threat actors can then execute malicious JavaScript commands in the victim’s browser. 

“A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information,” states the Cisco security advisory regarding the Cisco ASA vulnerability.

PoC gives way to exploit attacks by threat actors:

A proof-of-concept i.e PoC is usually published by security experts for a vulnerability that has already been patched up for a software product or device and a sufficient time has elapsed for devices to have upgraded. PoCs help in sharing how organizations detect and prevent associated attacks.

With a similar agenda, security researchers from Positive Technologies Offensive Team published a PoC exploit for the Cisco ASA CVE-2020-3580 vulnerability on Thursday via Twitter.

The PoC displays a JavaScript alert in the user’s browser when they visit a specially crafted malicious webpage. However, the malicious webpage could have executed other JavaScript commands to perform malicious activity.

However, in an unexpected turn of events, shortly after the PoC was made public, cybersecurity organization Tenable reported that threat actors are actively exploiting the Cisco ASA vulnerability and were compromising the devices that had not applied the security patch.

“Tenable has also received a report that attackers are exploiting CVE-2020-3580 in the wild,” said Tenable.

Details regarding the nature of the malicious activities that were being performed after abusing the Cisco ASA bug were not disclosed by the security company.

Since such new developments have come forth, with threat actors actively exploiting the Cisco ASA vulnerability, users are recommended to promptly apply the relevant security fix to avoid any possibilities of cyberattacks.