CyberSecurity SEE

Cisco ASA and Firepower Threat Defense exploited in password spraying attacks

Cisco has recently disclosed and patched a zero-day vulnerability that was exploited in a brute force password spraying attack observed in April. The vulnerability, tracked as CVE-2024-20481, affects the Remote Access VPN (RAVPN) service of Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. If successfully exploited, it could allow an unauthenticated remote attacker to cause a denial of service (DoS) of the RAVPN service.

Following the discovery of this zero-day vulnerability, Cisco took swift action to disclose and patch the issue. Interestingly, the vendor first came across this vulnerability while investigating a brute force password spraying campaign that took place in April. As part of their response, Cisco has advised organizations to closely monitor authentication request volumes to identify any signs of a password spraying attack.
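
The monitoring Cisco recommends can be expressed as a sliding-window check over VPN authentication logs: flag a burst of rejected logins that is spread across many usernames. The following Python example is an addition to this article, not code from Cisco or TechTarget; the log line format, the thresholds and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed tuning values; set them from your own baseline of failed logins.
WINDOW = timedelta(minutes=5)
MAX_FAILURES = 20          # rejected attempts tolerated per window
MIN_DISTINCT_USERS = 10    # spraying touches many accounts, few tries each

def parse(line):
    """Parse '<ISO time> <ACCEPT|REJECT> user=<name> src=<ip>' (constructed format)."""
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user.split("=", 1)[1], src.split("=", 1)[1]

def detect_spray(lines):
    """Return one alert per burst of rejected logins that spans many usernames."""
    window, alerts, alerting = [], [], False
    for ts, result, user, src in sorted(parse(l) for l in lines):
        if result != "REJECT":
            continue
        window.append((ts, user, src))
        # Keep only rejections that fall inside the sliding window.
        window = [e for e in window if ts - e[0] <= WINDOW]
        users = {e[1] for e in window}
        hit = len(window) >= MAX_FAILURES and len(users) >= MIN_DISTINCT_USERS
        if hit and not alerting:  # alert once when the threshold is first crossed
            alerts.append({"start": window[0][0], "failures": len(window),
                           "distinct_users": len(users),
                           "sources": sorted({e[2] for e in window})})
        alerting = hit
    return alerts

def sample_lines():
    """Constructed events: one user mistyping a password, then a 30-account spray."""
    base = datetime(2024, 4, 1, 9, 0, 0)
    lines = [f"{(base + timedelta(minutes=m)).isoformat()} REJECT user=alice src=192.0.2.10"
             for m in (0, 1, 2)]
    lines.append(f"{(base + timedelta(minutes=3)).isoformat()} ACCEPT user=alice src=192.0.2.10")
    spray = base + timedelta(hours=1)
    for i in range(30):
        src = ("203.0.113.5", "198.51.100.7")[i % 2]
        lines.append(f"{(spray + timedelta(seconds=4 * i)).isoformat()} REJECT user=user{i:02d} src={src}")
    return lines

if __name__ == "__main__":
    for alert in detect_spray(sample_lines()):
        print(alert)
```

Counting distinct usernames alongside raw volume keeps a single user retrying a forgotten password from raising the same alert as a spray across many accounts.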

In their security advisory, Cisco warned that exploiting this vulnerability could result in resource exhaustion and a subsequent DoS of the RAVPN service on the affected device. In some cases, a device reload may be necessary to restore the service. However, it is worth noting that services unrelated to VPN are not impacted by this vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) has also added CVE-2024-20481 to its Known Exploited Vulnerabilities list, underlining the severity of this issue.

In an April blog post, Cisco shared details about a global brute force campaign targeting various products, including VPN services, that had been ongoing since at least March. Noteworthy products affected by this campaign included VPN solutions from several vendors, such as Check Point Software Technologies, Fortinet, and SonicWall, in addition to Cisco’s own Secure Firewall VPN.

While CVE-2024-20481 was assigned a medium-severity CVSS score of 5.3, Cisco ASA and FTD vulnerabilities have historically been attractive targets for threat actors. Earlier this year, Cisco disclosed two zero-day flaws in ASA and FTD software that were exploited by nation-state threat actors aiming to infiltrate government networks. Moreover, the “2024 Cyber Claims Report” released by cyber insurer Coalition highlighted a significant surge in policyholder claims related to ASA devices in 2023, further emphasizing the importance of addressing vulnerabilities in networking equipment.

As the cybersecurity landscape continues to evolve, organizations are urged to remain vigilant and proactive in addressing potential security threats. By promptly addressing vulnerabilities like CVE-2024-20481 and implementing robust security measures, companies can enhance their resilience against cyber threats and safeguard their critical infrastructure.

Arielle Waldman, a news writer for TechTarget Editorial specializing in enterprise security, contributed to this report. For further insights and updates on cybersecurity developments, stay tuned to TechTarget Editorial.
