Go back to All Blog posts

Cisco VPN Zero-Day exploited by ransomware gangs (CVE-2023-20269) – Insights and best practices for defense 

Tally Netzer
September 11th, 2023

In the tech security scene, we’re always on the lookout for new vulnerabilities, especially when they are already exploited in the wild. The latest zero-day CVE-2023-20269 is hitting Cisco’s Adaptive Security Appliance VPN features. The attack surface scan conducted by IONIX research on a sample of organizations indicates that 13% of these appliances are potentially vulnerable through at least one interface. 

What is CVE-2023-20269? 

CVE-2023-20269 affects the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. “This vulnerability is due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features,” Cisco explained

“An attacker could exploit this vulnerability by specifying a default connection profile/tunnel group while conducting a brute force attack or while establishing a clientless SSL VPN session using valid credentials.” 

How big is the Cisco Adaptive Security Appliance attack surface? 

IONIX research scanned 400 Fortune 1000 and 100 non-US Global 500 companies and found that such enterprises have an average of 15 Cisco ASA devices deployed in their external attack surface. This number exceeds 50 instances in enterprises with a large digital footprint. 

As expected, most Cisco ASA assets are protected by multi-factor authentication (MFA). Non-intrusive scans conducted by IONIX research on a sample of the organizations indicate that 13% of these appliances are potentially vulnerable through at least one interface. These findings are well aligned with industry reports of breaches conducted by known ransomware gangs.  

What are the attack vectors? 

CVE-2023-20269 may allow: 

  • Brute force attack: An unauthenticated, remote attacker conducts a brute force attack to identify valid username and password combinations that can be used to establish an unauthorized remote access VPN session or
  • Unauthorized user session: An authenticated, remote attacker establishes a clientless SSL VPN session with an unauthorized user (but only when running Cisco ASA Software Release 9.16 or earlier)

Note that the flaw does not allow attackers to bypass authentication. Valid credentials are required to establish a VPN session. This includes a valid second factor if multi-factor authentication (MFA) is configured. 

CVE-2023-20269 exploit timeline 

In August 2023, BleepingComputer reported that an unknown vulnerability on Cisco VPN devices was being exploited to breach corporate networks. The Akira and Lockbit ransomware gangs were identified as the culprits.  

In response to these exploits, Cisco released an advisory warning that the breaches were conducted by brute forcing credentials on devices without MFA configured. 

2023 September 6, CVE-2023-20269 was published and the following security advisory was provided by Cisco.  

Note: At this time, there is no patch for this vulnerability. Users are advised to mitigate the threat by implementing MFA. 

Best practices for securing Cisco ASA devices 

  1. Identify all Cisco ASA devices in your organization.
  2. Scan the device logs for indicators of compromise as outlined in Cisco’s security advisory.
  3. Ensure that the devices are using strong authentication measures, such as MFA, as advised by Cisco.
  4. Patch the devices! Follow the Cisco security advisory for the patch. Note that at the time of writing this blog, no patch is available.

Automate the discovery of your Cisco ASA attack surface 

The threat landscape is constantly changing, and the enterprise attack surface is expanding. These are the facts. The first step in effectively responding to a new zero-day threat, like Cisco ASA CVE-2023-20269, is to expose the threat by mapping the specific attack surface.  

With automated discovery, assessment, and risk prioritization, IONIX ASM platform enables our customers to effectively accelerate their response to zero-day threats. To discover your organization’s Cisco ASA attack surface, request a scan. 

REQUEST A THREAT EXPOSURE REPORT TODAY

Discover the full extent of your online exposure so you can protect it.