Ransomware group actively exploits Cisco VPN zero-day vulnerability, posing a critical threat to corporate networks. Learn how to protect your organization

Continue reading
Cisco has issued a warning about a zero-day vulnerability, tracked as CVE-2023-20269, affecting its Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) products. Ransomware operations are actively exploiting this vulnerability to gain initial access to corporate networks.
The zero-day vulnerability in question has a medium severity rating and primarily impacts the VPN feature of Cisco ASA and Cisco FTD. It allows unauthorized remote attackers to conduct brute-force attacks against existing accounts.
By exploiting this vulnerability and accessing compromised accounts, attackers can establish a clientless SSL VPN session within the breached organization's network. The repercussions of this unauthorized access can vary significantly based on the victim's network configuration.
This development comes after recent reports indicated that ransomware gangs, such as Akira and LockBit, were breaching corporate networks through Cisco VPN devices, with suspicions of an undisclosed vulnerability.
The CVE-2023-20269 vulnerability is located within the web services interface of Cisco ASA and Cisco FTD devices, explicitly affecting the authentication, authorization, and accounting (AAA) functions.
The flaw arises from improperly separating the AAA functions and other software features, allowing attackers to send authentication requests to the web services interface without limitations. This enables them to conduct brute force attacks using countless username and password combinations, all without being rate-limited or blocked for abuse.
To successfully carry out brute force attacks, the targeted Cisco appliance must meet specific conditions:
For devices running Cisco ASA Software Release 9.16 or earlier, successful authentication allows the attacker to establish a clientless SSL VPN session without additional authorization, posing a significant security risk.
To establish this session, the following conditions must be met:
While Cisco is actively working on a security update to address CVE-2023-20269, system administrators are strongly advised to take immediate action to mitigate the risks associated with this vulnerability. The following steps are recommended:
It's crucial to note that multi-factor authentication (MFA) is an effective measure to mitigate the risk associated with this vulnerability. Even if attackers successfully brute force account credentials, MFA would prevent them from hijacking secured accounts to establish VPN connections.
Rapid7's managed detection and response (MDR) teams have closely monitored threat activity related to Cisco ASA SSL VPN appliances. They observed increased threat activity dating back to March 2023, with adversaries conducting various attacks.
The attacks showed no clear pattern in terms of target organizations or verticals. Victims varied in size and spanned across sectors, including healthcare, professional services, manufacturing, oil and gas, and others.
Rapid7 identified several IP addresses associated with source authentication events to compromised internal assets and outbound connections from the AnyDesk remote desktop application. The list of IP addresses, along with other IOCs, provides valuable insights for threat detection and response.
In parallel with incident response investigations, Rapid7's threat intelligence teams monitored underground forums and Telegram channels for discussions related to these attacks. They discovered a guide on breaking into corporate networks, which included chapters on SSL VPN brute forcing. This guide was being sold for a significant sum on the dark web.
To strengthen security posture and mitigate the risks associated with these attacks, organizations are advised to take the following measures:
Cisco has confirmed the existence of the CVE-2023-20269 vulnerability and is actively working on a security update. They have provided interim workarounds to address the issue until fixes become available.

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.