IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Cisco flaw under attack after researchers publish exploit PoC

Hackers are launching XSS attacks against unpatched Cisco ASA systems

Hackers are targeting a vulnerability in Cisco’s Adaptive Security Appliance (ASA) after security researchers published a proof-of-concept (PoC) for a successful exploit.

Positive Technologies SWARM, the security company’s offensive research team, published an exploit PoC for the flaw tracked as CVE-2020-3580 last week. This was originally patched in October 2020 alongside CVE-2020-3581 through to CVE-2020-3583.

This issue, which is considered to be moderately severe, concerns multiple vulnerabilities in the web services interface of Cisco ASA software and Cisco Firepower Threat Defense (FTD) software. 

On unpatched systems, Cisco ASA/FTD software web services don’t sufficiently validate user-supplied inputs. To exploit the bug successfully, hackers would need to convince a user on the interface to click on a malicious link. The vulnerability is rated 6.1 out of ten on the CVSS threat severity scale.

Exploitation could allow an attacker to remotely conduct cross-site scripting (XSS) attacks on affected devices that haven’t been patched. Cisco ASA Software is the core operating system that powers the Cisco ASA family, comprising devices that offer firewall tools among other security-oriented services.

Since the PoC was posted online, Positive Technologies researcher Mikhail Klyuchnikov reported that many other researchers are also chasing bug bounties for this vulnerability. Tenable researchers have also reported that attacks are exploiting CVE-2020-3580.

Related Resource

The secure cloud configuration imperative

The central role of cloud security posture management

The secure cloud configuration imperativeFree download

Cisco issued a patch for this flaw in October 2020, but the fix for CVE-2020-3581 was only partial, and the company had to issue a second patch in April this year. As of last July, there were 85,000 ASA/FTD devices distributed across the business landscape. 

Cisco Adaptive Security Appliance (ASA) Software is the core operating system that powers the Cisco ASA family. It offers firewall tools for various ASA devices, with ASA Software also integrating with other critical security technologies to deliver security-oriented products. 

Businesses are being advised to patch their systems with the latest update to avoid falling victim to successful attacks.

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Recommended

Cisco patches critical bugs in collaboration products
vulnerability

Cisco patches critical bugs in collaboration products

3 Mar 2022
Cisco patches bug that could break its email security service with a single message
cyber security

Cisco patches bug that could break its email security service with a single message

17 Feb 2022
Cisco launches suite of products aimed at improving enterprise campus networks
Network & Internet

Cisco launches suite of products aimed at improving enterprise campus networks

3 Feb 2022
The IT Pro Podcast: Can 5G close the digital divide?
5G

The IT Pro Podcast: Can 5G close the digital divide?

6 Aug 2021

Most Popular

Open source packages with millions of installs hacked to harvest AWS credentials
hacking

Open source packages with millions of installs hacked to harvest AWS credentials

24 May 2022
Nvidia pauses hiring to help cope with inflation
Careers & training

Nvidia pauses hiring to help cope with inflation

23 May 2022
Microsoft finally adds Power BI integrations to PowerPoint and Outlook
business intelligence (BI)

Microsoft finally adds Power BI integrations to PowerPoint and Outlook

25 May 2022