Cisco on Dec. 2 updated an advisory from March 18 about a 10-year-old vulnerability in the WebVPN login page of Cisco’s Adaptive Security Appliance (ASA) software that could let an unauthenticated remote attacker conduct a cross-site scripting (XSS) attack.
In its recent update, the Cisco Product Security Incident Response Team (PSIRT) said it became aware of additional attempted exploitation of this vulnerability in the wild last month.
The medium-severity vulnerability – CVE-2014-2120 – was rated 6.1 by NIST and stems from insufficient input validation of a parameter; an attacker could exploit the bug by convincing a user to access a malicious link.
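To make the defect class concrete, here is an added illustration (not code from Cisco's advisory or from the ASA software itself) of how a login page that echoes a request parameter without output encoding becomes a reflected XSS, and how HTML-escaping the value at the output sink closes it. The parameter name `username`, the path `/login`, the host and the inert probe string are all constructed assumptions for this example; the article does not name the affected parameter.

```python
# Added illustration of the reflected-XSS defect class behind CVE-2014-2120; it is
# not Cisco's code. The parameter name "username", the path "/login", the host and
# the probe string are all constructed assumptions for this example.
from html import escape
from urllib.parse import parse_qs, urlsplit

FORM = '<form method="post"><input name="username" value="{value}"></form>'


def render_login_vulnerable(username: str) -> str:
    """Echo the request parameter into the page unchanged: a crafted value can
    close the attribute and inject markup, which the victim's browser then runs."""
    return FORM.format(value=username)


def render_login_hardened(username: str) -> str:
    """Same page, but the untrusted value is HTML-escaped (quote=True also encodes
    " and ') before it is placed inside the attribute, so it can only ever be text."""
    return FORM.format(value=escape(username, quote=True))


def extract_param(url: str, name: str) -> str:
    """Pull a single query-string parameter out of a URL, percent-decoded the way
    the server would see it."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def reflects_unescaped(page: str, value: str) -> bool:
    """Regression check a scanner or unit test would apply: does the raw probe
    string come back verbatim in the response body?"""
    return value in page


# Constructed sample: a link of the kind a victim might be lured into opening.
# The query value decodes to  "><script>/*probe*/</script>  (inert marker, no payload).
CRAFTED_LINK = "https://vpn.example.test/login?username=%22%3E%3Cscript%3E/*probe*/%3C/script%3E"


def demo(url: str = CRAFTED_LINK) -> dict:
    """Render the constructed request through both versions and report which one
    reflects the probe unescaped."""
    value = extract_param(url, "username")
    vulnerable = render_login_vulnerable(value)
    hardened = render_login_hardened(value)
    return {
        "value": value,
        "vulnerable_reflects": reflects_unescaped(vulnerable, value),
        "hardened_reflects": reflects_unescaped(hardened, value),
        "hardened_html": hardened,
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The fix is applied where the value is written into the page rather than by filtering the input, because the same parameter may be rendered in several contexts and a deny-list of characters is easy to bypass; `reflects_unescaped` is the kind of check a regression test or external scanner runs against an exposed login page to confirm the encoding is in place.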
Exploitation of decade-old vulnerabilities like the ASA WebVPN bug underscores a persistent challenge in cybersecurity: legacy vulnerabilities often remain unaddressed because of the sheer volume of security issues organizations face today, explained Meny Har, co-founder and CEO of Opus Security.
Har said without effective prioritization, critical vulnerabilities can slip through the cracks. Security teams need answers to questions such as: Is this vulnerability externally accessible? Does it impact essential business functions? Is it continuously exploited by threat actors? However, without proper processes in place, these questions often go unanswered, making it difficult to determine which issues require immediate action.
“This complexity is a significant reason why many legacy vulnerabilities remain unaddressed,” said Har. “When faced with millions of issues, pinpointing and prioritizing becomes daunting. Moreover, for critical or legacy equipment that cannot be replaced or patched, it’s often challenging to identify where meaningful vulnerabilities exist and where mitigating controls, such as security sensors, could effectively detect and prevent exploitation.”
Billy Hoffman, Field CTO at IONIX, added that most organizations can barely keep up with new critical or high-severity issues and defer dealing with the avalanche of thousands of medium-severity CVEs published each year. Couple that with IT being conservative about making changes to core business systems like VPNs, Hoffman said, and it is not surprising that there are companies running VPN endpoints with decade-old vulnerabilities.
“The lesson here is that if you are a target of advanced threat actors, you need to care about the medium-severity issues, especially in critical infrastructure,” said Hoffman. “Most people would say ‘a medium-level XSS is no big deal,’ but this is an XSS in a web VPN, meaning bad actors can hijack a user session and can impersonate them and use their privileges inside the organization. This issue, combined with a targeted email attack to trick someone with elevated privileges to click a link, makes this medium-severity XSS become a powerful chain attack.”
Casey Ellis, founder and advisor at Bugcrowd, said these attacks highlight and reinforce the importance of attack surface management. Ellis said equipment with exploitable vulnerabilities this old has often simply been forgotten, lost in a long M&A process, or otherwise left off an IT maintenance or hardware refresh list.
“Attackers are aware of this phenomenon and the plethora of opportunistic targets it provides for them,” said Ellis. “While a 10-year-old bug might seem absurd, firewall and routing infrastructure like Cisco ASA is often ‘seen and not heard,’ making it more likely to be neglected, forgotten, or overlooked. Finding enough boxes with the same exploitable vulnerability to justify a malicious campaign is not only possible for attackers, it makes good sense as a targeting strategy.”
Augusto Barros, vice president of product marketing at Securonix, added that the persistence of such vulnerabilities is often linked to the inherent limitations of outdated technology, including:
- Increased exposure: Older vulnerabilities have simply been around longer, offering ample time for malicious actors to identify and exploit them.
- Weaker security foundations: Legacy systems were often built with less stringent security standards and programming languages that offered fewer security controls. For instance, systems developed in C/C++ are susceptible to memory management flaws like buffer overflows, which remain a common attack vector.
- Patching challenges: Updating legacy systems often requires a complex and time-consuming process. Many lack streamlined update mechanisms, requiring manual intervention and rigorous testing to avoid disrupting critical operations.
“Today's attackers possess more sophisticated tools and techniques, while legacy systems remain frozen in time, making them easy targets,” said Barros. “Maintaining outdated technology may create significant security risks. Organizations must prioritize upgrading or replacing legacy systems to mitigate these vulnerabilities and ensure their defenses are robust enough to withstand modern threats.”