
topicnews · October 24, 2024

Cisco ASA and FTD zero day used in password spraying attacks


Cisco has disclosed and patched a zero-day vulnerability that was exploited in a brute force password spraying campaign the company observed in April.

In a security advisory released on Wednesday, Cisco detailed the zero-day vulnerability, designated CVE-2024-20481, which affects the Remote Access VPN (RAVPN) service of Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. Cisco warned that successful exploitation could allow an unauthenticated remote attacker to cause a DoS of the RAVPN service. CISA on Thursday added CVE-2024-20481 to its catalog of known exploited vulnerabilities.

While Cisco disclosed and patched the zero-day vulnerability this week, the vendor initially discovered it while investigating a brute force password spraying campaign in April. Cisco recommended that companies monitor the volume of authentication requests to determine whether they have been affected by a password spraying attack.
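The monitoring Cisco recommends can be sketched as a volume check over authentication rejections. This is an added example, not code from Cisco or from the article; the syslog line shape (ASA-style 113005/113015 rejection messages behind an ISO 8601 timestamp), the thresholds, the function names and the sample data are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed line shape: ISO 8601 timestamp, hostname, then an ASA-style AAA
# rejection message. Field spacing varies, so the pattern is whitespace-tolerant.
REJECT = re.compile(
    r"^(?P<ts>\S+)\s.*%ASA-6-1130(?:05|15): AAA user authentication Rejected\s*:"
    r".*?user\s*=\s*(?P<user>\S+)\s*:\s*user IP\s*=\s*(?P<ip>\S+)"
)

def find_spray_windows(lines, window_s=300, min_rejects=20, min_users=10):
    """Return (window_start, rejects, distinct_users, top_source_ip) for each
    window where rejection volume and username spread both reach the limits."""
    buckets = defaultdict(list)
    for line in lines:
        m = REJECT.search(line)
        if not m:
            continue  # successes and unrelated messages are ignored
        epoch = int(datetime.fromisoformat(m["ts"]).timestamp())
        buckets[epoch - epoch % window_s].append((m["user"], m["ip"]))
    alerts = []
    for start in sorted(buckets):
        events = buckets[start]
        users = {user for user, _ in events}
        if len(events) < min_rejects or len(users) < min_users:
            continue  # e.g. one person mistyping a password a few times
        per_ip = defaultdict(int)
        for _, ip in events:
            per_ip[ip] += 1
        when = datetime.fromtimestamp(start, timezone.utc).isoformat()
        alerts.append((when, len(events), len(users), max(per_ip, key=per_ip.get)))
    return alerts

def sample_log():
    """Constructed sample: three mistyped logins, then a 24-account burst."""
    fmt = ("{ts} fw1 %ASA-6-113015: AAA user authentication Rejected : reason = "
           "Invalid password : local database : user = {u} : user IP = {ip}")
    lines = [fmt.format(ts=f"2024-04-16T09:0{i}:10+00:00", u="jsmith",
                        ip="198.51.100.20") for i in range(3)]
    lines += [fmt.format(ts=f"2024-04-16T10:00:{i:02d}+00:00", u=f"user{i:02d}",
                         ip="203.0.113.7") for i in range(24)]
    return lines

if __name__ == "__main__":
    for alert in find_spray_windows(sample_log()):
        print(alert)
```

Requiring both a high rejection count and many distinct usernames in the same window separates a spray from a single user retrying a forgotten password; the thresholds should be tuned against the device's normal login volume.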

“A successful exploit could allow the attacker to exhaust resources, resulting in a DoS of the RAVPN service on the affected device. Depending on the impact of the attack, a device reload may be required to restore RAVPN service. Services that are unrelated to VPN are not affected,” Cisco wrote in the security advisory. “Cisco Talos discussed these attacks in the blog post.”

In the April blog post, Cisco said it had been tracking a global brute force campaign targeting a variety of products, including VPN services, since at least March. Affected products included Cisco Secure Firewall VPN, as well as VPN products from Check Point Software Technologies, Fortinet and SonicWall.

TechTarget Editorial contacted Cisco, but the provider did not respond by press time.

While CVE-2024-20481 received a medium-severity CVSS score of 5.3, Cisco ASA and FTD vulnerabilities are popular targets for threat actors. Earlier this year, Cisco uncovered two zero-day vulnerabilities in ASA and FTD that were used by federal threat actors to target government networks. Additionally, cyber insurer Coalition released its “2024 Cyber Claims Report” in April, which showed that policyholder claims related to ASA devices skyrocketed in 2023.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.