Cisco issues emergency fix for VPN tool, users told to update now

An illustration of a hand holding a set of keys in front of a laptop, accompanied by a padlock symbol, fingerprint, and key.

(Image credit: Getty Images)

Cisco has issued an emergency fix for bugs in some of its software which are being actively exploited in the wild.

According to a security advisory from the company, the flaw that was patched was found in Adaptive Security Appliance (ASA), and in Firepower Threat Defense (FTD). It is described as a resource exhaustion vulnerability, tracked as CVE-2024-20481. It was given a medium severity rating of 5.8.

Describing the theory behind the attack, Cisco says an attacker could send a large number of VPN authentication requests to a vulnerable device, exhausting its resources. That leads to a Denial-of-Service (DoS) state of the Remote Access VPN (RAVPN) service. Furthermore, since the attackers are sending authentication requests, one just might work (depending on the strength of the login credentials), giving the miscreants unauthorized network access.

Abused in the wild

Depending on the impact of the attack, the victims may need to restore the RAVPN service, Cisco explained.

The good news is that the bug affects only those devices with remote access VPN (RAVPN) service enabled. The bad news is the bug is actively being exploited in the wild, and there is no workaround. Cisco said it is "aware of malicious use of the vulnerability that is described in this advisory," and the US Cybersecurity and Infrastructure Security Agency (CISA) added the bug to its Known Exploited Vulnerabilities (KEV) catalog.

Cisco’s VPN tools are hugely popular across the world, and are being equally used by both SMBs and large enterprises. Therefore, they are a major target for cybercriminals looking to weasel their way into corporate IT infrastructure.

In fact, the company’s cybersecurity department, Talos, recently warned it’s tracking an increase in brute-force attacks against VPNs, The Register reminds. "These attacks all appear to be originating from TOR exit nodes and a range of other anonymizing tunnels and proxies," Talos said.

More from TechRadar Pro

Cisco takes its developer hub offline following data theft
Here's a list of the best firewalls today
These are the best endpoint protection tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.