PT-2025-39420 · Cisco · Cisco Secure Firewall Adaptive Security Appliance (ASA) +2

Published 2025-09-25 · Updated 2025-11-30 · CVE-2025-20333

CVSS v3.1: 9.9
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Cisco Secure Firewall Adaptive Security Appliance (ASA) Software versions prior to and including v9.22.x, including v9.8.x, v9.12.x, v9.14.x, v9.16.x, v9.17.x, v9.18.x, v9.19.x, and v9.20.x
Cisco Secure Firewall Threat Defense (FTD) Software versions prior to and including v7.7.x, including v7.0.x, v7.2.x, v7.4.x, v7.6.x

Description

A flaw exists in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software. The issue is a buffer overflow caused by improper validation of user-supplied input in HTTP(S) requests. It is triggered by sending specially crafted HTTP(S) requests containing malicious input to the affected device. Successful exploitation could allow an authenticated, remote attacker to execute arbitrary code as root on an affected device, potentially leading to a complete system compromise.

Approximately 55,852 devices are currently exposed on the internet. This vulnerability is being actively exploited by attackers, including state-sponsored actors, to deploy malware such as RayInitiator and LINE VIPER.

Recommendations

Update Cisco ASA Software to a version later than v9.22.x.
Update Cisco FTD Software to a version later than v7.7.x.
Restrict or disable exposed management interfaces to minimize the risk of exploitation.
Monitor logs for suspicious activity.
Follow CISA’s emergency directives if managing federal systems.

Fix

DoS

RCE

Buffer Overflow

Weakness Enumeration

Related Identifiers

BDU:2025-11706
CVE-2025-20333

Affected Products

Cisco ASA
Cisco Secure Firewall Adaptive Security Appliance (ASA)
Cisco Secure Firewall Threat Defense (FTD)