Name of the Vulnerable Software and Affected Versions
Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software, versions up to and including v9.22.x (including v9.8.x, v9.12.x, v9.14.x, v9.16.x, v9.17.x, v9.18.x, v9.19.x, and v9.20.x)
Cisco Secure Firewall Threat Defense (FTD) Software, versions up to and including v7.7.x (including v7.0.x, v7.2.x, v7.4.x, and v7.6.x)
Description
A flaw exists in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software. Because user-supplied input in HTTP(S) requests is not properly validated, an authenticated, remote attacker can execute arbitrary code on an affected device. A successful exploit could allow the attacker to execute arbitrary code as root, potentially leading to a complete system compromise. This vulnerability is actively being exploited in attacks, with approximately 55,852 systems exposed as of September 25th. The ArcaneDoor threat actor is known to exploit it to deploy the RayInitiator bootkit for persistence and LINE VIPER for administrative control. The affected API endpoint is the VPN web server; the vulnerability stems from insufficient input validation of HTTP(S) requests, and the vulnerable parameters are those submitted within these requests.
Recommendations
Update Cisco ASA Software to a version higher than v9.22.x.
Update Cisco FTD Software to a version higher than v7.7.x.
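To triage a device inventory against the version ranges stated above, the following Python helper is an added example (not from the advisory or from Cisco). The hostnames, version strings and inventory layout are constructed; the ceilings come from the affected-version lists on this page.

```python
import re

# Ceilings taken from the affected-version lists above: every release up to
# and including these trains is listed as affected.
AFFECTED_CEILING = {
    "ASA": (9, 22),
    "FTD": (7, 7),
}

# Accepts the dotted form used above ("9.22.1", "7.7.0") and the
# parenthesised train form ASA prints in show version ("9.16(4)").
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:[.(](\d+))?")


def parse_version(text):
    """Return (major, minor, patch) from a version string, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(product, version_text):
    """True if the release is in the affected range for ASA or FTD."""
    ceiling = AFFECTED_CEILING[product]
    parsed = parse_version(version_text)
    if parsed is None:
        raise ValueError(f"no version found in {version_text!r}")
    # Affected range: any (major, minor) train up to and including the ceiling.
    return parsed[:2] <= ceiling


def triage(inventory):
    """Return the (hostname, product, version) entries that need an update."""
    return [entry for entry in inventory if is_affected(entry[1], entry[2])]


# Constructed sample inventory; these are not real devices.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "ASA", "9.16(4)"),
    ("fw-edge-02", "ASA", "9.22.1"),
    ("fw-edge-03", "ASA", "9.23.1"),
    ("ftd-dc-01", "FTD", "7.4.2"),
    ("ftd-dc-02", "FTD", "7.7.0"),
    ("ftd-dc-03", "FTD", "7.8.0"),
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is in the affected range")
```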