Last week, a PoC exploit for a vulnerability patched last year appeared online, and Cisco ASA and FTD firewalls are now being probed by both attackers and security researchers.
The attacks began after Positive Technologies tweeted a simple PoC exploit for the XSS vulnerability CVE-2020-3580, which the company discovered and helped fix last October.
Just an hour after the publication, Positive Technologies researcher Mikhail Klyuchnikov reported that the PoC was already being used by bug hunters to find entry points into corporate networks, some of whom reported their findings to the affected companies in the hope of a bug bounty.
But the exploit attracted more than researchers: Tenable reports that it has received at least one report of this bug being exploited by attackers.
Fortunately, CVE-2020-3580 is nowhere near as dangerous as some past flaws in Cisco products. Exploiting it requires tricking a user with administrator rights into following a malicious link, which rules out mass exploitation. But if the attack succeeds, CVE-2020-3580 lets the attacker execute script code in the context of the ASA or FTD web management interface, with the rights of the administrator who clicked the link.
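To make the "administrator must click a link" condition concrete, here is reflected XSS in miniature, written as an added illustration rather than Cisco code or the published PoC. The handler names, the `name` query parameter, the hostname `firewall.example` and the payload are all made up; the point is only that the attacker's script travels inside a URL and is executed by whoever opens it, and that output encoding at render time removes the bug.

```python
"""Reflected XSS (the bug class behind CVE-2020-3580) in miniature.

Added illustration; not Cisco code and not the published PoC. The handler
names, the 'name' parameter, the host and the payload are constructed.
"""
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed payload. A real attacker would use script that acts with the
# victim's (the administrator's) session, e.g. issues management requests.
PAYLOAD = "<script>alert(document.cookie)</script>"


def crafted_link(base_url: str, payload: str = PAYLOAD) -> str:
    """Build the link the attacker has to get an administrator to open."""
    return f"{base_url}?{urlencode({'name': payload})}"


def _param(url: str, key: str = "name") -> str:
    """Pull a single query parameter out of a URL (empty string if absent)."""
    return parse_qs(urlsplit(url).query).get(key, [""])[0]


def vulnerable_page(url: str) -> str:
    """The bug: the query parameter is echoed into the HTML unescaped."""
    return f"<html><body><h1>Hello, {_param(url)}</h1></body></html>"


def hardened_page(url: str) -> str:
    """Same handler, parameter HTML-escaped before it is rendered."""
    safe = html.escape(_param(url), quote=True)
    return f"<html><body><h1>Hello, {safe}</h1></body></html>"


def contains_live_script(page: str) -> bool:
    """Crude oracle: does the response carry an unescaped <script> tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    link = crafted_link("https://firewall.example/admin")
    print("attacker link :", link)
    print("vulnerable    :", contains_live_script(vulnerable_page(link)))
    print("hardened      :", contains_live_script(hardened_page(link)))
```

The payload is percent-encoded in the link, decoded by the server and then written straight into the page, which is why the browser of the administrator who opened it runs the script with that administrator's session. Escaping at the output point is the fix; the exploit needs a victim, which is what keeps this bug out of the "mass exploitation" category.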
It is also worth noting that in May 2021 older Cisco devices came under a separate series of attacks. The campaign, detected by Lumen's researchers, targeted devices with Smart Install enabled and reachable from the Internet.
Using the old vulnerability CVE-2018-0171, an unknown hacktivist gained access to vulnerable devices and overwrote their configuration files, inserting the text of an anti-Western manifesto, which broke routing on the affected devices.
According to the researchers, about 100 of the roughly 18,000 Cisco devices still vulnerable to the 2018 bug were hit by this attack, with most of the victims in the United States.
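Two checks a defender would want after reading about the Smart Install campaign, as an added example that is not Lumen's or Cisco's code: whether a device's running config still leaves Smart Install on, and whether any configuration writes in the logs came from an unexpected source. Assumptions, stated here and in the code: Smart Install is disabled with the IOS command `no vstack` and is otherwise left enabled by default, and listens on TCP 4786 (both from Cisco's CVE-2018-0171 guidance); the config excerpts and syslog lines are constructed in the IOS `%SYS-5-CONFIG_I` shape; the hostname `edge-sw1` and the admin allow-list are made up.

```python
"""Checks against the Smart Install (CVE-2018-0171) abuse described above.

Added example, not Lumen's or Cisco's code. Assumptions: Smart Install is
off only when the config says 'no vstack' and listens on TCP 4786 (Cisco's
guidance); the config text and syslog lines below are constructed; the
allow-list of admin hosts is made up.
"""
import re

# Smart Install (vstack) service port; block or ACL this at the edge.
SMART_INSTALL_PORT = 4786

# Constructed running-config excerpts.
CONFIG_EXPOSED = """\
hostname edge-sw1
ip route 0.0.0.0 0.0.0.0 203.0.113.1
line vty 0 4
 transport input ssh
"""
CONFIG_HARDENED = CONFIG_EXPOSED + "no vstack\n"

# Constructed syslog lines; IOS logs each config write as %SYS-5-CONFIG_I.
SYSLOG = [
    "Mar 12 03:14:07 edge-sw1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "Mar 12 03:22:41 edge-sw1 %SYS-5-CONFIG_I: Configured from console by vty1 (198.51.100.77)",
    "Mar 12 03:22:42 edge-sw1 %LINK-3-UPDOWN: Interface Vlan1, changed state to down",
]

# Made-up allow-list of hosts permitted to change configuration.
ADMIN_HOSTS = {"10.0.0.5"}

# Matches both 'by <user> on vty0 (ip)' and 'by vty1 (ip)' forms.
CONFIG_I = re.compile(
    r"%SYS-5-CONFIG_I: Configured from \S+ by .*?\((?P<src>\d+\.\d+\.\d+\.\d+)\)"
)


def smart_install_enabled(running_config: str) -> bool:
    """Smart Install stays on unless the config explicitly says 'no vstack'."""
    return not any(line.strip() == "no vstack" for line in running_config.splitlines())


def config_changes_from_unknown_hosts(lines, allowed=ADMIN_HOSTS):
    """Source IPs of config writes that did not come from an allowed host."""
    hits = []
    for line in lines:
        m = CONFIG_I.search(line)
        if m and m.group("src") not in allowed:
            hits.append(m.group("src"))
    return hits


if __name__ == "__main__":
    for name, cfg in (("exposed", CONFIG_EXPOSED), ("hardened", CONFIG_HARDENED)):
        state = "ENABLED" if smart_install_enabled(cfg) else "disabled"
        print(f"{name}: Smart Install {state} (TCP/{SMART_INSTALL_PORT})")
    print("config writes from unknown hosts:", config_changes_from_unknown_hosts(SYSLOG))
```

Run on a real device export, the first check is the one that matters most: the exposed config contains no `vstack` line at all, which is exactly the state that left roughly 18,000 devices reachable in this campaign. The second check would have flagged the manifesto write as a configuration change from an address outside the admin allow-list.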