A decade-old security flaw is being actively exploited, according to a warning issued by Cisco.
This vulnerability, tracked as CVE-2014-2120, affects Cisco’s Adaptive Security Appliance (ASA). It involves inadequate input validation in ASA’s WebVPN login page, which an unauthenticated, remote actor could leverage to carry out a cross-site scripting (XSS) attack.
“These attacks highlight how technical debt and low cybersecurity maturity can compound risk,” says Jason Soroko, Senior Fellow at Sectigo. “Many organizations struggle with basic cybersecurity capabilities, leaving them vulnerable to both historical and emerging threats. If adversaries can exploit older flaws, they will. Addressing the risks associated with legacy systems is imperative; however, it demands investments that many organizations lack the resources to make.”
Casey Ellis, Founder and Advisor at Bugcrowd, adds, “These attacks highlight, reinforce, and emphasize the importance of attack surface management. Equipment with exploitable vulnerabilities this old has often simply been forgotten, lost in an M&A process, or otherwise left off an IT maintenance or hardware refresh list. Attackers are aware of this phenomenon and the plethora of opportunistic targets it provides for them. While a ten-year-old bug might seem absurd, firewall and routing infrastructure like Cisco ASA is often ‘seen and not heard,’ making it more likely to be neglected, forgotten, or overlooked. Finding enough boxes with the same exploitable vulnerability to justify a malicious campaign is not only possible for attackers, it makes good sense as a targeting strategy.”