Cisco ASA Vulnerability Resurfaces as Active Threat


A security vulnerability from ten years ago has recently been exploited in the wild again: CVE-2014-2120, first recognized in March 2014, is a vulnerability in Cisco Adaptive Security Appliance’s (ASA) WebVPN login page. In November 2024, additional exploitation of this vulnerability was detected in connection with the Androxgh0st botnet.

The renewed exploitation of this vulnerability shows that legacy vulnerabilities remain relevant in the modern threat landscape. Legacy tools and systems are often left by the wayside without regular patching, updating, or assessment. Exploiting old vulnerabilities is one way that threat actors attempt to evade security measures and increase the success of their attacks.

The Nature of CVE-2014-2120

This issue arises from insufficient input validation in the ASA WebVPN login page, and it can enable unauthenticated remote users to carry out cross-site scripting (XSS) attacks. In an alert released when the vulnerability was first discovered, Cisco stated that CVE-2014-2120 could be exploited by an attacker deceiving a user into clicking a malicious link.

The vulnerability allows unauthenticated remote users to inject HTML code or web script into the login page, opening the door to malware delivery and other attacks. The consequences of XSS attacks like this vary widely and can include the breach of sensitive data, credential theft, and financial losses.
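Because the flaw is a reflected XSS delivered by luring a user to a crafted link, the attempt itself lands in the web access log as a login-page request whose query string carries markup. The detector below is an added example written for this article, not Cisco's code or a published signature; the login path and the log lines are constructed placeholders, so adapt the path to what your appliance actually serves.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed WebVPN login path (placeholder; the article names no URL, so adapt
# this to the path your ASA portal actually serves).
LOGIN_PATHS = {"/webvpn/login"}

# Markup that has no business in a login-page query string.
XSS_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"<\s*script",
    r"javascript\s*:",
    r"\bon(error|load|click|mouseover|focus)\s*=",
    r"<\s*(iframe|img|svg|object)\b",
)]

# Combined-style access log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real ASA logs): line 2 carries an encoded
# script tag, line 3 a double-encoded event handler, line 4 hits a non-login
# path and must be ignored.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Nov/2024:10:01:12 +0000] "GET /webvpn/login?group=vpn HTTP/1.1" 200 1532',
    '203.0.113.9 - - [12/Nov/2024:10:02:45 +0000] "GET /webvpn/login?next=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1601',
    '203.0.113.9 - - [12/Nov/2024:10:02:51 +0000] "GET /webvpn/login?msg=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 1601',
    '198.51.100.7 - - [12/Nov/2024:10:03:10 +0000] "GET /static/logo.png?cb=%3Cscript%3E HTTP/1.1" 200 88',
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so double-encoded payloads are inspected too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_xss_attempts(log_lines):
    """Return (ip, timestamp, param, decoded_value) for login-page requests carrying markup."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        parts = urlsplit(m["url"])
        if parts.path not in LOGIN_PATHS:
            continue  # only the login page reflects input, per the advisory
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            value = fully_decode(raw)
            if any(p.search(value) for p in XSS_PATTERNS):
                hits.append((m["ip"], m["ts"], name, value))
    return hits


if __name__ == "__main__":
    for ip, ts, param, value in find_xss_attempts(SAMPLE_LOG):
        print(f"{ts} {ip} param={param!r} value={value!r}")
```

Each hit is a candidate for blocking the source and, more importantly, a reminder that the appliance is still reachable on a version the advisory says is unfixed.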

Resurgence of Threat

As discovered by CloudSEK, this vulnerability has been exploited again in the wild as part of a recent campaign by the attackers behind the Androxgh0st botnet. Androxgh0st is a “Python-based cloud attack tool” known to be used in attacks targeting sensitive data. It has been used in this recent campaign, exploiting a wide variety of vulnerabilities, many of which are legacy issues like CVE-2014-2120.

Cisco’s updated advisory on the vulnerability warns of new active exploitation of the vulnerability detected in November 2024. It echoes previous recommendations regarding using newer software that fixes the vulnerability.

Broader Context: Threat Actors and Legacy Vulnerabilities

Unpatched vulnerabilities, and particularly legacy issues that are less likely to be on an organization’s radar, play a crucial role in threat actors’ toolkits. “Equipment with exploitable vulnerabilities this old has often simply been forgotten, lost in an M&A process, or otherwise left off an IT maintenance or hardware refresh list,” says Casey Ellis, Founder and Advisor at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity. “Attackers are aware of this phenomenon and the plethora of opportunistic targets it provides for them.”

As noted above, the Androxgh0st exploitation of CVE-2014-2120 is part of a larger campaign revealed by CloudSEK shortly before Cisco’s updated advisory was released. The actors behind the botnet are also deploying Mozi botnet malware, exploiting a range of vulnerabilities to attack internet of things (IoT) devices and cloud services.

Lessons for Security Teams

The resurgence of a vulnerability from ten years ago emphasizes the importance of updating legacy systems. “These attacks highlight how technical debt and low cybersecurity maturity can compound risk,” according to Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM). “Many organizations struggle with basic cybersecurity capabilities, leaving them vulnerable to both historical and emerging threats. If adversaries can exploit older flaws, they will.”

There are a number of ways that organizations can mitigate the risks associated with attacks like this. Organizations are encouraged to update all software when possible and patch known vulnerabilities; to invest in adaptable security measures that keep pace with the evolving threat landscape; to regularly reassess and test those measures to confirm they remain effective; and to use network segmentation so that a compromise of a legacy system cannot spread into other areas.

Cisco’s Response and Recommendations

The advisory from Cisco states that free software updates are not available, and there are no workarounds for this vulnerability. Organizations are recommended to go through their usual support channels to upgrade to a version of software that contains a fix for the vulnerability. They should also consult service providers for any products provided through third-party support organizations.

In order to respond to this threat, it is crucial to raise awareness among organizations still using ASA appliances. Many may have allowed vulnerabilities like this to go unpatched and unmitigated as legacy software gets out of date and is not regularly updated and evaluated.

Closing Thoughts

The new exploitation of this old vulnerability is not an isolated incident. Threat actors target unpatched vulnerabilities in legacy tools precisely because organizations are not always monitoring or tracking that software to ensure its ongoing security. That this vulnerability can still be exploited in the wild indicates that many organizations have not upgraded to software that fixes it, even ten years after it was discovered.

Proactive vulnerability management is a crucial part of any organization’s cybersecurity strategy. It is vital for all organizations to take steps to mitigate and patch vulnerabilities in all of their software, keep track of the threat landscape, and stay vigilant for issues in legacy systems.

Author

PJ Bradley, Contributing Writer, Security Buzz

PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.