Zero-day vulnerability in Cisco Adaptive Security Appliance (ASA)

Authentication bypass using an alternate path or channel
CVE-2023-20269

Vulnerability details

Advisory: SB2023090728 - Authentication bypass using an alternate path or channel in Cisco Adaptive Security Appliance and Firepower Threat Defense

Vulnerable component: Cisco Adaptive Security Appliance (ASA)

CVE-ID: CVE-2023-20269

CVSSv3 score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N/E:H/RL:O/RC:C

CWE-ID: CWE-288 - Authentication Bypass Using an Alternate Path or Channel

Description:

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features. A remote user can perform a brute-force attack and establish a clientless SSL VPN session with an unauthorized user.

Note, the vulnerability is being actively exploited in the wild.