Cyber Resilience

CVE-2023-20269

Medium · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 06 September 2023
Modified: 28 October 2025
KEV Added: 13 September 2023
Patch
CVSS Score (v3.1): 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N)
EPSS Score: 0.0119 (79.2 percentile)
Risk Priority: 31 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-20269 is a medium-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Cisco Adaptive Security Appliance Software. Its CVSS base score is 5.0 (Medium).

Operationally, it ranks in the top 20.8% of CVEs by EPSS-estimated exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-5 (Separation of Duties).

Deeper analysis

A vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software stems from improper separation of authentication, authorization, and accounting (AAA) controls between the remote access VPN feature and the HTTPS management and site-to-site VPN features. The flaw, tracked as CVE-2023-20269, carries a CVSS score of 5.0 and is associated with CWE-288 and CWE-863.

An unauthenticated remote attacker can exploit the issue to conduct brute-force attacks against default connection profiles or tunnel groups in an attempt to discover valid username and password combinations. An authenticated remote attacker can also leverage the same weakness to establish a clientless SSL VPN session under an unauthorized user account when running Cisco ASA Software release 9.16 or earlier; successful exploitation does not bypass authentication requirements such as multi-factor authentication and cannot be used to establish client-based remote access VPN tunnels.

The official Cisco Security Advisory states that software updates are being released to address the vulnerability and that workarounds are available. The CVE is listed in CISA’s Known Exploited Vulnerabilities catalog.

EPSS scores for the vulnerability rose from a low baseline to a recorded peak of 0.0411, indicating that exploitation interest increased after public disclosure.

EU & UK References

Vulnerability details

A vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and password combinations or an authenticated, remote attacker to establish a clientless SSL VPN session with an unauthorized user.

This vulnerability is due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features. An attacker could exploit this vulnerability by specifying a default connection profile/tunnel group while conducting a brute force attack or while establishing a clientless SSL VPN session using valid credentials. A successful exploit could allow the attacker to achieve one or both of the following:

- Identify valid credentials that could then be used to establish an unauthorized remote access VPN session.
- Establish a clientless SSL VPN session (only when running Cisco ASA Software Release 9.16 or earlier).

Notes:

- Establishing a client-based remote access VPN tunnel is not possible as these default connection profiles/tunnel groups do not and cannot have an IP address pool configured.
- This vulnerability does not allow an attacker to bypass authentication. To successfully establish a remote access VPN session, valid credentials are required, including a valid second factor if multi-factor authentication (MFA) is configured.

Cisco will release software updates that address this vulnerability. There are workarounds that address this vulnerability.
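The brute-force vector described above is a burst of rejected authentications from one source against a default connection profile/tunnel group. The following detection sketch is an added example for this page, not code from Cisco or from the advisory: it parses constructed, simplified ASA-style syslog lines and raises an alert when a (source IP, tunnel group) pair accumulates more than a threshold of rejections inside a sliding time window, restricted to the default groups. The default profile names (DefaultWEBVPNGroup, DefaultRAGroup, DefaultL2LGroup) and the exact field layout of the log lines are assumptions for the example; real ASA 113015 messages do not carry the tunnel group in this layout, so the regex must be adapted to the fields your appliance actually emits.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Default connection profiles present on ASA/FTD (assumed names for this
# example; verify against your own 'show running-config tunnel-group').
DEFAULT_TUNNEL_GROUPS = {"DefaultWEBVPNGroup", "DefaultRAGroup", "DefaultL2LGroup"}

# Constructed, simplified ASA-style message layout. Adapt to your real format.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ "
    r"%ASA-\d-113015: AAA user authentication Rejected : reason = (?P<reason>[^:]+) : "
    r"group = (?P<group>\S+) : user = (?P<user>\S+) : user IP = (?P<ip>[\d.]+)$"
)

# Constructed sample log: one noisy source guessing several usernames against
# the default WebVPN group, one quiet source, and traffic to a named group.
SAMPLE_LOG = [
    "Sep 13 2023 10:00:01 asa1 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : group = DefaultWEBVPNGroup : user = admin : user IP = 203.0.113.5",
    "Sep 13 2023 10:00:14 asa1 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : group = DefaultWEBVPNGroup : user = admin : user IP = 203.0.113.5",
    "Sep 13 2023 10:00:30 asa1 %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : group = DefaultWEBVPNGroup : user = cisco : user IP = 203.0.113.5",
    "Sep 13 2023 10:00:47 asa1 %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : group = DefaultWEBVPNGroup : user = vpn : user IP = 203.0.113.5",
    "Sep 13 2023 10:01:05 asa1 %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : group = DefaultWEBVPNGroup : user = test : user IP = 203.0.113.5",
    "Sep 13 2023 10:01:29 asa1 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : group = DefaultWEBVPNGroup : user = admin : user IP = 203.0.113.5",
    "Sep 13 2023 10:02:00 asa1 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : group = DefaultRAGroup : user = bob : user IP = 198.51.100.7",
    "Sep 13 2023 10:03:10 asa1 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : group = DefaultRAGroup : user = bob : user IP = 198.51.100.7",
    "Sep 13 2023 10:04:00 asa1 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : group = CORP-VPN : user = alice : user IP = 192.0.2.9",
    "Sep 13 2023 10:04:05 asa1 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : group = CORP-VPN : user = alice : user IP = 192.0.2.9",
    "Sep 13 2023 10:04:09 asa1 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : group = CORP-VPN : user = alice : user IP = 192.0.2.9",
    "Sep 13 2023 10:05:00 asa1 %ASA-6-302013: Built inbound TCP connection (unrelated line, ignored)",
]


def parse_line(line):
    """Parse one rejected-authentication line; return None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %Y %H:%M:%S")
    ev["reason"] = ev["reason"].strip()
    return ev


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per (source IP, default tunnel group) pair that reaches
    `threshold` rejected authentications within any `window`-long interval."""
    stamps = defaultdict(list)   # (ip, group) -> timestamps of rejections
    users = defaultdict(set)     # (ip, group) -> usernames tried
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["group"] not in DEFAULT_TUNNEL_GROUPS:
            continue
        key = (ev["ip"], ev["group"])
        stamps[key].append(ev["ts"])
        users[key].add(ev["user"])

    alerts = []
    for key, times in stamps.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "ip": key[0],
                    "group": key[1],
                    "failures": len(times),
                    "distinct_users": len(users[key]),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Only rejections against the default groups count toward an alert; attempts against a named profile such as the constructed CORP-VPN are left to whatever lockout policy that profile already has. Pairing this detection with a limit on failed logon attempts for the default profiles, as the mitigating controls below suggest, covers both the detection and the prevention side of the brute-force vector.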

CWE(s)

KEV Date Added: 13 September 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Cisco Adaptive Security Appliance Software: 9.12.1, 9.12.1.2, 9.12.1.3, 9.12.2, 9.12.2.1
Cisco Firepower Threat Defense: 6.2.3, 6.2.3.1, 6.2.3.10, 6.2.3.11, 6.2.3.12

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly counters the root cause of improper AAA separation between remote-access VPN, HTTPS management, and site-to-site VPN features.

Prevent: Enforces distinct access-control decisions per connection profile/tunnel group so default profiles cannot be abused for brute-force or unauthorized clientless sessions.

Prevent: Limits the number of failed logon attempts against the exposed default profiles, directly mitigating the brute-force vector described in the CVE.

References