CVE-2014-2120 — Cisco Adaptive Security Appliance (ASA) Cross-Site Scripting (XSS) Vulnerability

CVE-2014-2120

Cisco ASA WebVPN — Reflected XSS in Login Page Enables Credential Harvesting and Session Hijacking Against VPN Users

What Is Cisco ASA?

Cisco Adaptive Security Appliance (ASA) is one of the most widely deployed enterprise firewall and VPN appliances in the world. The WebVPN feature provides clientless SSL VPN access — users authenticate through a web-based portal served directly by the ASA, then access internal resources through the browser without installing a VPN client. This portal is internet-facing by design and is the authentication gateway for remote employees and contractors accessing corporate networks.

Because the WebVPN login page is the first thing a user sees when accessing a corporate VPN, it is an extremely high-value phishing and credential harvesting target. An XSS vulnerability in this page allows attackers to inject malicious JavaScript into what appears to be the legitimate corporate VPN portal.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on November 12, 2024. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2014-2120 is a reflected cross-site scripting (XSS) vulnerability in the WebVPN login page of Cisco Adaptive Security Appliance (ASA). An HTTP parameter in the WebVPN login page is reflected in the HTML response without proper output encoding. An attacker crafts a URL to the organization's ASA WebVPN portal with a malicious payload in the vulnerable parameter; when a user clicks the link, the injected JavaScript executes in the context of the ASA domain in their browser — enabling session hijacking, credential theft via fake form overlays, or redirection to phishing sites. Patched in March 2014, the vulnerability was added to CISA's KEV catalog in November 2024 — confirming active exploitation a decade after the fix was available.

Affected Versions

Cisco ASA | Status
All versions with WebVPN enabled prior to the March 2014 fix | Vulnerable

Consult the Cisco Security Advisory for specific fixed software versions per ASA release train (8.x, 9.x). Any ASA still running pre-March-2014 WebVPN-enabled software is vulnerable.

Technical Details

Root Cause: Unencoded Reflection of HTTP Parameter

The Cisco ASA WebVPN login page processes HTTP request parameters and renders their values in the HTML page sent back to the user's browser. One or more parameters are reflected into the page's HTML output without HTML encoding — specifically without converting special characters like <, >, and " to their HTML entity equivalents.

Attack URL format:

https://vpn.corp.example.com/+CSCOE+/logon.html?fcadbadd=<script>malicious_code_here</script>

When a user follows this link, the <script> tag is injected into the login page HTML. The script executes in the security context of the ASA's WebVPN domain (e.g., vpn.corp.example.com) — the same origin as the actual VPN portal.

Attack Scenarios

Credential harvesting: The injected JavaScript overlays a fake credential form on top of the real login page, collecting usernames and passwords as users type them and exfiltrating them to an attacker-controlled server — while appearing to be the legitimate corporate VPN portal.

Session token theft: If an already-authenticated user follows the malicious link, the JavaScript can read their WebVPN session cookie (if not HttpOnly) and send it to the attacker, enabling session hijacking.

Phishing redirect: The script redirects the user to a cloned login page on an attacker-controlled domain after harvesting credentials, making the attack difficult to detect.

Why the Corporate VPN Portal Is a High-Value Target

The ASA WebVPN login page is:

  • Internet-facing — accessible to any internet user
  • Trusted — users expect to authenticate here with their VPN credentials
  • High-value credentials — VPN credentials provide access to the internal corporate network
  • URL-based attack — the entire attack is delivered via a URL that appears to point to the legitimate corporate VPN portal

Attack Characteristics

Attribute | Detail
Attack Vector | Network — crafted URL sent via phishing/email
User Interaction | Required (victim clicks the malicious link)
Authentication Required | None (login page is pre-authentication)
XSS Type | Reflected (non-persistent)
CWE | CWE-79: Cross-site Scripting

Discovery

Reported to Cisco by independent security researchers. Cisco published a security advisory and fixed software versions on March 19, 2014.

Exploitation Context

  • 2024 KEV addition: CISA added CVE-2014-2120 to the KEV catalog in November 2024 — ten years after the patch — confirming that large numbers of ASA deployments remain unpatched and are actively being exploited
  • VPN credential campaigns: Threat actors have increasingly targeted VPN infrastructure for initial access, particularly post-COVID-19 when remote access expanded massively; legacy ASA XSS vulnerabilities are a component of credential harvesting campaigns
  • Phishing infrastructure: This XSS is particularly useful in spear-phishing campaigns because the malicious URL appears to point to the target organization's own VPN portal — bypassing link reputation checks
  • Chaining with other ASA vulnerabilities: Threat actors targeting Cisco ASA infrastructure often chain multiple vulnerabilities; XSS-harvested credentials can provide access that enables exploitation of authenticated vulnerabilities
  • Nation-state actors: Multiple threat groups (including those associated with ransomware and state-sponsored espionage) have targeted Cisco ASA WebVPN interfaces for credential theft

Remediation

CISA BOD 22-01 Deadline: December 3, 2024. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

  1. Upgrade Cisco ASA software to a version that addresses CVE-2014-2120, per Cisco Security Advisory cisco-sa-20140319-cve-2014-2120. Any ASA running a version older than the March 2014 fix is vulnerable.

  2. Verify the current ASA software version: In the ASA CLI, run show version. Compare against the fixed releases in the Cisco advisory.

  3. Enable multi-factor authentication (MFA) for WebVPN — even if credentials are harvested via XSS, MFA prevents their use for unauthorized login.

  4. Monitor WebVPN logs for unusual authentication patterns: high failure rates, logins from unexpected geographic locations, or access outside business hours.

  5. Educate remote users about VPN login URL verification — warn that they should only click VPN links from known-good bookmarks or IT-provided shortcuts, not from email links.

  6. Implement web application firewall (WAF) rules as a compensating control if immediate patching is not possible — rules blocking reflected XSS patterns in WebVPN request parameters.
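As an added example (not code from the page or from Cisco), the unencoded reflection described under Root Cause beside its encoded form, plus a detector over constructed access-log lines that flags requests to the WebVPN logon page carrying markup in a query parameter, the kind of request the log monitoring in step 4 and the WAF rule in step 6 are meant to catch. The hidden-field template, the Common Log Format lines (as a reverse proxy or WAF in front of the portal would write them) and the function names are assumptions; the logon path and the fcadbadd parameter name come from the page.

```python
import html
import re
from urllib.parse import urlsplit, parse_qsl, unquote

LOGON_PATH = "/+CSCOE+/logon.html"      # WebVPN login page path from the advisory
MARKUP_CHARS = re.compile(r'[<>"\']')   # characters that turn reflected text into markup

def reflect_unsafe(value: str) -> str:
    """Pre-fix behaviour (assumed template): the parameter lands in the HTML verbatim."""
    return f'<input type="hidden" name="fcadbadd" value="{value}">'

def reflect_safe(value: str) -> str:
    """Fixed behaviour: encode <, >, &, " and ' so the browser treats the value as text."""
    return f'<input type="hidden" name="fcadbadd" value="{html.escape(value, quote=True)}">'

def suspicious_params(target: str) -> list:
    """(name, decoded value) pairs of a logon-page request whose query parameter
    contains markup characters after one round of URL decoding."""
    parts = urlsplit(target)
    if unquote(parts.path) != LOGON_PATH:
        return []                         # other paths are out of scope for this check
    return [(name, value)
            for name, value in parse_qsl(parts.query, keep_blank_values=True)
            if MARKUP_CHARS.search(value)]

# Common Log Format as written by a reverse proxy or WAF in front of the portal (assumption).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Constructed sample lines: one reflected-XSS probe, one benign logon hit, one unrelated path.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Nov/2024:09:14:02 +0000] "GET /+CSCOE+/logon.html?fcadbadd=%3Cscript%3Emalicious_code_here%3C%2Fscript%3E HTTP/1.1" 200 5120',
    '198.51.100.4 - - [12/Nov/2024:09:15:11 +0000] "GET /+CSCOE+/logon.html?reason=timeout HTTP/1.1" 200 5120',
    '198.51.100.9 - - [12/Nov/2024:09:16:30 +0000] "GET /portal/index.html?q=%3Cb%3E HTTP/1.1" 200 800',
]

def scan_log(lines) -> list:
    """(client_ip, param_name, decoded_value) for every request that hit the WebVPN
    logon page with markup in a query parameter; non-CLF lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            for name, value in suspicious_params(m.group("target")):
                findings.append((m.group("ip"), name, value))
    return findings
```

The detector applies a single round of URL decoding; double-encoded or otherwise obfuscated values need the same normalisation the ASA or proxy performs before the check is meaningful.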

Key Details

Property | Value
CVE ID | CVE-2014-2120
Vendor / Product | Cisco — Adaptive Security Appliance (ASA)
NVD Published | 2014-03-19
NVD Last Modified | 2025-10-22
CVSS 3.1 Score | 6.1
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity | MEDIUM
CWE | CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CISA KEV Added | 2024-11-12
CISA KEV Deadline | 2024-12-03
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector | Network
Attack Complexity | Low
Privileges Required | None
User Interaction | Required
Scope | Changed
Confidentiality | Low
Integrity | Low
Availability | None

Required Action

CISA BOD 22-01 Deadline: 2024-12-03. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date | Event
2014-03-19 | Cisco Security Advisory published; CVE-2014-2120 disclosed; patched ASA software versions released
2014-03-19 | CVE-2014-2120 published by NVD
2024-11-12 | Added to CISA Known Exploited Vulnerabilities catalog — exploitation confirmed a decade after patch
2024-12-03 | CISA BOD 22-01 remediation deadline