CVE-2024-20481 — Cisco ASA and FTD Denial-of-Service Vulnerability

CVE-2024-20481

Cisco ASA/FTD RAVPN — Resource Exhaustion via Credential Stuffing Attacks Causes VPN Service Denial-of-Service

What is Cisco ASA/FTD Remote Access VPN?

Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) provide Remote Access VPN (RAVPN) services — allowing remote employees to connect securely to corporate networks via AnyConnect/Secure Client VPN. RAVPN services are always internet-facing and must accept connection attempts from any IP address (employees connecting from various locations). This makes RAVPN endpoints a consistent target for credential stuffing and brute force attacks, where attackers try large volumes of username/password combinations against the VPN login.

Overview

CVE-2024-20481 is a resource exhaustion vulnerability in the RAVPN service of Cisco ASA and FTD that can be triggered by a high volume of VPN authentication requests, the kind of traffic generated by credential stuffing or password spray attacks. Because the service does not release connection resources once an authentication attempt has finished (CWE-772), the RAVPN service exhausts its connection pool, resulting in a denial-of-service condition for legitimate VPN users. Cisco disclosed and patched the vulnerability on October 23, 2024; CISA added it to KEV the following day, confirming active exploitation in the context of ongoing credential stuffing campaigns.

Affected Versions

Product | Status
Cisco ASA (RAVPN enabled) | Patched per Cisco advisory cisco-sa-asaftd-bf-dos-vDZhLqrW
Cisco FTD (RAVPN enabled) | Patched per Cisco advisory

Technical Details

CWE-772 (Missing Release of Resource After Effective Lifetime). The RAVPN service allocates connection resources for each authentication attempt it processes. A flaw in resource lifecycle management means those resources are not released properly after an authentication attempt fails or completes. Under a high volume of authentication requests, such as the traffic generated by automated credential stuffing tools, the accumulated unreleased resources exhaust the RAVPN service's connection pool. Once the pool is exhausted, legitimate VPN connections are refused, denying remote access to employees for as long as the attack continues.

The Scope Changed (S:C) rating reflects that the impact extends beyond just the RAVPN service — a successful denial-of-service disrupts all remote workers' ability to access corporate systems, potentially affecting business operations across the entire organization, not just the ASA/FTD device itself.

Discovery

The vulnerability was identified in the context of widespread credential stuffing campaigns targeting Cisco VPN endpoints that Cisco had been tracking throughout 2024. The one-day turnaround for the CISA KEV addition indicates that the vulnerability was already being actively exploited at the time the advisory was published.

Exploitation Context

Credential stuffing attacks against Cisco RAVPN are perpetually active — large botnet operations continuously probe exposed VPN endpoints with leaked credential databases. CVE-2024-20481 adds a denial-of-service dimension to these attacks: in addition to attempting to gain unauthorized VPN access, the volume of attempts itself now causes a service disruption. This can serve as a distraction attack (disrupting VPN while conducting other operations) or a pure denial-of-service against organizations that depend on VPN for remote work.

Remediation

  1. Apply the patch from Cisco Security Advisory cisco-sa-asaftd-bf-dos-vDZhLqrW to all ASA/FTD devices with RAVPN enabled.
  2. Enable multi-factor authentication (MFA) for all RAVPN connections — MFA eliminates the effectiveness of credential stuffing even when authentication attempts are high volume.
  3. Configure threat detection on the ASA/FTD to rate-limit or block sources generating excessive failed authentication attempts.
  4. Implement geographic IP restrictions on RAVPN access where feasible — blocking authentication attempts from regions where no employees are located reduces the volume of credential stuffing traffic.
  5. Monitor RAVPN authentication logs for unusual patterns: high volumes of failed attempts, attempts from previously unseen IP ranges, or unusual authentication timing.
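Step 5 in practice: the following detector is an added example (not Cisco's code or tooling) that parses ASA syslog message 113005 (AAA user authentication Rejected) and flags sources that burst past a failure threshold inside a sliding window or that cycle through many usernames from one address. The "timestamp hostname" prefix, the thresholds and the sample log lines are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta
# ASA syslog ID 113005 (AAA user authentication Rejected); the "ts host" prefix is an assumption.
LINE_RE = re.compile(
    r"(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-6-113005: "
    r"AAA user authentication Rejected : reason = [^:]+ : server = \S+ : "
    r"user = (?P<user>\S+) : user IP = (?P<ip>\S+)$"
)

def parse(lines):
    """Extract (timestamp, source IP, username) from each rejected-auth line, oldest first."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return sorted(events)

def flag_sources(lines, window_sec=60, fail_threshold=10, spray_users=5):
    """Map source IP -> reason for sources that burst past fail_threshold rejects
    inside a sliding window, or that cycle through spray_users distinct usernames."""
    per_ip = {}
    for ts, ip, user in parse(lines):
        per_ip.setdefault(ip, []).append((ts, user))
    flagged = {}
    for ip, ev in per_ip.items():
        names = {u for _, u in ev}
        if len(names) >= spray_users:
            flagged[ip] = f"password spray: {len(names)} usernames"
            continue
        start = 0
        for end in range(len(ev)):  # slide start forward until the window fits
            while ev[end][0] - ev[start][0] > timedelta(seconds=window_sec):
                start += 1
            if end - start + 1 >= fail_threshold:
                flagged[ip] = f"burst: {end - start + 1} failures within {window_sec}s"
                break
    return flagged

def sample_lines():
    """Constructed sample log (not real traffic): one bursting source, one spraying
    source, and a legitimate user who mistyped a password twice."""
    fmt = ("Oct 23 2024 09:00:{sec:02d} asa1 %ASA-6-113005: AAA user authentication "
           "Rejected : reason = Invalid password : server = 10.0.0.5 : "
           "user = {user} : user IP = {ip}")
    lines = [fmt.format(sec=2 * s, user="jdoe", ip="198.51.100.7") for s in range(12)]
    lines += [fmt.format(sec=10 + s, user=f"user{s}", ip="203.0.113.9") for s in range(6)]
    lines += [fmt.format(sec=20 * s, user="asmith", ip="192.0.2.5") for s in range(2)]
    return lines
```

Flagged sources are candidates for the rate-limiting or blocking described in step 3; the legitimate user with two failures is not reported.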

Key Details

CVE ID: CVE-2024-20481
Vendor / Product: Cisco — Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)
NVD Published: 2024-10-23
NVD Last Modified: 2025-10-28
CVSS 3.1 Score: 5.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
Severity: MEDIUM
CWE: CWE-772
CISA KEV Added: 2024-10-24
CISA KEV Deadline: 2024-11-14
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: None
Integrity: None
Availability: Low

Required Action

CISA BOD 22-01 Deadline: 2024-11-14. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

2024-10-23: Cisco publishes advisory and patches for CVE-2024-20481
2024-10-24: Added to CISA Known Exploited Vulnerabilities catalog
2024-11-14: CISA BOD 22-01 remediation deadline