Threats / Cisco / CVE-2023-20269
CVE-2023-20269
· EUVD no mirror located
· GCVE no mirror located
Verified 2026-06-22
Cisco Adaptive Security Appliance and Firepower Threat Defen vulnerability
Cisco ASA and FTD contain an authentication bypass vulnerability allowing unauthenticated remote attackers to conduct brute force attacks against VPN credentials or establish unauthorized clientless SSL VPN sessions.
Verdict
Today item, not a backlog item.
An unauthenticated remote attacker can exploit weak authentication controls to brute force valid credentials or bypass authentication entirely, gaining unauthorized VPN access to protected networks. Active exploitation and ransomware deployment have been observed.
01
Is it exploitable?
— the evidence, ranked above the scoreReported exploitation
54 independent public reports of in-the-wild exploitation are cataloged.Distinct reporting sources (vendor, incident response, government); open them for the underlying claims.
Exploited in the wild
Listed in the CISA Known Exploited Vulnerabilities catalog (added 2023-09-13), flagged for known ransomware use.
Probability (EPSS)
EPSS 0.21583 — modeled likelihood of exploitation activity.EPSS is a daily-changing model output — open the source for today's value.
Severity / affected
Affected: Cisco, Adaptive Security Appliance and Firepower Threat Defense. Confirm exact fixed builds in the vendor advisory.
Weakness (CWE)
Mapped to CWE-288 Auth Bypass via Alternate Path — weakness family: Authentication.CWE assignment from the public NVD record; the weakness class drives how the flaw is exploited.
02
Who’s exploiting it?
— attribution turns risk into urgencyAkira Ransomware
The #StopRansomware joint advisory AA24-109A reports that Akira ransomware affiliates gain initial access through Cisco VPN appliances lacking MFA, naming the group and the Cisco ASA/FTD CVEs they exploit to do so.11
03
Why it matters
— the attack path, told twice: adversary, then board1
Front door — unauthenticated access narrative 1
Attacker
I probe the VPN endpoint to identify it as a Cisco ASA or FTD device without requiring authentication.
Business
Perimeter security controls fail to prevent reconnaissance of critical access points.
2
Keys to the kingdom — privilege/identity takeover narrative 2
Attacker
I conduct brute force attacks against VPN credentials or exploit the authentication bypass to establish a clientless SSL VPN session without valid credentials.
Business
Attackers gain direct network access, bypassing multi-factor authentication and access controls.
3
Lateral reach — past segmentation narrative 3
Attacker
I establish a persistent presence inside the network to conduct lateral movement and deploy ransomware or exfiltrate sensitive data.
Business
Ransomware campaigns and data breaches compromise business continuity, customer trust, and regulatory compliance.
04
What to do
— defensible action- Remediate per the vendor advisory — confirm the fixed build for your version and verify exposure.1
Say it to the boardA vulnerability with this evidence profile is a defensible budget line, not a backlog ticket — fund the change against the proof above.
05