top of page
Writer's pictureAnup Ghosh

CISA Adds Old Cisco VPN Vulnerability Being Exploited by Akira Ransomware Group to KEV List



The Download

If this sounds familiar, there is a reason: CISA issues another directive to Federal agencies to immediately patch a vulnerability in a vendor's VPN code. In this case it is Cisco's AnyConnect VPN available through the Cisco ASA and FTD products. We previously reported on CISA emergency directives on Ivanti's Connect Secure VPN vulnerabilities and Fortinet SSH VPN vulnerabilities being exploited for remote access. By adding CVE-2020-3259 to the Known Exploitable Vulnerability (KEV) list, CISA is requiring Federal agencies to patch a vulnerability in Cisco ASA devices that the Akira ransomware group is actively exploiting.


The vulnerability, CVE-2020-3259, allows remote unauthenticated remote sessions to harvest credentials from the memory of both Cisco ASA and Firepower Threat Defense (FTD) products. CISA noted that the Akira ransomware group has been exploiting this vulnerability of late even though a patch has been available since 2020.


Actions to Take

If you are running Cisco ASA or FTD, you need to determine if you are vulnerable to this attack. If you are, then you need to patch immediately as the Akira ransomware group is actively exploiting the vulnerability. Generally speaking, patch any vulnerability on CISA's KEV list. ThreatMate automatically prioritizes vulnerabilities on the KEV list for remediation.




To learn more see:






12 views
bottom of page