Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
CriticalCISA KEVExploited in the wildPublic exploit

Unauthorized Access and Credential Brute Force in Cisco ASA/FTD Remote Access VPN

IdentifiersCVE-2023-20269CWE-288· Authentication Bypass Using an…

CVE-2023-20269 is an unauthorized access vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. The flaw is caused by improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features. An attacker can exploit the issue by specifying a default connection profile/tunnel group while conducting authentication attempts or while establishing a clientless SSL VPN session using valid credentials. Successful exploitation can enable an unauthenticated remote attacker to perform brute-force attempts to identify valid username and password combinations, and can enable an authenticated remote attacker to establish a clientless SSL VPN session as an unauthorized user. Cisco notes that the issue does not bypass authentication; valid credentials are still required to establish a session, including a valid second factor where MFA is configured. The clientless SSL VPN session impact applies only to Cisco ASA Software Release 9.16 or earlier.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

The primary impact is unauthorized access facilitation and credential discovery against exposed Cisco ASA/FTD remote access VPN services. An unauthenticated attacker can use the flaw to brute-force and validate username/password combinations more effectively against the VPN interface. If valid credentials are obtained or already known, an attacker may establish an unauthorized clientless SSL VPN session, limited to Cisco ASA Software Release 9.16 or earlier. This can provide initial access into the victim environment and has been reported as actively exploited in the wild, including by Akira ransomware operators. The vulnerability does not permit authentication bypass by itself and does not enable establishment of a client-based remote access VPN tunnel because the affected default connection profiles/tunnel groups do not and cannot have an IP address pool configured.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, implement Cisco-provided workarounds from the official advisory. Based on the provided content, defensive measures include enforcing MFA for all VPN access, restricting use of the LOCAL user database where possible, using Dynamic Access Policies (DAP), and adjusting vpn-simultaneous-logins settings. More broadly, reduce exposure of clientless SSL VPN where not required, monitor VPN authentication logs for brute-force activity, and limit internet exposure of affected services until patched.

Remediation

Patch, then assume compromise.

Apply Cisco software updates that address CVE-2023-20269. Cisco stated that fixed software releases were to be provided via its official security advisory. Organizations should upgrade affected Cisco ASA and Cisco FTD deployments to a remediated release and verify that remote access VPN configuration no longer exposes the vulnerable AAA behavior. Because the issue has been actively exploited, remediation should be prioritized for internet-exposed VPN gateways.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Cisco SystemsAdaptive Security Appliance Softwareoperating_system
Cisco SystemsFirepower Threat Defenseapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
shroudcloudNews
Apr 14, 2026
Akira - ShroudCloud

A Cisco ASA/FTD vulnerability described as a zero-day that allows brute-force attacks against AAA functions without rate limiting, enabling Akira initial access against VPN endpoints lacking MFA.

Read more
sophos threat researchNews
Jan 1, 2026
Akira, again: The ransomware that keeps on taking | SOPHOS

A vulnerability in Cisco ASA VPN infrastructure that Akira actors likely exploited to gain unauthorized remote access VPN access for initial intrusion.

Read more
polyswarmNews
Sep 8, 2025
Recent Ransomware Threats to the Healthcare Vertical

A vulnerability exploited by Akira ransomware to compromise Windows, Linux, and ESXi systems, leading to ransomware deployment in healthcare organizations.

Read more
zeropath blogNews
Aug 14, 2025
Cisco ASA/FTD Remote Access SSL VPN DoS (CVE-2025-20244): Brief Summary and Technical Review - ZeroPath Blog | ZeroPath

A zero-day vulnerability in Cisco ASA/FTD SSL VPN that the content states was actively exploited by ransomware groups.

Read more
+10 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence4

Every observed campaign linking this CVE to a named adversary.

Associated malware9

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity4

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2023-20269
NVD
nvd.nist.gov/vuln/detail/CVE-2023-20269
MITRE CWE · CWE-288
Authentication Bypass Using an Alternate Path…
Vendor Advisory
sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ravpn-auth-8LyfCkeC
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-20269