Cisco patches a perfect 10.0 ‘critical’ flaw in its popular security appliance

The company says two popular enterprise products have vulnerabilities that could allow an unauthenticated, remote attacker to execute code or cause a system reload.

Cisco announced Monday a critical vulnerability in its Adaptive Security Appliance (ASA) devices and Firepower Threat Defense (FTD) software that allows an unauthenticated, remote attacker to execute code or cause a system reload.

The flaw got a perfect 10.0 on the Common Vulnerability Scoring System — a global standard run by the industry group FIRST — topping out as the highest warning possible.

The affected products are popular tools for protecting corporate networks and data centers. Users are urged to apply security updates that fix the issue.

“The vulnerability is due to an attempt to double free a region of memory when the webvpn feature is enabled on the Cisco ASA device,” Cisco explained in the Monday announcement. “An attacker could exploit this vulnerability by sending multiple, crafted XML packets to a webvpn-configured interface on the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system, or cause a reload of the affected device.”
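To make the bug class in Cisco's description concrete, here is an added C example that is not Cisco's code and has no relation to the ASA or webvpn implementation. It constructs a tiny message-parsing loop in which an error path and the shared cleanup path both release the same heap buffer (the double-free pattern), a small tracking allocator that reports the second free instead of corrupting allocator state (the same idea a sanitizer or hardened malloc uses for detection), and the fixed variant in which a single `release()` owner clears the pointer after freeing it. The message strings, the `"<bad"` marker and all function names are constructed for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed debug allocator: remembers live heap blocks so that a second
   free of the same pointer is reported (and skipped) instead of being passed
   to the real allocator a second time. */
#define MAX_LIVE 64
static void *live[MAX_LIVE];
static int double_free_count = 0;

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (!p) return NULL;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == NULL) { live[i] = p; return p; }
    }
    free(p);               /* table full: refuse rather than lose track of it */
    return NULL;
}

/* Returns 1 if the block was freed, 0 if this was a double free. */
static int tracked_free(void *p) {
    if (p == NULL) return 1;                 /* free(NULL) is a no-op */
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) { live[i] = NULL; free(p); return 1; }
    }
    double_free_count++;
    fprintf(stderr, "double free detected for %p\n", p);
    return 0;
}

static int get_double_free_count(void) { return double_free_count; }
static void reset_double_free_count(void) { double_free_count = 0; }

/* Per-message parser state owning one heap buffer. */
typedef struct { char *buf; } parse_state;

/* Vulnerable pattern (constructed): on a malformed message the error path
   frees the buffer, and the common cleanup at the end of the iteration frees
   it again. Returns the number of malformed messages seen. */
static int parse_messages_vulnerable(const char **msgs, int n) {
    int errors = 0;
    for (int i = 0; i < n; i++) {
        parse_state st;
        st.buf = tracked_malloc(strlen(msgs[i]) + 1);
        if (!st.buf) return -1;
        strcpy(st.buf, msgs[i]);
        if (strncmp(st.buf, "<bad", 4) == 0) {
            tracked_free(st.buf);            /* first free: error path */
            errors++;
        }
        tracked_free(st.buf);                /* second free: shared cleanup */
    }
    return errors;
}

/* Hardened pattern: one release routine owns the pointer and clears it, so a
   second release on any path becomes a harmless free(NULL). */
static void release(parse_state *st) {
    tracked_free(st->buf);
    st->buf = NULL;
}

static int parse_messages_fixed(const char **msgs, int n) {
    int errors = 0;
    for (int i = 0; i < n; i++) {
        parse_state st;
        st.buf = tracked_malloc(strlen(msgs[i]) + 1);
        if (!st.buf) return -1;
        strcpy(st.buf, msgs[i]);
        if (strncmp(st.buf, "<bad", 4) == 0) {
            release(&st);
            errors++;
        }
        release(&st);
    }
    return errors;
}

int main(void) {
    /* Constructed sample input: two well-formed and two malformed messages. */
    const char *msgs[] = { "<ok/>", "<bad/>", "<ok/>", "<bad/>" };
    parse_messages_vulnerable(msgs, 4);
    printf("vulnerable parser: %d double frees detected\n", get_double_free_count());
    reset_double_free_count();
    parse_messages_fixed(msgs, 4);
    printf("fixed parser: %d double frees detected\n", get_double_free_count());
    return 0;
}
```

The tracking allocator is the detection half of the story: in production code the same check is what AddressSanitizer or a hardened allocator performs, which is why fuzzing a parser under a sanitizer surfaces this class of bug long before it reaches a device. The `release()` helper is the mitigation half: a single owner that nulls the pointer after freeing it turns a repeated cleanup into a no-op instead of an allocator-state corruption.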


The vulnerability was found by Cedric Halbronn from the NCC Group. Halbronn is giving a talk about the vulnerability on Feb. 2 in Brussels at the REcon security conference.

There appears to have been some advance public knowledge of the vulnerability before the announcement was made, according to Cisco, but the company “is not aware of any malicious use of the vulnerability.”

You can read Cisco’s full announcement and the technical writeup here.
