PatchDay Alert
Analysis · 5 min read · 928 words · By operations-desk

A 2020 bug leaked VPN passwords. The orgs that survived had MFA.

CVE-2020-3259 lets an unauthenticated attacker read Cisco ASA memory, sometimes including VPN credentials in cleartext. Akira ransomware used it for initial access years after the patch. The control that turned a leaked password into a non-event was multi-factor authentication.

CVE-2020-3259 was patched in May 2020. Cisco shipped the fix, the advisory went out, and the bug faded into the back catalog. Then in late 2023 and early 2024, incident responders kept finding it at the start of Akira ransomware intrusions. Truesec’s CSIRT analyzed eight Akira cases where a Cisco AnyConnect SSL VPN was the confirmed entry point and found that at least six of the appliances were running versions vulnerable to this four-year-old flaw, and later confirmed Akira had a working exploit. CISA added it to the Known Exploited Vulnerabilities catalog on February 15, 2024, with a March 7 deadline and the ransomware flag.

The detail that should change your VPN hardening priorities isn’t the bug. It’s what separated the organizations this hurt from the ones it didn’t.

What the bug does

CVE-2020-3259 is an information-disclosure vulnerability (CWE-200), CVSS 7.5, in the web services interface of Cisco ASA and FTD. A buffer-tracking error when the software parses invalid URLs lets an unauthenticated remote attacker send crafted GET requests and read back chunks of device memory. It affects specific AnyConnect and WebVPN configurations, on ASA 9.8 through 9.13 and FTD 6.2.3 through 6.5, before the patched builds.

“Read chunks of device memory” sounds abstract until you consider what’s in a VPN appliance’s memory: session data and, critically, credentials, sometimes in cleartext. An attacker who scrapes enough memory can recover a valid VPN username and password. From there they don’t need an exploit to get in. They just log in, through the front door, with real credentials, to a remote-access VPN that brokers access to the internal network. That’s why a “read-only” CVE became a ransomware initial-access vector.

A note on certainty: Cisco’s position has been more cautious than the headlines, and CVE-2020-3259 was not always provable as the exact entry in every Akira case. The broader Akira-versus-Cisco-ASA campaign also leaned on password spraying and brute force against VPNs. But Truesec demonstrated a working exploit for this specific bug, and Cisco PSIRT acknowledged renewed exploitation attempts in 2024. Whether by leaked credentials or sprayed ones, the campaign’s victims shared a pattern, and the pattern points straight at the fix that matters most.

The control that actually decided outcomes

The common thread across the Akira-into-ASA intrusions was remote-access VPNs without multi-factor authentication. That’s the whole game. A credential-disclosure bug like CVE-2020-3259 hands the attacker a username and password. Password spraying hands them a username and password. Both are defeated by the same control: if logging in requires a second factor the attacker doesn’t have, a leaked or guessed password is not enough to get in.

This reframes how to think about an entire class of VPN vulnerabilities. Bugs that leak credentials are common on perimeter devices, and you can’t prevent every one of them. What you can do is make a leaked credential insufficient on its own. MFA on remote access turns a credential-disclosure flaw from “initial access for ransomware” into “an attacker has a password that doesn’t work.” It’s the control that survives the bug you didn’t patch in time.

What to do

  • Patch ASA/FTD to a fixed build. CVE-2020-3259 was fixed in 2020; if your appliances are still on the vulnerable 9.8 through 9.13 or FTD 6.2.3 through 6.5 ranges, you are years behind on an actively-exploited, ransomware-associated flaw. Get current.
  • Require MFA on every remote-access VPN, no exceptions. This is the highest-leverage action here. If any AnyConnect or SSL VPN profile still allows password-only login, that’s the gap Akira drives through. Phishing-resistant factors are better, but any well-implemented MFA beats none.
  • Rotate VPN and local credentials if you ran exposed, unpatched appliances. A memory-disclosure bug means the secrets in memory may already be out. Treat credentials that lived on an exposed ASA as potentially compromised, and reset them, especially any that aren’t behind MFA.
  • Reduce the VPN’s attack surface. Restrict management interfaces, disable WebVPN/AnyConnect features you don’t use, and limit which networks can even reach the appliance’s web services. The memory-read bug is only reachable if an attacker can hit that interface.
  • Watch for the login that shouldn’t be. Successful VPN authentications from unusual geographies, impossible-travel patterns, or new devices are the signal that a credential is being used by someone who shouldn’t have it. MFA prevents most of these; alerting catches the rest.
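The last point, turned into a concrete check, as an added example that is not part of the original article: a small detector that reads successful VPN authentications and flags a user logging in from a device never seen before, or from a location too far from their previous login to have travelled in the elapsed time. The log tuples, device ids, coordinates and the 900 km/h threshold are all constructed for illustration.

```python
# Added example (not from the original article): flag successful remote-access VPN
# logins that look like someone else is using a leaked or sprayed credential.
# Log entries, device ids and coordinates below are constructed for illustration.
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed successful VPN logins: (timestamp, user, country, lat, lon, device id)
LOGINS = [
    ("2024-02-20T08:02:00", "alice", "US", 41.88, -87.63, "laptop-a1"),
    ("2024-02-20T08:40:00", "alice", "RO", 44.43, 26.10, "unknown-7f"),  # thousands of km away, 38 min later
    ("2024-02-20T09:10:00", "bob", "US", 40.71, -74.01, "laptop-b2"),
    ("2024-02-21T09:05:00", "bob", "US", 40.71, -74.01, "laptop-b2"),
]

MAX_SPEED_KMH = 900.0  # faster than a commercial flight counts as impossible travel


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points on the Earth's surface."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def find_suspicious_logins(logins, known_devices):
    """Return alerts as (user, timestamp, reason).

    known_devices maps a user to the set of device ids previously seen for them.
    Logins are processed in time order; each user's last login is kept so that
    the next one can be checked for impossible travel.
    """
    alerts = []
    last = {}  # user -> (datetime, lat, lon) of the previous successful login
    for ts_str, user, country, lat, lon, device in sorted(logins):
        ts = datetime.fromisoformat(ts_str)
        if device not in known_devices.get(user, set()):
            alerts.append((user, ts_str, f"new device {device} from {country}"))
        if user in last:
            prev_ts, plat, plon = last[user]
            hours = (ts - prev_ts).total_seconds() / 3600
            dist = haversine_km(plat, plon, lat, lon)
            if hours > 0 and dist / hours > MAX_SPEED_KMH:
                alerts.append((user, ts_str, f"impossible travel: {dist:.0f} km in {hours:.1f} h"))
        last[user] = (ts, lat, lon)
    return alerts


if __name__ == "__main__":
    known = {"alice": {"laptop-a1"}, "bob": {"laptop-b2"}}
    for alert in find_suspicious_logins(LOGINS, known):
        print(alert)
```

On the constructed data, alice's second login raises both a new-device and an impossible-travel alert while bob's routine logins stay silent; in practice the device and location fields come from the VPN appliance's authentication logs or a geolocation lookup on the source address.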

The reframe

It’s tempting to file this as another “patch your old Cisco gear” story, and you should patch it. But the more durable lesson is about layering. Perimeter devices will keep shipping credential-disclosure bugs, and you will not patch all of them before someone tries. The organizations that came through the Akira-ASA campaign intact weren’t the ones with a flawless patch record; they were the ones where a stolen password hit a second factor and stopped. Patch CVE-2020-3259, and then make sure that the next credential leak, from whatever the next bug turns out to be, lands on a login that demands something the attacker can’t steal from memory. We track these VPN and gateway entries closely, because the perimeter is where ransomware keeps finding its way in, and MFA is the cheapest insurance against the bugs you’ll inevitably miss.
