PatchDay Alert
Analysis · 4 min read · 759 words By operations-desk

The unlocked side door on your Cisco VPN was the default group nobody configured

CVE-2023-20269 let attackers brute-force Cisco ASA VPN credentials and establish unauthorized sessions, both by abusing default connection profiles that ship enabled. Akira and LockBit used it for initial access. The fix is patching plus hardening the defaults you never touched.


CVE-2023-20269 is the other half of the Cisco ASA story that fed Akira and LockBit ransomware in 2023. Where the CitrixBleed-style memory leak in CVE-2020-3259 handed attackers credentials, this one handed them the door to use them. Cisco’s advisory describes a flaw in the remote-access VPN feature that lets an unauthenticated attacker brute-force valid username and password combinations, and lets an attacker who already holds valid credentials establish a clientless SSL VPN session as a user who is not authorized for one. Both vectors route through the same overlooked place: the default connection profiles and group policy that ship on the device and that most administrators never lock down. NVD scores it 9.1; Cisco scores it 5.0 (Medium). The ransomware crews that used it for initial access didn’t care about the number.

What the bug is

The root cause is improper separation of authentication, authorization, and accounting (AAA) between the remote-access VPN feature and the HTTPS management and site-to-site VPN features. In practice, an attacker names a default connection profile or tunnel group that belongs to one of those other features (DefaultADMINGroup, which exists for HTTPS management, or DefaultL2LGroup, which exists for site-to-site tunnels) when conducting a brute-force attack or when establishing a session, and because the AAA handling is not kept separate, the remote-access VPN endpoint accepts the request instead of refusing a profile that was never meant to serve remote users. It affects both ASA and FTD, with ASA 9.16 and earlier among the impacted releases, and CISA added it to the Known Exploited Vulnerabilities catalog on September 13, 2023, with an October 4 remediation deadline and the ransomware flag set.

One thing the advisory makes explicit and worth repeating: valid credentials are still required to actually establish a VPN session, and the flaw does not bypass MFA. Where multi-factor authentication is enforced, the brute-force vector is a dead end, because a guessed password alone never completes a login. Arctic Wolf’s investigations into the Akira intrusions through Cisco VPNs found the common denominator was, again, no MFA.

The lesson: your VPN defaults are attack surface

The reason this is worth a separate look from the credential-leak bug is the mechanism. CVE-2023-20269 didn’t exploit something exotic; it exploited the configuration that came in the box. Default connection profiles, the default group policy (DfltGrpPolicy), and the absence of lockout and MFA enforcement are all things that exist on the appliance from day one and that a lot of deployments never revisit. The attackers went looking for exactly those defaults because they’re predictable and present everywhere.

That generalizes. On any access device, the settings you never touched are the ones an attacker can assume are still in their default state, and default states tend to favor “it works out of the box” over “it’s locked down.” Hardening the defaults is unglamorous and it’s precisely where this class of bug lives.

What to do

  • Patch ASA/FTD to a fixed release. Cisco shipped updates; get current. The patch addresses the AAA-separation flaw directly.
  • Lock down the default groups. Cisco’s mitigation guidance is specific and worth applying even after patching, as defense in depth: use Dynamic Access Policies (DAP) to terminate VPN tunnels that use DefaultADMINGroup or DefaultL2LGroup, and set vpn-simultaneous-logins for DfltGrpPolicy to 0 so the default group policy can’t be used to establish a session. One caveat when you go to verify the DAP piece: the record’s action (terminate) shows up in the running-config, but the match on the tunnel-group name is set in the DAP editor and stored in dap.xml, so confirm it there rather than by grepping the config.
  • Enforce MFA on remote-access VPN. This is the control that breaks both the brute-force vector here and the credential-replay vector in the related ASA bugs. If any tunnel group still allows password-only login, that’s the gap.
  • Add brute-force defenses. Enable login lockout/throttling and alert on bursts of failed VPN authentications, which is the visible signature of the brute-force vector. On ASA, aaa local authentication attempts max-fail only covers accounts in the LOCAL database; for profiles backed by RADIUS or LDAP, the lockout has to be enforced on the authentication server, so check both places.
  • Audit your tunnel groups and connection profiles. Confirm you know every profile that exists, that none rely on default settings, and that the ones you don’t use are disabled. The fewer default-state entry points, the smaller the target.
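The audit in the last four bullets is mechanical enough to script. The following is an added example, not Cisco guidance or code from this page: it parses two constructed ASA running-config excerpts (one with the shipped defaults untouched, one hardened) and reports which of the controls above are missing. The tunnel-group and AAA-server names (CORP_RA, RADIUS, MFA, VPN_POOL) are invented for the example; the commands themselves are standard ASA CLI. Two assumptions are baked in and marked in comments: the DAP check can only confirm that a terminate record exists, because the DefaultADMINGroup/DefaultL2LGroup match lives in dap.xml, and “second factor present” is inferred from a secondary authentication server group or SAML, so a single RADIUS server that pushes MFA out-of-band would show up as a false positive to verify by hand.

```python
import re
from typing import Dict, List

# Constructed running-config excerpts (not taken from any real device).
# WEAK_CONFIG leaves DfltGrpPolicy, DAP and lockout at their defaults and
# authenticates the remote-access profile against the LOCAL database only.
WEAK_CONFIG = """\
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.5
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
tunnel-group CORP_RA type remote-access
tunnel-group CORP_RA general-attributes
 authentication-server-group LOCAL
 address-pool VPN_POOL
tunnel-group CORP_RA webvpn-attributes
 group-alias corp enable
"""

# HARDENED_CONFIG applies the controls from the list above.
HARDENED_CONFIG = """\
aaa local authentication attempts max-fail 5
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.5
aaa-server MFA protocol radius
aaa-server MFA (inside) host 10.1.1.6
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
dynamic-access-policy-record DAP_DenyDefaultGroups
 action terminate
tunnel-group CORP_RA type remote-access
tunnel-group CORP_RA general-attributes
 authentication-server-group RADIUS
 secondary-authentication-server-group MFA
 address-pool VPN_POOL
tunnel-group CORP_RA webvpn-attributes
 group-alias corp enable
"""


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Group an ASA running-config into header line -> indented attribute lines.
    Top-level commands with no children map to an empty list."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def audit_asa_config(config: str) -> List[str]:
    """Return one finding per missing control; an empty list means all checks passed."""
    blocks = parse_blocks(config)
    findings: List[str] = []

    # 1. The default group policy must not be able to establish a session.
    dflt = blocks.get("group-policy DfltGrpPolicy attributes", [])
    if "vpn-simultaneous-logins 0" not in dflt:
        findings.append("DfltGrpPolicy: vpn-simultaneous-logins is not 0")

    # 2. A DAP record with 'action terminate' must exist. Assumption: the match on
    #    DefaultADMINGroup/DefaultL2LGroup is stored in dap.xml, not here, so only
    #    the record's presence can be checked from the running-config.
    if not any(h.startswith("dynamic-access-policy-record ") and "action terminate" in attrs
               for h, attrs in blocks.items()):
        findings.append("DAP: no dynamic-access-policy-record with 'action terminate'")

    # 3. Lockout for LOCAL accounts (RADIUS/LDAP lockout lives on the server).
    if not any(h.startswith("aaa local authentication attempts max-fail") for h in blocks):
        findings.append("AAA: no 'aaa local authentication attempts max-fail' lockout")

    # 4. Every explicit remote-access tunnel group needs a second factor. Assumption:
    #    a secondary-authentication-server-group or SAML counts; anything else is
    #    reported as password-only and should be verified manually.
    for header in blocks:
        m = re.fullmatch(r"tunnel-group (\S+) type remote-access", header)
        if not m:
            continue
        tg = m[1]
        general = blocks.get(f"tunnel-group {tg} general-attributes", [])
        webvpn = blocks.get(f"tunnel-group {tg} webvpn-attributes", [])
        has_second = any(a.startswith("secondary-authentication-server-group") for a in general)
        has_saml = any(a.startswith("authentication saml") for a in webvpn)
        if not (has_second or has_saml):
            findings.append(f"tunnel-group {tg}: no second factor configured (password-only login)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_asa_config(cfg) or ["all checks passed"])
```

Feed it the output of show running-config from each appliance; the findings list maps one-to-one onto the bullets above, so an empty list is the target state.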

The reframe is short. Two of the bugs that fed the same ransomware campaign against Cisco VPNs in 2023 succeeded not because the appliances were exotic but because their defaults were untouched and their logins were single-factor. Patch CVE-2023-20269, then spend an hour on the configuration that came with the box: lock the default groups, turn on MFA, and make brute force noisy and slow. The vulnerability is Cisco’s to fix; the default configuration that made it useful was the operator’s to harden. We track these VPN entries closely because the perimeter is where ransomware keeps getting in, and the defaults are where it keeps finding room.
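“Make brute force noisy” means someone has to be watching the authentication log. The following is an added example, not code from this page or from Cisco: a small detector run over constructed ASA syslog lines that uses the real message IDs for AAA rejections (113005 for an external server, 113015 for the local database), WebVPN rejections (716039) and address assignment on a new session (722051). The timestamp prefix and hostname are assumptions about the collector’s format and the IPs and usernames are invented. It flags any source that accumulates a threshold of failures inside a sliding window, and escalates to critical when the same source then establishes a session, which is the shape of a guessed password being used.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample log. The message bodies follow the ASA syslog formats for
# these IDs; the "<ISO timestamp> <host>" prefix is an assumption about the
# collector and may need adjusting for yours.
SAMPLE_LOG: List[str] = [
    "2023-09-05T10:15:01 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 203.0.113.10",
    "2023-09-05T10:15:03 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 203.0.113.10",
    "2023-09-05T10:15:06 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = vpnadmin : user IP = 203.0.113.10",
    "2023-09-05T10:15:09 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = cisco : user IP = 203.0.113.10",
    "2023-09-05T10:15:12 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = jsmith : user IP = 203.0.113.10",
    "2023-09-05T10:15:15 fw01 %ASA-6-716039: Group <DefaultWEBVPNGroup> User <jsmith> IP <203.0.113.10> Authentication: rejected, Session Type: WebVPN.",
    "2023-09-05T10:15:18 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.1.1.5 : user = mlee : user IP = 203.0.113.10",
    "2023-09-05T10:15:40 fw01 %ASA-6-722051: Group <CORP_RA> User <jsmith> IP <203.0.113.10> IPv4 Address <10.10.10.5> IPv6 address <::> assigned to session",
    "2023-09-05T11:02:10 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = bob : user IP = 198.51.100.7",
    "2023-09-05T11:02:20 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = bob : user IP = 198.51.100.7",
    "2023-09-05T11:02:31 fw01 %ASA-6-722051: Group <CORP_RA> User <bob> IP <198.51.100.7> IPv4 Address <10.10.10.6> IPv6 address <::> assigned to session",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ %ASA-\d-(?P<id>\d{6}): (?P<msg>.*)$")
REJECT_IDS = {"113005", "113015"}   # AAA authentication rejected (server / local db)
WEBVPN_REJECT_ID = "716039"         # WebVPN authentication rejected
SESSION_ID = "722051"               # address assigned: a VPN session was established


def parse_event(line: str) -> Optional[dict]:
    """Normalise one syslog line into {ts, ip, user, kind} or None if irrelevant."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, mid, msg = datetime.fromisoformat(m["ts"]), m["id"], m["msg"]
    if mid in REJECT_IDS:
        user = re.search(r"user = (\S+)", msg)
        ip = re.search(r"user IP = (\S+)", msg)
        if user and ip:
            return {"ts": ts, "ip": ip[1], "user": user[1], "kind": "reject"}
    elif mid in (WEBVPN_REJECT_ID, SESSION_ID):
        g = re.search(r"Group <(.+?)> User <(.+?)> IP <(.+?)>", msg)
        if g:
            kind = "reject" if mid == WEBVPN_REJECT_ID else "session"
            return {"ts": ts, "ip": g[3], "user": g[2], "group": g[1], "kind": kind}
    return None


def detect_bruteforce(lines: List[str], threshold: int = 5, window_s: int = 60) -> Dict[str, dict]:
    """Return {source_ip: finding} for every source with >= threshold failures
    inside window_s seconds; a session from that source at or after the burst
    escalates the finding to critical."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    findings: Dict[str, dict] = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        fails = [e for e in events if e["kind"] == "reject"]
        burst_end = None
        for i in range(len(fails)):                  # sliding window over failures
            j = i + threshold - 1
            if j < len(fails) and (fails[j]["ts"] - fails[i]["ts"]).total_seconds() <= window_s:
                burst_end = fails[j]["ts"]
                break
        if burst_end is None:
            continue
        sessions_after = [e for e in events if e["kind"] == "session" and e["ts"] >= burst_end]
        findings[ip] = {
            "failures": len(fails),
            "users": sorted({e["user"] for e in fails}),   # many users = spraying
            "session_after_burst": bool(sessions_after),
            "severity": "critical" if sessions_after else "high",
        }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, finding)
```

The two-failure, then-success pattern from 198.51.100.7 is a user mistyping a password and is left alone; the burst from 203.0.113.10 followed by a session is exactly what the MFA gap lets through. Tune threshold and window_s to your traffic, and when this fires with no MFA on the tunnel group, treat the session as the intrusion rather than the alert as the end of it.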
