CVE-2014-2127

Cisco ASA <9.1.4.3 - Privilege Escalation

Title source: llm

Description

Cisco Adaptive Security Appliance (ASA) Software 8.x before 8.2(5.48), 8.3 before 8.3(2.40), 8.4 before 8.4(7.9), 8.6 before 8.6(1.13), 9.0 before 9.0(4.1), and 9.1 before 9.1(4.3) does not properly process management-session information during privilege validation for SSL VPN portal connections, which allows remote authenticated users to gain privileges by establishing a Clientless SSL VPN session and entering crafted URLs, aka Bug ID CSCul70099.

Exploits (1)

metasploit WORKING POC
ruby poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/cisco_ssl_vpn_priv_esc.rb

Scores

EPSS 0.3074
EPSS Percentile 96.7%

Details

CWE
CWE-20
Status published
Products (8)
cisco/adaptive_security_appliance_software 8.0
cisco/adaptive_security_appliance_software 8.1
cisco/adaptive_security_appliance_software 8.2
cisco/adaptive_security_appliance_software 8.3(1)
cisco/adaptive_security_appliance_software 8.4
cisco/adaptive_security_appliance_software 8.6
cisco/adaptive_security_appliance_software 9.0
cisco/adaptive_security_appliance_software 9.1
Published Apr 10, 2014
Tracked Since Feb 18, 2026