Cisco just disclosed a security vulnerability in their Adaptive Security Appliance that starts with…
A vulnerability in the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to access sensitive data. The attacker could use this information to conduct additional attacks.
The vulnerability occurs because the Cisco ASA does not sufficiently protect sensitive data during a Cisco AnyConnect client authentication attempt. An attacker could exploit the vulnerability by attempting to authenticate to the Cisco ASA with AnyConnect.
The disclosure page goes on to say…
Workarounds are not available.
Cisco AnyConnect, as you may already know, is a secure mobility client that organizations typically use to let their remote workforce connect into the internal network.
But it also says…
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
Whew…for a minute there, I was wondering why it was disclosed as a Medium risk vulnerability.