Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software allow an unauthenticated remote attacker to conduct cross-site scripting (XSS) attacks against a user of the device’s web services interface. The issues are caused by insufficient validation of user-supplied input in the web services interface. Exploitation requires persuading a user to click a crafted link, resulting in execution of arbitrary script in the context of the interface and/or access to sensitive browser-based information. The vulnerabilities affect only specific AnyConnect and WebVPN configurations.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
This repository contains a single HTML file ('xss.html') that demonstrates a proof-of-concept (POC) exploit for a cross-site scripting (XSS) vulnerability in a SAML endpoint, likely targeting Cisco web applications. The file constructs a form that submits a crafted SAMLResponse parameter containing an XSS payload ('"><svg/onload=alert('XSS')>') to the endpoint 'https://domain/+CSCOE+/saml/sp/acs?tgname=a'. The form is automatically submitted via JavaScript, simulating an attack scenario where a vulnerable server would process the malicious SAMLResponse and execute the injected JavaScript. The exploit is a POC and does not include advanced payloads or automation, but clearly demonstrates the vulnerability and its impact.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A vulnerability in Cisco ASA and FTD devices exploited for initial access by the Akira ransomware group.
A Cisco product vulnerability (XSS) listed among CVEs leveraged by Akira ransomware actors for initial access through internet-facing services.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.