Lyrie
active-exploitation · ACTIVELY EXPLOITED · 3 sources verified
By Lyrie Threat Intelligence · 10/24/2024

What happened

CISA added CVE-2024-20481 to the Known Exploited Vulnerabilities (KEV) catalog, confirming in-the-wild exploitation against Cisco ASA and FTD appliances [CISA KEV]. The flaw allows an unauthenticated, remote attacker to cause a denial-of-service against the Remote Access VPN (RAVPN) service on affected devices [NVD entry]. CISA’s entry identifies the weakness as a “missing release of resource after effective lifetime,” mapping to CWE-772 and explicitly tying the impact to RAVPN availability [CISA KEV].

Federal agencies are directed to apply mitigations per vendor instructions or discontinue use if mitigations are unavailable, with a remediation due date of 2024-11-14 [CISA KEV]. The CVE registration is tracked by MITRE and NIST, confirming the product scope as Cisco ASA and FTD and the impact as service-level denial-of-service [MITRE CVE].

Why it matters

RAVPN downtime blocks remote workforce access and interrupts operations, since the attack targets the VPN service itself rather than user authentication or data paths [CISA KEV]. Because exploitation is unauthenticated and remote, the attack has a low barrier to execution and can be triggered without valid credentials [NVD entry]. KEV inclusion signifies observed exploitation in the wild and elevates prioritization for defenders and FCEB agencies [CISA KEV].

Technical detail

The vulnerability is categorized as a missing release of resource after effective lifetime, CWE-772, meaning that allocated resources are not relinquished when they should be, so a finite pool can be exhausted over time or through crafted input, resulting in loss of availability [NVD entry]. In this case, the reachable target is the Remote Access VPN (RAVPN) service on Cisco ASA and FTD appliances, and successful exploitation causes a denial-of-service condition for that service [CISA KEV]. The attack is explicitly described as unauthenticated and remote, meaning any adversary who can reach the RAVPN service over the network can trigger the fault without VPN credentials or administrative access [NVD entry].
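To make the CWE-772 mechanism concrete, the following is an added illustration (not Cisco code and not the ASA/FTD defect itself) of a hypothetical, constructed negotiation-slot pool for a VPN-style service. The pool, its capacity and the peer names are all assumptions chosen for the model. With no effective lifetime, a slot is released only when the peer completes negotiation, so unauthenticated attempts that never complete hold slots indefinitely and legitimate users are refused; with a lifetime and a reaper, the same abandoned attempts are released and service continues.

```python
"""Constructed model of CWE-772 (missing release of resource after effective
lifetime) in a VPN-style negotiation slot pool. Not vendor code."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class NegotiationPool:
    """Finite pool of in-progress session negotiation slots (hypothetical).

    lifetime=None models the CWE-772 pattern: a slot is released only when the
    peer completes the negotiation, so an abandoned negotiation holds it forever.
    A numeric lifetime models the fix: slots past their effective lifetime are
    reaped before new work is admitted.
    """
    capacity: int
    lifetime: Optional[float] = None
    slots: Dict[str, float] = field(default_factory=dict)  # peer id -> start time (s)

    def reap(self, now: float) -> int:
        """Release slots older than the effective lifetime; returns how many."""
        if self.lifetime is None:
            return 0
        expired = [p for p, t0 in self.slots.items() if now - t0 > self.lifetime]
        for p in expired:
            del self.slots[p]
        return len(expired)

    def begin(self, peer: str, now: float) -> bool:
        """Reserve a slot for a new negotiation; False means the pool is exhausted."""
        self.reap(now)
        if len(self.slots) >= self.capacity:
            return False
        self.slots[peer] = now
        return True

    def complete(self, peer: str) -> None:
        """Normal path: a peer that finishes negotiating gives its slot back."""
        self.slots.pop(peer, None)


def run_scenario(lifetime: Optional[float], capacity: int = 50,
                 abandoned: int = 50, legit_users: int = 10) -> int:
    """Fill the pool with negotiations that never complete, then count how many
    legitimate users can still obtain a slot well after the effective lifetime."""
    pool = NegotiationPool(capacity=capacity, lifetime=lifetime)
    for i in range(abandoned):            # unauthenticated attempts at t=0, never completed
        pool.begin(f"abandoned-{i}", now=0.0)
    admitted = 0
    for i in range(legit_users):          # legitimate users arrive at t=300 s
        if pool.begin(f"user-{i}", now=300.0):
            pool.complete(f"user-{i}")    # they finish and release their slot
            admitted += 1
    return admitted


if __name__ == "__main__":
    print("no lifetime (CWE-772):", run_scenario(lifetime=None))   # 0 users admitted
    print("60 s lifetime:", run_scenario(lifetime=60.0))            # 10 users admitted
```

The point the model makes is that the fix is not about the attacker's traffic but about the service's own bookkeeping: once every reserved resource has an effective lifetime that the service enforces, abandoned work cannot accumulate beyond what arrives within one lifetime window.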

CISA’s catalog entry names the affected products as Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD), focusing the impact specifically on the RAVPN service rather than asserting device-wide failure [CISA KEV]. The CVE record maintained by MITRE aligns on the vulnerability identifier and vendor, providing canonical tracking for cross-referencing remediation guidance and downstream advisories [MITRE CVE].

Defense

  • Required action: apply vendor mitigations or discontinue use if mitigations are unavailable, as mandated in the KEV catalog for CVE-2024-20481 [CISA KEV].
  • Prioritize this item in remediation pipelines due to confirmed exploitation, and meet the 2024-11-14 due date for federal environments where applicable [CISA KEV].
  • Operationally monitor for RAVPN service instability and user tunnel failures that may indicate ongoing DoS attempts against ASA/FTD gateways, correlating with the availability-focused impact described for this CVE [NVD entry].
  • Reduce exposure where possible by restricting unsolicited access to the RAVPN service and tightening ingress policies during remediation windows, given the unauthenticated remote attack model [NVD entry].
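As a starting point for the monitoring item above, here is an added detection example (not Lyrie's or Cisco's code) that scans syslog lines from a VPN gateway for handshake churn: sources that open many TLS handshakes within a sliding window but complete almost none, which is the traffic shape an availability attack on a session-negotiation resource tends to leave behind. The message IDs 725001/725002/725006, the message layout and the sample lines are assumptions modelled on ASA SSL handshake syslog and should be checked against your own appliance's syslog reference; the thresholds are arbitrary defaults to tune against your baseline.

```python
"""Added example: per-source TLS handshake churn detector over gateway syslog.
Message IDs and line layout are assumptions; sample log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Optional, Tuple

STARTED, COMPLETED, FAILED = "725001", "725002", "725006"   # assumed ASA SSL message IDs

# Assumed layout: "<Mon DD YYYY HH:MM:SS> <host> %ASA-6-<id>: ... client <if>:<ip>/<port> ..."
PATTERN = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{4} \d{2}:\d{2}:\d{2}) .*?%ASA-\d-(?P<msgid>72500[126]):"
    r".*?client \w+:(?P<src>[\d.]+)/\d+"
)


def parse(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Extract (timestamp, message id, source IP) or None for unrelated lines."""
    m = PATTERN.search(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"), m["msgid"], m["src"]


class HandshakeChurnDetector:
    """Flags a source when, within the window, it has started at least
    min_started handshakes and completed no more than max_completion_ratio of them."""

    def __init__(self, window_s: int = 60, min_started: int = 10,
                 max_completion_ratio: float = 0.2) -> None:
        self.window_s = window_s
        self.min_started = min_started
        self.max_completion_ratio = max_completion_ratio
        self.events: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)

    def feed(self, line: str) -> Optional[dict]:
        parsed = parse(line)
        if parsed is None:
            return None
        ts, msgid, src = parsed
        q = self.events[src]
        q.append((ts, msgid))
        while q and (ts - q[0][0]).total_seconds() > self.window_s:   # slide the window
            q.popleft()
        started = sum(1 for _, m in q if m == STARTED)
        completed = sum(1 for _, m in q if m == COMPLETED)
        if started >= self.min_started and completed / started <= self.max_completion_ratio:
            return {"src": src, "started": started, "completed": completed, "at": ts}
        return None


def scan(lines, **kwargs) -> Dict[str, dict]:
    """Run the detector over a log stream; returns the latest alert per source."""
    det = HandshakeChurnDetector(**kwargs)
    alerts: Dict[str, dict] = {}
    for line in lines:
        alert = det.feed(line)
        if alert:
            alerts[alert["src"]] = alert
    return alerts


# ---- constructed sample log (not real appliance output) ----
_TEXT = {STARTED: "Starting SSL handshake with client",
         COMPLETED: "Device completed SSL handshake with client",
         FAILED: "Device failed SSL handshake with client"}


def _line(sec: int, msgid: str, src: str, port: int) -> str:
    return (f"Oct 24 2024 10:00:{sec:02d} asa-gw %ASA-6-{msgid}: {_TEXT[msgid]} "
            f"outside:{src}/{port} to 192.0.2.1/443 for TLSv1.2 session")


SAMPLE_LOG = [_line(i, STARTED, "203.0.113.5", 40000 + i) for i in range(12)]  # never completes
for i in range(3):                                                             # normal user
    SAMPLE_LOG.append(_line(20 + 2 * i, STARTED, "198.51.100.7", 50000 + i))
    SAMPLE_LOG.append(_line(21 + 2 * i, COMPLETED, "198.51.100.7", 50000 + i))

if __name__ == "__main__":
    for src, a in scan(SAMPLE_LOG).items():
        print(f"churn from {src}: {a['started']} started, {a['completed']} completed")
```

Pair the per-source signal with an aggregate one (total handshakes started per window across all sources, and the gateway's own RAVPN session and CPU health) so that a distributed burst, where no single source crosses the threshold, is still visible; and feed confirmed churn sources to the ingress restriction described in the last bullet rather than acting on a single window.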

For authoritative tracking and updates, rely on the KEV listing and the NVD/MITRE CVE records while vendor-specific mitigations are applied [CISA KEV] [NVD entry] [MITRE CVE].

Lyrie Verdict

This is a classic service-exhaustion fault against a public-facing VPN endpoint: unauthenticated, remote, and already exploited, which makes it automation-grade for both attackers and defenders [CISA KEV]. Lyrie continuously ingests KEV to pre-prioritize internet-exposed targets and applies machine-speed correlation between RAVPN session churn, service health signals, and inbound burst patterns to flag CWE-772–style resource-exhaustion behaviors in near real time [NVD entry]. We auto-escalate detections tied to KEV CVE-2024-20481 and can orchestrate traffic shunting and containment policies to preserve VPN availability while patching proceeds, aligning response to the confirmed exploitation status and required action timeline [CISA KEV].
