CVE-2014-3389
Description
Cisco ASA VPN tunnel filter bypass allows remote authenticated users to gain failover-unit access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The VPN implementation in Cisco ASA Software versions 7.2 before 7.2(5.15), 8.2 before 8.2(5.51), 8.3 before 8.3(2.42), 8.4 before 8.4(7.23), 8.6 before 8.6(1.15), 9.0 before 9.0(4.24), 9.1 before 9.1(5.12), 9.2 before 9.2(2.6), and 9.3 before 9.3(1.1) fails to properly implement a tunnel filter. This flaw allows crafted packets to bypass intended access controls [1]. The vulnerability is present when the device is configured to terminate IKEv1 or IKEv2 VPN connections, including LAN-to-LAN, Remote Access IPSec, and L2TP over IPSec VPNs; Clientless or AnyConnect SSL VPNs are not affected [1].
Exploitation
An attacker must be a remote authenticated VPN user. By sending specially crafted packets through the VPN tunnel, the attacker can trigger the tunnel filter bypass. No additional privileges or local access are required beyond authenticated VPN connectivity [1]. The exploit does not require user interaction from other parties.
Impact
Successful exploitation enables the attacker to obtain failover-unit access on the affected Cisco ASA device. This can lead to unauthorized access to sensitive network segments or resources that should be restricted by the tunnel filter, potentially compromising confidentiality and integrity of network traffic [1].
Mitigation
Cisco has released fixed software versions: 7.2(5.15), 8.2(5.51), 8.3(2.42), 8.4(7.23), 8.6(1.15), 9.0(4.24), 9.1(5.12), 9.2(2.6), and 9.3(1.1) [1]. Administrators should upgrade to these or later versions. There is no known workaround for this vulnerability. The issue is tracked as Bug ID CSCuq28582 [1].
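The fixed-release list above can be turned into an inventory check. The following is an added example, not code from Cisco or from this page; the function names are hypothetical, and it assumes that devices report interim builds as `8.4(7)22` where the list above writes `8.4(7.23)`, so both notations are parsed. A version match alone does not show whether the device terminates IKEv1 or IKEv2 VPNs.

```python
import re

# Fixed release per train, copied from the Mitigation paragraph above.
FIXED = {
    "7.2": "7.2(5.15)", "8.2": "8.2(5.51)", "8.3": "8.3(2.42)",
    "8.4": "8.4(7.23)", "8.6": "8.6(1.15)", "9.0": "9.0(4.24)",
    "9.1": "9.1(5.12)", "9.2": "9.2(2.6)", "9.3": "9.3(1.1)",
}

# Accepts advisory notation 8.4(7.23) and device notation 8.4(7)23 (assumed);
# maintenance and interim parts are optional, e.g. "9.3" or "8.4(7)".
_VER = re.compile(r"(\d+)\.(\d+)(?:\((\d+)(?:\.(\d+))?\)(\d+)?)?")


def parse_asa_version(text):
    """Return (major, minor, maintenance, interim), or None if no version is found."""
    m = _VER.search(text)
    if not m:
        return None
    major, minor, maint, interim_dot, interim_tail = m.groups()
    interim = interim_dot or interim_tail or "0"
    return (int(major), int(minor), int(maint or 0), int(interim))


def check_cve_2014_3389(text):
    """Classify a version string as 'vulnerable', 'fixed' or 'not-listed'."""
    ver = parse_asa_version(text)
    if ver is None:
        raise ValueError("no ASA version found in: %r" % text)
    train = "%d.%d" % ver[:2]
    if train not in FIXED:
        return "not-listed"  # train is not named on this page; assess it separately
    return "vulnerable" if ver < parse_asa_version(FIXED[train]) else "fixed"


if __name__ == "__main__":
    # Constructed sample inventory lines, not taken from real devices.
    samples = [
        "Cisco Adaptive Security Appliance Software Version 8.4(7)22",
        "Cisco Adaptive Security Appliance Software Version 9.1(5)12",
        "Cisco Adaptive Security Appliance Software Version 9.3",
        "Cisco Adaptive Security Appliance Software Version 8.5(1)",
    ]
    for line in samples:
        print("%-12s %s" % (check_cve_2014_3389(line), line))
```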
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:cisco:asa:7.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:asa:7.2.5.10:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:asa:8.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:asa:8.2.5.13:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:asa:8.2.5.22:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:asa:8.2.5.26:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:asa:8.2.5.33:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:asa:8.2.5.41:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:asa:8.2.5.46:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:asa:8.2.5.48:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:asa:8.2.5.49:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:asa:8.3:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:asa:8.3.2.25:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:asa:8.4:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:asa:8.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:asa:8.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:asa:8.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:asa:8.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:asa:8.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:asa:8.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:asa:8.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:asa:8.6:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:asa:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:asa:9.1:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:asa:9.2:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:asa:9.3:*:*:*:*:*:*:*
- Range: >= 7.2, < 7.2(5.15); >= 8.2, < 8.2(5.51); >= 8.3, < 8.3(2.42); >= 8.4, < 8.4(7.23); >= 8.6, < 8.6(1.15); >= 9.0, < 9.0(4.24); >= 9.1, < 9.1(5.12); >= 9.2, < 9.2(2.6); >= 9.3, < 9.3(1.1)