
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability (CVE-2020-3125) was discovered in the Kerberos authentication feature of Cisco Adaptive Security Appliance (ASA) Software. The vulnerability, disclosed on May 6, 2020, allows an unauthenticated, remote attacker to impersonate the Kerberos key distribution center (KDC) and bypass authentication on affected devices configured for Kerberos authentication for VPN or local device access (Cisco Advisory, SecurityWeek).
The vulnerability stems from insufficient identity verification of the KDC when a successful authentication response is received. An attacker could exploit this vulnerability by spoofing the KDC server response to the ASA device. The vulnerability has been assigned a high severity rating with a CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and affects multiple versions of Cisco ASA Software, including versions 9.8 through 9.13 (NVD, The Register).
If successfully exploited, this vulnerability allows attackers to bypass authentication mechanisms on affected devices, potentially gaining unauthorized access to VPN or local device resources. This is particularly concerning for organizations using Kerberos authentication for secure access control (The Register).
Cisco has released software updates to address this vulnerability in ASA Software Releases 9.6.4.40, 9.8.4.15, 9.9.2.66, 9.10.1.37, 9.12.3.2, and 9.13.1.7. No workarounds are available for this vulnerability, making it critical for affected organizations to apply the provided patches (Cisco Advisory).
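For patch triage, the fixed releases listed above can be checked against a device's reported version. The following is an added example, not code from Cisco or from this database; the function names, the sample inputs, and the use of an `aaa-server <group> protocol kerberos` line as the sign that Kerberos authentication is configured are assumptions.

```python
import re

# Fixed releases exactly as listed on this page, keyed by (major, minor) train.
FIXED = {
    (9, 6): (9, 6, 4, 40), (9, 8): (9, 8, 4, 15), (9, 9): (9, 9, 2, 66),
    (9, 10): (9, 10, 1, 37), (9, 12): (9, 12, 3, 2), (9, 13): (9, 13, 1, 7),
}

# Matches the device display form "9.8(4)15", the dotted advisory form
# "9.8.4.15", and shorter forms such as "9.12(3)" or "9.13.1".
_VER = re.compile(r"(\d+)\.(\d+)(?:[.(](\d+)\)?(?:\.?(\d+))?)?")

# Assumption: a Kerberos AAA server group is declared with this config line.
_KRB = re.compile(r"^\s*aaa-server\s+\S+\s+protocol\s+kerberos\b", re.M)


def parse_asa_version(text):
    """Return (major, minor, maintenance, interim); missing parts become 0."""
    m = _VER.search(text)
    if m is None:
        raise ValueError(f"no ASA version found in {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def kerberos_fix_status(version_text):
    """Compare a release with the fixed release of the same train."""
    version = parse_asa_version(version_text)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # The page names no fixed release for this train; check the advisory.
        return "train-not-listed"
    return "fixed" if version >= fixed else "needs-update"


def triage(show_version_line, running_config):
    """Return (fix status, whether a Kerberos AAA group is configured)."""
    return (kerberos_fix_status(show_version_line),
            bool(_KRB.search(running_config)))


# Constructed sample inputs, not captured from a real device.
SAMPLE_VERSION = "Cisco Adaptive Security Appliance Software Version 9.8(4)10"
SAMPLE_CONFIG = ("aaa-server KRB-GRP protocol kerberos\n"
                 "aaa-server KRB-GRP (inside) host 192.0.2.10\n")

if __name__ == "__main__":
    print(triage(SAMPLE_VERSION, SAMPLE_CONFIG))
```

A `train-not-listed` result means this page gives no fixed release for that train, so the Cisco advisory has to be consulted rather than the device being assumed safe.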
Source: This report was generated using AI