Cisco ASDM force Certificate check

Hello everyone,
We are using the Cisco ASDM-IDM Launcher v1.9(9). When the Launcher connects to a system with a self-signed SSL certificate, we do not receive any warning messages. Additionally, I cannot view or verify the SSL state in the Cisco ASDM-IDM Launcher.

I believe this could pose a security risk, as it might allow man-in-the-middle attacks to intercept usernames and passwords from administrators.

Is there any way or option to activate certificate validation and receive a warning if a self-signed certificate is being used or if the certificate has been changed?

Regards

Sebastian

7 Replies

jimy966brown (Level 1)

Hello,
It does not display warnings when connecting to devices using self-signed SSL certificates. There is no visible SSL status within the launcher itself. This behavior can pose a security risk because administrators could unknowingly connect to a compromised or malicious device (MITM attack), especially in environments with self-signed certificates.

Hello,
I fully agree. Even though a signed certificate has been created for the system, it doesn’t mitigate the underlying risk. Anyone using a self-signed certificate could still perform a man-in-the-middle (MITM) attack to intercept administrator credentials.

Before establishing a connection, the browser validation step is essential to ensure the certificate chain is trusted and the connection is properly secured. Only after confirming that the SSL/TLS connection behaves as expected should the system be accessed.

In my opinion, this represents a potential security vulnerability that should be addressed.

As a Java applet, the certificate validation warning (or lack thereof) when launching ASDM is taken from the security settings of your computer's Java installation. Look in your Java Control Panel, Security tab to modify that behavior.

@Marvin Rhoads ,

I'm using the asdm-openjre version, and there is no Java installation or Java Control Panel with a Security tab on my PC. It is part of the ASDM-IDM Launcher installation itself.
So there is no way to change those settings.

In the case of OpenJRE, the settings are not exposed via a GUI like the Java Control Panel. However, they should be accessible via a configuration file - e.g., C:\Program Files (x86)\Cisco Systems\ASDM\jre\lib\security\java.security.

However, I would suggest that if there is a real danger of MITM attacks on your internal network administration, that you have a much bigger problem than Java settings.
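Since the Launcher itself gives no feedback on the certificate, one practical workaround is to check the ASA's management certificate out-of-band before starting ASDM: verify it against the OS trust store, record its SHA-256 fingerprint on first sight, and warn if the fingerprint changes later. The script below is an added example written for this thread, not code from Cisco or from anyone in the discussion. It assumes a hypothetical local pin file `asdm_cert_pins.json`, a firewall hostname passed on the command line, and port 443 for the ASDM/HTTPS interface; the `evaluate` decision logic is kept separate from the network code so it can be reasoned about and tested on its own.

```python
import hashlib
import json
import socket
import ssl
import sys
from pathlib import Path

# Hypothetical pin store: {"hostname": "AA:BB:...sha256 fingerprint..."}
PIN_STORE = Path("asdm_cert_pins.json")


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0):
    """Return (der_bytes, trusted) for the certificate presented by host:port.

    trusted is True only if the chain validates against the OS trust store
    with hostname checking, i.e. what a browser would accept silently.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(binary_form=True), True
    except ssl.SSLCertVerificationError:
        pass
    # Validation failed (self-signed, wrong name, expired, ...). Reconnect
    # without verification solely to read the presented certificate; no
    # credentials are ever sent over this connection.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), False


def evaluate(host: str, fp: str, trusted: bool, pins: dict):
    """Trust-on-first-use decision. Returns (verdict, updated_pins).

    CHANGED              pinned fingerprint differs: do not connect, investigate
    OK                   chain trusted by the OS store (pin recorded/matches)
    UNTRUSTED-FIRST-SEEN untrusted chain, never seen before: verify out-of-band
    UNTRUSTED-PINNED     untrusted chain but same fingerprint as last time
    """
    pins = dict(pins)
    pinned = pins.get(host)
    if pinned is not None and pinned != fp:
        return "CHANGED", pins          # never overwrite a pin automatically
    if pinned is None:
        pins[host] = fp
        if trusted:
            return "OK", pins
        return "UNTRUSTED-FIRST-SEEN", pins
    return ("OK" if trusted else "UNTRUSTED-PINNED"), pins


def load_pins() -> dict:
    return json.loads(PIN_STORE.read_text()) if PIN_STORE.exists() else {}


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} <asa-hostname>")
        return 2
    host = argv[1]
    der, trusted = fetch_cert(host)
    fp = fingerprint(der)
    verdict, pins = evaluate(host, fp, trusted, load_pins())
    PIN_STORE.write_text(json.dumps(pins, indent=2))
    print(f"{host}: {verdict}\n  sha256 {fp}\n  trusted by OS store: {trusted}")
    # Non-zero exit on anything a browser would warn about, so a wrapper
    # script can refuse to launch ASDM until an admin has looked.
    return 0 if verdict == "OK" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a pre-launch step (for example from the batch file or shortcut that starts the Launcher) and compare the printed fingerprint with the one shown by `show crypto ca certificates` on the ASA console the first time; after that, a `CHANGED` verdict is the warning the Launcher does not give you. The pin is only written when no pin exists, so a changed certificate always stays flagged until an administrator deletes the stale entry deliberately.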

Hello Marvin,

The java.security settings are set to default.
Therefore, there should be a warning, but currently, no warning is displayed. Changing the settings seems to have no effect.

Of course, MITM (Man-in-the-Middle) attacks on internal networks are a much bigger problem than Java settings. However, when your network is under attack, the first step an attacker often takes is to escalate their privileges. Gaining access to firewalls and other infrastructure devices is one of the key steps to compromising the entire infrastructure.

During one of our fire drills and security assessments, we identified this issue.

I would enter it in a risk register and score it appropriately.

One long term mitigation would be to move off the ASA platform to FTD with a modern web UI that can be secured with a trusted certificate. In that case, your browser's certificate checking would govern the session establishment.
