Cisco ASA Firewalls Under Active Attack from Zero-Day Exploits
▼ Summary
– Cisco is warning customers to patch two actively exploited zero-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) impacting its firewall software.
– The first vulnerability allows authenticated attackers to execute arbitrary code, while the second lets unauthenticated attackers access restricted URLs.
– Cisco has released security patches and strongly recommends that customers upgrade their software to a fixed release to remediate these flaws.
– The company also patched a third critical vulnerability (CVE-2025-20363) that could allow unauthenticated remote code execution, though it was not directly linked to the ongoing attacks.
– These patches follow recent large-scale reconnaissance campaigns targeting Cisco devices, which often precede the disclosure of new vulnerabilities.
Cisco has issued an urgent security alert, advising customers to immediately patch two zero-day vulnerabilities that are currently being exploited in the wild. These critical flaws affect the company’s widely deployed Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) software. The first vulnerability, tracked as CVE-2025-20333, permits authenticated, remote attackers to execute arbitrary code on vulnerable systems. The second, identified as CVE-2025-20362, allows unauthenticated attackers to gain access to restricted URL endpoints. Cisco confirmed its Product Security Incident Response Team is aware of active exploitation attempts and strongly urges administrators to upgrade to a fixed software release without delay.
The company acknowledged the assistance of several international cybersecurity agencies in investigating these threats, including the Australian Cyber Security Centre, the Canadian Centre for Cyber Security, the UK National Cyber Security Centre, and the U.S. Cybersecurity and Infrastructure Security Agency. In the same security update, Cisco also addressed a third critical vulnerability, CVE-2025-20363, which affects both firewall and Cisco IOS software. This flaw could allow unauthenticated attackers to remotely execute arbitrary code, though Cisco has not directly linked it to the ongoing attacks.
This latest warning follows recent observations from cybersecurity firm GreyNoise, which detected two large-scale reconnaissance campaigns in late August. These campaigns involved up to 25,000 unique IP addresses targeting ASA login portals and Cisco IOS Telnet/SSH services exposed online. Historically, such widespread scanning activity has often preceded the public disclosure of new security vulnerabilities. Earlier this week, Cisco also released patches for a high-severity zero-day flaw in its IOS and IOS XE software, which is similarly under active exploitation. This pattern of critical vulnerabilities follows a May warning about a maximum severity flaw in IOS XE software for Wireless LAN Controllers that enabled complete remote device takeover.
(Source: Bleeping Computer)
