Urgent: 50,000 Cisco Firewalls at Risk From Active Attacks

Summary
– Approximately 50,000 Cisco ASA and FTD appliances are exposed online and vulnerable to two actively exploited flaws, CVE-2025-20333 and CVE-2025-20362.
– CVE-2025-20333 is a remote code execution flaw in the VPN web server and CVE-2025-20362 lets an unauthenticated attacker reach restricted VPN URL endpoints; chained, the two give an attacker code execution without any credentials.
– The U.S. CISA issued an emergency directive requiring federal agencies to identify and patch affected devices within 24 hours due to the severe risks.
– Over 48,800 internet-facing instances still running vulnerable versions were found globally, most of them in the United States, indicating a slow patching response despite active exploitation.
– Attackers have deployed malware such as ‘Line Viper’ and ‘RayInitiator,’ and administrators are urged to apply Cisco’s security updates immediately.
A significant security crisis is unfolding as attackers actively exploit vulnerabilities in approximately 50,000 Cisco Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) units connected to the internet. The two flaws, CVE-2025-20333 and CVE-2025-20362, sit in the VPN web server: the first allows arbitrary code execution, the second grants access to restricted VPN-related URL endpoints without authentication. Chained together, they let a remote attacker run code on the appliance without any credentials. Cisco issued a public alert on September 25, confirming that the flaws were already being exploited as zero-days before patches were available to customers.
Cisco lists no workarounds that remove the risk on an unpatched device. Until the update is applied, organizations can reduce exposure by restricting who can reach the VPN web interface (for example, limiting it to known source addresses), and by monitoring for unusual VPN login attempts and for unexpected or malformed HTTP requests to the VPN endpoints, which may signal exploitation attempts.
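The two interim measures above, exposure reduction and monitoring, start with two practical questions: which of my addresses present the ASA/FTD VPN portal to the internet, and is any source hammering it with failed logins? The script below is an added example written for this page, not code from Cisco, the NCSC or the cited article. It fingerprints an HTTP response for the ASA clientless VPN portal (the `/+CSCOE+/logon.html` path and the `webvpn` cookie are the portal's well-known markers) and counts rejected WebVPN authentications per source address over a sliding window. The syslog line format and the `fw1` hostname are constructed for the example and modelled on ASA's WebVPN messages; verify the regex against your own devices' output before relying on it.

```python
"""Added example (not from the article or from Cisco): two small checks for the
interim mitigations, (1) is a host exposing the ASA/FTD WebVPN portal, and
(2) which source IPs are generating bursts of rejected WebVPN logins."""
import re
import ssl
import urllib.error
import urllib.request
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Mapping, Tuple

# Well-known markers of the Cisco ASA/FTD clientless VPN portal.
WEBVPN_PATH = "/+CSCOE+/logon.html"
WEBVPN_COOKIE = "webvpn"


def looks_like_asa_webvpn(status: int, headers: Mapping[str, str], body: str) -> bool:
    """Return True if an HTTP response looks like the ASA WebVPN portal."""
    merged: Dict[str, str] = defaultdict(str)
    for name, value in headers.items():          # merge repeated headers (Set-Cookie)
        merged[name.lower()] += value + "\n"
    if 300 <= status < 400 and WEBVPN_PATH in merged["location"]:
        return True
    if WEBVPN_COOKIE in merged["set-cookie"].lower():
        return True
    return WEBVPN_PATH in body


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: the 302 to the logon page is itself the fingerprint."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(host: str, timeout: float = 5.0) -> bool:
    """Fetch https://host/ and fingerprint it. Certificate verification is
    disabled on purpose: this is an exposure inventory, and ASAs commonly
    present self-signed certificates. Requires network access."""
    opener = urllib.request.build_opener(
        _NoRedirect(), urllib.request.HTTPSHandler(context=ssl._create_unverified_context()))
    try:
        with opener.open(f"https://{host}/", timeout=timeout) as resp:
            return looks_like_asa_webvpn(resp.status, resp.headers,
                                         resp.read(4096).decode(errors="replace"))
    except urllib.error.HTTPError as err:          # 3xx/4xx still carry headers
        return looks_like_asa_webvpn(err.code, err.headers,
                                     err.read(4096).decode(errors="replace"))
    except (urllib.error.URLError, OSError):
        return False


# Constructed sample syslog in the shape of ASA WebVPN authentication messages
# (assumed format; the message IDs and layout must be checked against real output).
SAMPLE_SYSLOG = """\
Sep 29 2025 10:00:01 fw1 %ASA-6-716039: Group <DefaultWEBVPNGroup> User <admin> IP <203.0.113.9> Authentication: rejected, Session Type: WebVPN.
Sep 29 2025 10:00:07 fw1 %ASA-6-716039: Group <DefaultWEBVPNGroup> User <root> IP <203.0.113.9> Authentication: rejected, Session Type: WebVPN.
Sep 29 2025 10:00:15 fw1 %ASA-6-716039: Group <DefaultWEBVPNGroup> User <test> IP <203.0.113.9> Authentication: rejected, Session Type: WebVPN.
Sep 29 2025 10:00:20 fw1 %ASA-6-716039: Group <DefaultWEBVPNGroup> User <jsmith> IP <198.51.100.7> Authentication: rejected, Session Type: WebVPN.
Sep 29 2025 10:00:40 fw1 %ASA-6-716039: Group <DefaultWEBVPNGroup> User <cisco> IP <203.0.113.9> Authentication: rejected, Session Type: WebVPN.
Sep 29 2025 10:00:55 fw1 %ASA-6-716038: Group <DefaultWEBVPNGroup> User <jsmith> IP <198.51.100.7> Authentication: successful, Session Type: WebVPN.
Sep 29 2025 10:01:02 fw1 %ASA-6-716039: Group <DefaultWEBVPNGroup> User <guest> IP <203.0.113.9> Authentication: rejected, Session Type: WebVPN.
Sep 29 2025 10:01:30 fw1 %ASA-6-716039: Group <DefaultWEBVPNGroup> User <vpn> IP <203.0.113.9> Authentication: rejected, Session Type: WebVPN.
Sep 29 2025 10:30:00 fw1 %ASA-6-716039: Group <DefaultWEBVPNGroup> User <jsmith> IP <198.51.100.7> Authentication: rejected, Session Type: WebVPN.
"""

REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-\d+: .*?"
    r"IP <(?P<ip>[\d.]+)> Authentication: rejected")


def parse_rejections(text: str) -> List[Tuple[datetime, str]]:
    """Extract (timestamp, source IP) for every rejected WebVPN authentication."""
    out = []
    for line in text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            out.append((datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"), m["ip"]))
    return out


def rejected_auth_bursts(text: str, window: timedelta = timedelta(minutes=5),
                         threshold: int = 5) -> Dict[str, int]:
    """Per source IP, the largest number of rejections inside any `window`;
    only sources reaching `threshold` are returned (the ones worth a look)."""
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for ts, ip in parse_rejections(text):
        by_ip[ip].append(ts)
    bursts: Dict[str, int] = {}
    for ip, times in by_ip.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):                # two-pointer sliding window
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            bursts[ip] = best
    return bursts


if __name__ == "__main__":
    print(rejected_auth_bursts(SAMPLE_SYSLOG))     # {'203.0.113.9': 6}
```

Run `probe()` against the public addresses in your own inventory (with authorisation) to find portals that should not be reachable from the internet; a positive result does not by itself mean the device is vulnerable or compromised, only that the attack surface is exposed. The burst counter is deliberately simple: a single source cycling through usernames is the pattern worth catching, and a burst from one address is a trigger to check that device's version and logs, not proof of exploitation.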
Recent data from the Shadowserver Foundation, a non-profit that scans the internet for exposed and vulnerable systems, shows a troubling picture. Its scans identified over 48,800 internet-facing ASA and FTD instances still running versions affected by these vulnerabilities. The majority of the exposed IP addresses are located in the United States, accounting for more than 19,200 endpoints. Other significantly affected countries include the United Kingdom with 2,800, Japan with 2,300, Germany with 2,200, Russia with 2,100, Canada with 1,500, and Denmark with 1,200. These figures, current as of September 29, show that a large share of operators had not patched despite ongoing exploitation and repeated warnings.
There had been an earlier warning sign. On September 4, GreyNoise reported a surge of scanning against Cisco ASA devices that had started in late August. GreyNoise's research indicates that such scanning surges against a vendor's edge devices are followed by the disclosure of a new vulnerability in that product in roughly 80% of cases.
The severity of these vulnerabilities prompted an immediate response from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). CISA issued Emergency Directive ED 25-03, giving all Federal Civilian Executive Branch agencies a 24-hour window to identify Cisco ASA and FTD devices on their networks, check them for compromise, and upgrade any device that would continue in service. The directive also required agencies to permanently disconnect any ASA device that has reached its end-of-support date by the end of the month.
Analysis from the U.K.'s National Cyber Security Centre (NCSC) provided deeper insight into the attackers' tooling. The NCSC describes 'RayInitiator', a persistent multi-stage GRUB bootkit that survives reboots and firmware upgrades, which the attackers use to deploy 'Line Viper', a user-mode shellcode loader that runs on the appliance. The bootkit was observed on older ASA 5500-X models that lack Secure Boot, so devices without a hardware root of trust are the ones where a compromise can persist below the operating system and should be treated with the most suspicion.
With active attacks continuing for over a week, administrators should act without delay. Applying Cisco's security updates and following its mitigation and detection guidance for CVE-2025-20333 and CVE-2025-20362 is the most important step; on older hardware where a bootkit could have been installed, patching alone does not remove an existing implant, so those devices also need to be checked for compromise.
(Source: Bleeping Computer)