Actively Exploited 0-Day Vulnerability Impacts Cisco Firewalls


Key Takeaways:

  • Cisco ASA and FTD firewalls are affected by actively exploited zero-day vulnerabilities.
  • Over 48,000 devices are potentially at risk.
  • Immediate patching and security measures are crucial.


Cisco has recently confirmed the presence of two actively exploited zero-day vulnerabilities affecting its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls. This situation, impacting over 48,000 devices, poses a risk to network defenses and requires immediate attention.


Understanding the Vulnerabilities

The two vulnerabilities, identified as CVE-2025-20333 and CVE-2025-20362, allow attackers to execute arbitrary code on affected devices. Cisco has issued security advisories indicating that exploits for both vulnerabilities are already in use.

  • CVE-2025-20333: Allows remote code execution, granting full operating system control. This vulnerability requires network access to the management interface.
  • CVE-2025-20362: Enables privilege escalation and command injection, requiring valid user credentials.

The severity of these vulnerabilities is reflected in their CVSS 3.1 scores: 9.8 for CVE-2025-20333 and 9.1 for CVE-2025-20362. These scores indicate the potential for significant damage, including bypassing perimeter security, data theft, and lateral movement within corporate networks.

Scope of the Impact

As of September 29, 2025, Shadowserver’s daily vulnerable HTTP report indicated that over 48,800 publicly reachable IP addresses were running outdated firewall versions and were therefore susceptible to these vulnerabilities. The United States tops the list of exposed hosts, followed by Germany, Brazil, India, and the United Kingdom.

The vulnerabilities affect Cisco ASA and FTD devices running software versions through 9.18.1.17. Organizations using legacy ASA models or those that have not applied recent maintenance releases are at increased risk.

Technical Analysis

The root cause of these vulnerabilities lies in inadequate input validation and memory handling routines within the affected ASA and FTD software. Cisco’s patches address these issues by implementing stricter validation and fixing memory management processes.

The attack vector for CVE-2025-20333 involves exploiting the management interface, emphasizing the importance of restricting access to this interface to trusted IP addresses only. For CVE-2025-20362, the requirement of valid user credentials highlights the necessity of strong password policies and multi-factor authentication.

The ease with which these vulnerabilities can be exploited makes them especially dangerous. The ability to run arbitrary code or escalate privileges can give attackers control over affected firewalls, allowing them to bypass security measures and gain access to sensitive data or internal networks.

Practical Takeaways

  • Immediate Patching: Update ASA/FTD software to Maintenance Release 9.18.1.18 or later.
  • Management Access Restrictions: Limit web and API access to ASA/FTD interfaces to trusted IPs.
  • Credential Hardening: Enforce multi-factor authentication and strong passwords for firewall admin accounts.
  • Log Monitoring: Watch for unusual admin logins, configuration changes, or traffic patterns.
  • Network Segmentation: Isolate critical assets behind additional layers of security.
  • Threat Intelligence: Subscribe to daily vulnerability and threat feeds (such as Shadowserver's reports) and cross-check your organization's public IP ranges against them.
  • Patch Management: Establish rapid patch processes to mitigate risks.
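The "Management Access Restrictions" and "Log Monitoring" recommendations above can be operationalized together: ASA syslog already records every management login and every configuration command, so a small triage script can flag admin logins arriving from outside the trusted management range and any configuration activity. The following is an added example written for this post, not code from Cisco or the original article; it assumes ASA syslog in its default text form (message IDs 605005 login permitted, 605004 login denied, 111008 command executed), and the trusted network and sample log lines are constructed placeholders.

```python
"""Triage Cisco ASA syslog lines for management-plane activity worth reviewing."""
import ipaddress
import re

# Assumed trusted management network (placeholder for this example).
TRUSTED_MGMT = [ipaddress.ip_network("10.10.0.0/24")]

# ASA login messages: 605005 = login permitted, 605004 = login denied.
LOGIN_RE = re.compile(
    r'%ASA-6-60500[45]: Login (?P<result>permitted|denied) from '
    r'(?P<src>[\d.]+)/\d+ to \S+ for user "(?P<user>[^"]+)"'
)
# ASA 111008 records each command executed in configuration mode.
CONFIG_RE = re.compile(
    r"%ASA-5-111008: User '(?P<user>[^']+)' executed the '(?P<cmd>[^']+)' command"
)

def is_trusted(src: str) -> bool:
    """True when the source address falls inside an allowed management network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_MGMT)

def triage(lines):
    """Return (severity, reason, line) tuples for log lines an analyst should review."""
    findings = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            if not is_trusted(m["src"]):
                # A successful login from outside the management range is the worst case.
                sev = "high" if m["result"] == "permitted" else "medium"
                findings.append((sev, f"admin login {m['result']} from untrusted {m['src']}", line))
            continue
        m = CONFIG_RE.search(line)
        if m:
            findings.append(("medium", f"config command by {m['user']}: {m['cmd']}", line))
    return findings

# Constructed sample lines (not real device output).
SAMPLE = [
    'Sep 29 2025 10:01:02 fw1 %ASA-6-605005: Login permitted from 10.10.0.5/51234 to inside:10.10.0.1/ssh for user "admin"',
    'Sep 29 2025 10:05:17 fw1 %ASA-6-605004: Login denied from 203.0.113.44/40012 to outside:198.51.100.1/https for user "admin"',
    'Sep 29 2025 10:06:40 fw1 %ASA-6-605005: Login permitted from 203.0.113.44/40020 to outside:198.51.100.1/https for user "admin"',
    "Sep 29 2025 10:07:01 fw1 %ASA-5-111008: User 'admin' executed the 'configure terminal' command.",
    'Sep 29 2025 10:09:00 fw1 %ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.9/443',
]

if __name__ == "__main__":
    for sev, reason, _ in triage(SAMPLE):
        print(f"[{sev}] {reason}")
```

Feeding the script a real syslog export (one message per line) in place of SAMPLE gives a first-pass review list; a permitted login from an untrusted address followed by configuration commands is exactly the sequence the takeaways above are meant to prevent.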

Recent Cyber Security Events: Allianz Life Data Breach

In July, Allianz Life experienced a data breach that impacted nearly 1.5 million individuals, with names, addresses, dates of birth, and Social Security numbers compromised. The breach occurred through unauthorized access to a third-party cloud-based Customer Relationship Management (CRM) system. In a separate incident, attackers abused Extended Validation (EV) code-signing certificates to sign disk image (DMG) payloads that evaded detection, allowing them to bypass security checks. These incidents underscore the importance of supply-chain risk monitoring and securing third-party relationships.

Several other cybersecurity incidents have been reported recently, reflecting the ongoing challenges faced by organizations:

  • VMware Zero-Day Vulnerability: A critical zero-day local privilege escalation (CVE-2025-41244) in VMware Tools and VMware Aria Operations is actively exploited, allowing unprivileged local users to gain root-level code execution.
  • Detour Dog DNS Malware: A stealthy DNS malware campaign uses DNS TXT records for command and control, infecting thousands of websites.
  • Malicious DMG Malware: Hackers are abusing EV Certificates to sign completely undetectable DMG Malware.

These incidents highlight the need for comprehensive cyber threat intelligence, breach detection capabilities, and a proactive approach to security. Organizations should consider implementing solutions such as a cyber threat intelligence platform, real-time ransomware intelligence feeds, and dark web monitoring services to enhance their security posture.

Relevance to PurpleOps Services

PurpleOps provides a range of services that can help organizations address the risks associated with these vulnerabilities and broader cybersecurity threats.

  • Cyber Threat Intelligence: PurpleOps offers comprehensive cyber threat intelligence services, including underground forum intelligence and Telegram threat monitoring, to provide organizations with early warnings about emerging threats and vulnerabilities. This intelligence can be used to proactively identify and mitigate risks before they are exploited.
  • Breach Detection: PurpleOps’s breach detection capabilities can help organizations identify and respond to security incidents quickly and effectively. By monitoring network traffic, system logs, and user behavior, PurpleOps can detect malicious activity and alert security teams to potential breaches.
  • Supply Chain Risk Monitoring: PurpleOps offers supply chain risk monitoring services to help organizations assess and manage the security risks associated with their vendors and partners. This includes identifying vulnerabilities in third-party systems and monitoring the dark web for mentions of compromised credentials or data leaks.
  • Red Team Operations and Penetration Testing: PurpleOps’s red team operations and penetration testing services can help organizations identify and address vulnerabilities in their systems and networks. By simulating real-world attacks, PurpleOps can help organizations understand their security posture and prioritize remediation efforts.
  • Dark Web Monitoring: The dark web monitoring service PurpleOps provides offers brand leak alerting that helps companies protect their external assets.

By leveraging these services, organizations can improve their ability to detect, respond to, and prevent cyberattacks. The live ransomware API offered by PurpleOps provides real-time data that can be integrated into existing security systems to enhance threat detection and response capabilities.

For more information about how PurpleOps can help your organization improve its cybersecurity posture, please explore our platform or contact us for a consultation.

FAQ

Q: What are the affected Cisco products?

A: Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls.

Q: What is the immediate action I should take?

A: Update ASA/FTD software to Maintenance Release 9.18.1.18 or later.

Q: What are the CVSS scores for these vulnerabilities?

A: 9.8 for CVE-2025-20333 and 9.1 for CVE-2025-20362.