Ethical Hacking News
Nearly 50,000 Cisco ASA/FTD instances remain exposed to advanced attacks due to persistent vulnerabilities in their software, with national security agencies urging organizations to patch these devices as soon as possible. The vulnerabilities have been linked to a sophisticated malware campaign and highlight the ongoing threat posed by unpatched technology.
Key points:
- Cisco ASA and FTD devices are vulnerable to two significant bugs, CVE-2025-20333 and CVE-2025-20362.
- Over 19,000 internet-facing Cisco ASA/FTD instances are at risk, with most located in the US.
- The vulnerabilities affect various software versions of ASA and FTD devices.
- Attackers are using malware like RayInitiator and Line Viper to facilitate persistent access.
- National security agencies have issued advisories warning organizations about the threat posed by these vulnerabilities.
- Cisco recommends updating detection and remediation procedures, especially for older technology.
- A 24-hour patching deadline has been set for federal civilian executive branch (FCEB) agencies due to the high likelihood of exploitation.
Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices remain vulnerable to two significant bugs, CVE-2025-20333 and CVE-2025-20362, which have been actively exploited by "advanced" attackers. The Shadowserver organization reported that as of Monday, more than 19,000 internet-facing Cisco ASA/FTD instances are at risk, with the majority located in the United States.
According to Cisco, the vulnerabilities affect ASA software versions between 9.12 and 9.23, as well as ASA and FTD versions ranging from 7.0 to 7.4 and 7.6 to 7.7. The attackers have been using malware called RayInitiator and Line Viper, which facilitate persistent access to devices and target networks.
The deployment of malware via a persistent bootkit represents a sophisticated evolution in tradecraft compared to the ArcaneDoor campaign. National security agencies such as the UK's NCSC (National Cyber Security Centre) and its equivalents in Canada, France, and the Netherlands issued separate advisories warning organizations about the threat posed by these vulnerabilities.
Cisco has recommended that organizations take note of their detection and remediation procedures, particularly for networks using older technology. The NCSC CTO Ollie Whitehouse stated that end-of-life technology presents a significant risk for organizations, emphasizing the importance of promptly migrating to modern versions of software to address vulnerabilities and strengthen resilience.
The vulnerability catalog maintained by the Cybersecurity and Infrastructure Security Agency (CISA) contains CVE-2025-20333 with a severity rating of 9.9 and CVE-2025-20362 with a rating of 6.5. The attacks have focused on devices that are no longer supported with security updates or whose support ends in August 2026.
A 24-hour patching deadline has been set for federal civilian executive branch (FCEB) agencies, the shortest patching window CISA issues. Such a deadline is reserved for cases where the likelihood of exploitation is especially high and an "unacceptable risk" to government systems would be introduced if patches are not applied.
The successful attacks seen so far were highly likely launched by the group behind the ArcaneDoor attack campaign. The attackers have been exploiting zero-day vulnerabilities, which had previously been exploited in 2024.
CISA has advised that failing to patch affected devices introduces an "unacceptable risk" to government systems and has urged organizations to follow vendor best practices and engage with the NCSC's malware analysis report to assist with their investigations.
These vulnerabilities highlight the ongoing threat posed by unpatched technology, particularly end-of-life devices. Organizations must prioritize the timely application of security patches to prevent such attacks from succeeding. The deployment of the RayInitiator and Line Viper malware underscores the growing sophistication of cyber threats and the need for effective cybersecurity measures.
Related Information:
https://www.ethicalhackingnews.com/articles/Cisco-Firewalls-Expose-50K-Devices-to-Advanced-Attacks-Due-to-Persistent-Vulnerabilities-ehn.shtml
Published: Tue Sep 30 12:40:44 2025 by llama3.2 3B Q4_K_M