

Ethical Hacking News

Nearly 50,000 Cisco Firewalls Left Vulnerable to Exploitation Due to Critically Flawed Security



Nearly 50,000 Cisco firewalls are currently vulnerable to exploitation due to two severe security issues. Organizations relying on these systems must take immediate action to address the risks associated with these vulnerabilities and prevent potential data breaches.

  • Cisco has announced that nearly 50,000 of its firewalls are vulnerable to actively exploited flaws.
  • The vulnerabilities enable arbitrary code execution and access to restricted URL endpoints associated with VPN access.
  • The exploitation of these vulnerabilities started before patches were made available for customers.
  • Over 48,800 Cisco Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) appliances were exposed on the public web.
  • The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive to address the issue.
  • Devices reaching their end-of-support should be disconnected from federal organization networks by the end of September 2025.
  • Threat monitoring services have reported nearly 48,800 vulnerable instances on the public web.
  • The risks associated with these vulnerabilities are deemed severe by security experts.



    Cisco has announced that nearly 50,000 of its firewalls are vulnerable to actively exploited flaws. The vulnerabilities, tracked as CVE-2025-20333 and CVE-2025-20362, enable arbitrary code execution and access to restricted URL endpoints associated with VPN access. Both security issues can be exploited remotely without authentication.

    The flaws were first discovered by Cisco's own internal scanning tools and reported on September 25, 2025, indicating that the exploitation of these vulnerabilities started before patches were made available for customers. This highlights the speed at which threats can spread and exploit vulnerabilities in a software system, leading to significant security risks for organizations relying on these firewalls.

    The impact of this vulnerability is widespread as over 48,800 Cisco Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) appliances were exposed on the public web. This includes devices located in various parts of the world, with a high concentration in the United States, followed by the United Kingdom, Japan, Germany, Russia, Canada, and Denmark.

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA), which is part of the Department of Homeland Security, took swift action to address this issue. It issued an emergency directive, compelling all Federal Civilian Executive Branch agencies to identify any compromised ASA and FTD instances on their networks and upgrade those that would remain in service.

    Furthermore, CISA advised that devices reaching their end-of-support (EoS) should be disconnected from federal organization networks by the end of September 2025. This advice is aimed at minimizing downtime while ensuring the security of these critical systems.

    Threat monitoring services like The Shadowserver Foundation have been tracking this vulnerability, and according to their reports, nearly 48,800 vulnerable ASA and FTD instances were discovered on the public web as of September 29, 2025. This highlights a lack of response from organizations affected by this vulnerability, indicating that more needs to be done to address such threats.

    Moreover, GreyNoise had warned in late August about suspicious scans targeting Cisco ASA devices. Such scans are indicative of upcoming undocumented flaws in the targeted products and demonstrate the need for proactive cybersecurity awareness.

    The risks associated with these two vulnerabilities are deemed severe by security experts. Given that exploitation began before patches were available, there's a high risk that malicious actors could leverage these vulnerabilities to carry out devastating attacks on systems relying on Cisco firewalls.

    Notably, hackers used shellcode loader malware named 'Line Viper' followed by a GRUB bootkit named 'RayInitiator.' This detailed analysis shows the complexity and sophistication of modern cyber threats. Given this information, organizations are urged to apply Cisco's recommendations for CVE-2025-20333 and CVE-2025-20362 as soon as possible.

    While there's no workaround for these vulnerabilities, temporary measures like restricting VPN web interface exposure and increasing logging and monitoring for suspicious VPN logins and crafted HTTP requests can provide a degree of protection until patches are available.
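    One way to act on the "monitor for suspicious VPN logins" advice above, as an added example that is not from the article or from Cisco: a small triage pass over ASA syslog that flags source addresses which fail authentication across many usernames, or which open a WebVPN session after repeated rejections. The log lines are constructed and only modelled on ASA messages 113005 and 716001; the function name, thresholds and exact field layout are assumptions to adjust to your own logs.

```python
import re
from collections import defaultdict

# Constructed sample lines (documentation IP ranges), modelled on ASA syslog
# 113005 (AAA authentication rejected) and 716001 (WebVPN session started).
SAMPLE_LOG = """\
Sep 29 2025 10:00:01 fw1 : %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 192.0.2.10 : user = alice : user IP = 198.51.100.7
Sep 29 2025 10:00:03 fw1 : %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 192.0.2.10 : user = bob : user IP = 198.51.100.7
Sep 29 2025 10:00:05 fw1 : %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 192.0.2.10 : user = carol : user IP = 198.51.100.7
Sep 29 2025 10:00:09 fw1 : %ASA-6-716001: Group <VPN> User <carol> IP <198.51.100.7> WebVPN session started.
Sep 29 2025 10:02:00 fw1 : %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 192.0.2.10 : user = dave : user IP = 203.0.113.20
Sep 29 2025 10:02:30 fw1 : %ASA-6-716001: Group <VPN> User <dave> IP <203.0.113.20> WebVPN session started.
Sep 29 2025 10:05:00 fw1 : %ASA-6-716001: Group <VPN> User <erin> IP <192.0.2.55> WebVPN session started.
"""

REJECT = re.compile(r"%ASA-6-113005: .*?user = (\S+)\s*: user IP = (\S+)")
SESSION = re.compile(
    r"%ASA-6-716001: Group <?([^> ]+)>? User <?([^> ]+)>? IP <?([^> ]+)>? "
    r"WebVPN session started"
)

def triage(log_text, min_failures=3, min_users=3):
    """Return {source_ip: [tags]} for sources worth an analyst's attention."""
    failures = defaultdict(list)  # source IP -> rejected usernames, in log order
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if m:
            user, src = m.groups()
            failures[src].append(user)
            # Many distinct usernames from one address looks like spraying.
            if len(set(failures[src])) >= min_users:
                findings[src].add("spray")
            continue
        m = SESSION.search(line)
        if m:
            _group, _user, src = m.groups()
            # A session that follows a run of rejections deserves a closer look.
            if len(failures[src]) >= min_failures:
                findings[src].add("session-after-failures")
    return {src: sorted(tags) for src, tags in findings.items()}

if __name__ == "__main__":
    for src, tags in triage(SAMPLE_LOG).items():
        print(src, ", ".join(tags))
```

    A single mistyped password followed by a successful login, as with 203.0.113.20 in the sample, stays below the default thresholds and is not flagged.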

    The severity of this vulnerability underscores the importance of proactive cybersecurity strategies. Organizations must be vigilant in their response to emerging threats like these and take immediate action to address vulnerabilities in their systems.

    In conclusion, nearly 50,000 Cisco firewalls have been left vulnerable due to actively exploited flaws. This highlights the rapid pace at which threats can spread and exploit vulnerabilities in software. The severity of this issue demands swift action from organizations relying on these systems.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Nearly-50000-Cisco-Firewalls-Left-Vulnerable-to-Exploitation-Due-to-Critically-Flawed-Security-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/nearly-50-000-cisco-firewalls-vulnerable-to-actively-exploited-flaws/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-20333

  • https://www.cvedetails.com/cve/CVE-2025-20333/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-20362

  • https://www.cvedetails.com/cve/CVE-2025-20362/


  • Published: Tue Sep 30 12:12:34 2025 by llama3.2 3B Q4_K_M












