Vulnerabilities in Cisco Secure Firewall ASA and FTD actively exploited
Cisco released security updates for vulnerabilities in Cisco Secure Firewall ASA and FTD. The vulnerabilities CVE-2025-20333 - CVSS (v3) 9.9, CVE-2025-20363 - CVSS (v3) 9.0 and CVE-2025-20362 - CVSS (v3) 6.5 are currently being actively exploited on unpatched systems.

T-Update
This live blog contains information about vulnerabilities in Cisco Secure Firewall ASA and FTD. Cisco has released security updates to address these vulnerabilities.
The following CVEs are affected:
CVE-2025-20333 – Remote Code Execution (CVSS 9.9)
CVE-2025-20362 – Unauthorized Access (CVSS 6.5)
CVE-2025-20363 – Remote Code Execution (CVSS 9.8)
Active exploitation
Cisco and the NCSC confirm that attempted exploits have been observed. Although no public exploit is yet available, the NCSC expects one to be released shortly, increasing the risk of large-scale attacks. Our analysis shows that the vulnerabilities are currently being actively exploited and are linked to malware.
Last updated on September 26, 2025.
Background
Cisco has fixed multiple vulnerabilities in the Cisco Secure Firewall Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Software. These vulnerabilities are located in the VPN Web Server component and could allow attackers to access sensitive system components without authentication or even execute arbitrary code with root privileges. The vulnerabilities are caused by insufficient validation of user input in HTTPS requests. In some cases, only a VPN account is required to exploit the vulnerability. The T-SOC is closely monitoring the situation.
Risk
Analysis shows that CVE-2025-20333 and CVE-2025-20362 are being exploited together: CVE-2025-20362 serves as the gateway or stepping stone, after which CVE-2025-20333 is exploited.
A successful attack could lead to:
· Full compromise of the device
· Access to restricted URLs without authentication
· Disabling of security measures
The vulnerabilities CVE-2025-20333 and CVE-2025-20362 are reportedly being exploited by a sophisticated, nation-state actor: UAT4356, also known as STORM-1849. This actor was previously identified in the ArcaneDoor campaign targeting network perimeter equipment such as firewalls and VPN devices, with a specific focus on Cisco ASA and FTD.
Characteristics of this actor:
· In-depth knowledge of Cisco equipment
· Use of anti-forensic techniques to avoid detection
· Persistence - malware remains active after reboot or firmware updates
· Use of custom backdoors - Line Runner and Line Dancer - for configuration modification, network reconnaissance, data theft, and lateral movement
This combination of technical expertise and stealth makes the exploitation particularly risky for organizations with sensitive networks or critical infrastructure.
Advice
· Update immediately to a patched version of Cisco ASA or FTD Software.
· Check for Indicators of Compromise (IoC) as published by Cisco.
· Restrict access to VPN web interfaces to trusted networks.
· Actively monitor for anomalous behavior and unauthorized access attempts.
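The last two points of the advice (restricting the VPN web interface to trusted networks and monitoring for unauthorized access attempts) can be checked against the firewall's own syslog. The following is an added example written for this page, not code from Cisco or from the advisory: it parses syslog lines in the shape of the ASA 302013 "Built inbound TCP connection" message and reports every source that reached the VPN web port but is not in an allow-list of trusted client networks. The sample log lines, the addresses and the allow-list are constructed; the port and the field names are assumptions.

```python
"""Flag connections to an ASA/FTD VPN web interface from outside trusted networks.

Added example (not from the advisory or from Cisco). Sample lines, addresses
(RFC 5737 documentation ranges) and the trusted-network list are constructed.
"""
import ipaddress
import re

# Pattern modelled on the ASA 302013 "Built inbound TCP connection" message.
# Field names are our own; the interface name is taken up to the first colon.
BUILT_TCP = re.compile(
    r"%ASA-\d-302013: Built inbound TCP connection \d+ for "
    r"(?P<src_if>[^:\s]+):(?P<src_ip>[0-9a-fA-F.:]+)/(?P<src_port>\d+) \([^)]*\) to "
    r"(?P<dst_if>[^:\s]+):(?P<dst_ip>[0-9a-fA-F.:]+)/(?P<dst_port>\d+)"
)

# Port on which the VPN web server is assumed to listen (HTTPS default).
VPN_WEB_PORTS = {443}


def parse_built_connections(lines):
    """Yield (src_ip, dst_ip, dst_port) for every line matching the 302013 pattern."""
    for line in lines:
        m = BUILT_TCP.search(line)
        if m:
            yield (m["src_ip"], m["dst_ip"], int(m["dst_port"]))


def untrusted_vpn_web_sources(lines, trusted_networks):
    """Return sorted source IPs that hit a VPN web port from outside trusted_networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    hits = set()
    for src, _dst, dport in parse_built_connections(lines):
        if dport not in VPN_WEB_PORTS:
            continue  # not the VPN web interface
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in nets):
            hits.add(src)
    return sorted(hits)


# Constructed sample syslog lines: two hits on the VPN web port (one trusted,
# one not), one SSH connection, and an unrelated NAT message that must be ignored.
SAMPLE_LOGS = [
    "%ASA-6-302013: Built inbound TCP connection 4711 for outside:198.51.100.7/51234 "
    "(198.51.100.7/51234) to identity:203.0.113.1/443 (203.0.113.1/443)",
    "%ASA-6-302013: Built inbound TCP connection 4712 for outside:192.0.2.10/40222 "
    "(192.0.2.10/40222) to identity:203.0.113.1/443 (203.0.113.1/443)",
    "%ASA-6-302013: Built inbound TCP connection 4713 for outside:198.51.100.7/51240 "
    "(198.51.100.7/51240) to inside:10.0.0.5/22 (10.0.0.5/22)",
    "%ASA-6-305011: Built dynamic TCP translation from inside:10.0.0.9/5000 "
    "to outside:203.0.113.1/5000",
]

# Constructed allow-list: the only network whose clients should reach the VPN web UI.
TRUSTED = ["192.0.2.0/24"]

if __name__ == "__main__":
    for src in untrusted_vpn_web_sources(SAMPLE_LOGS, TRUSTED):
        print(f"VPN web interface reached from untrusted source {src}")
```

Run against real exports, every reported source is a connection that the restriction in the advice should have blocked; a non-empty result therefore indicates either an incomplete access restriction or an access attempt worth correlating with Cisco's published indicators.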
Sources
· CVE-2025-20333 - CVSS (v3) 9.9
· CVE-2025-20363 - CVSS (v3) 9.0
· CVE-2025-20362 - CVSS (v3) 6.5
· https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks
· https://sec.cloudapps.cisco.com/security/center/resources/detection_guide_for_continued_attacks