Urgent Cybersecurity Alert: Cisco Firewall Vulnerabilities Under Active Exploitation
Overview of the Situation
Recent alerts from the Australian Cyber Security Centre (ACSC) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have raised significant concerns regarding vulnerabilities in Cisco firewall devices. Cisco has confirmed that these vulnerabilities are currently being exploited, particularly affecting organizations within Australia.
Vulnerabilities Identified
Cisco has disclosed three notable vulnerabilities, two classified as critical and one as medium. The identification of these vulnerabilities has led to urgent warnings from cybersecurity agencies about the potential risks associated with Cisco’s ASA and Firepower devices.
Critical Vulnerabilities
- CVE-2025-20333: This critical flaw exists within the VPN web servers of both Cisco Secure Firewall Adaptive Security Appliance (ASA) software and Cisco Secure Firewall Threat Defense (FTD) software. It could allow an authenticated attacker to execute arbitrary code remotely, leading to significant security breaches.
- CVE-2025-20363: Similar to the previous vulnerability, this one also affects Cisco ASA software, FTD software, and various Cisco IOS versions. Successful exploitation could yield the same damaging outcome as CVE-2025-20333.
Medium Vulnerability
- CVE-2025-20362: This vulnerability is classified as medium and is found in the VPN web server of Cisco Secure Firewall ASA and FTD software. It could allow remote threat actors to access restricted URL endpoints, further compromising system integrity.
Active Exploitation and Threat Actor Behavior
According to Cisco, evidence suggests that threat actors are using the ROM monitor (ROMMON) to establish persistent access, even after device reboots. The analysis of compromised devices has revealed modifications to ROMMON allowing attackers to maintain their hold on the system across reboots and software updates. Notably, this kind of activity has been observed only on older Cisco ASA 5500-X Series platforms that predate the introduction of Secure Boot and Trust Anchor technologies. Importantly, no CVEs will be assigned for the lack of these technologies.
The Risk of Chaining Vulnerabilities
Cybersecurity analysts at Rapid7 have highlighted the potential for chaining two critical vulnerabilities to amplify the risk. CVE-2025-20333, while requiring valid VPN credentials for exploitation, could potentially be exploited without those credentials when paired with CVE-2025-20362, which does not require authentication. This possibility underscores the pressing need for organizations to take immediate action to protect their systems.
Affected Cisco Models
The following models in the Cisco ASA 5500-X Series have been identified as impacted by these vulnerabilities:
- 5512-X and 5515-X: End of support as of August 31, 2022.
- 5525-X, 5545-X, and 5555-X: Support continues until September 30, 2025.
- 5585-X: Support ended on May 31, 2023.
Recommendations for Organizations
In light of these vulnerabilities and the confirmed exploitation, the ACSC strongly advises all Australian organizations using the affected Cisco devices to follow Cisco’s remediation measures. Upgrading to supported device versions is crucial to mitigate the risk of attack.
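The model list above and the recommendation to move to supported versions together describe an inventory triage: devices already past end of support cannot receive a fix and must be retired, while still-supported devices should be remediated before their own support window closes. The following script is an added illustration of that triage, not code from Cisco, the ACSC, CISA or Rapid7; the end-of-support dates are the ones stated above, the hostnames and the unlisted "1120" model in the sample inventory are constructed, and it assumes a device counts as supported through its stated end-of-support date inclusive.

```python
from dataclasses import dataclass
from datetime import date

# End-of-support dates for the ASA 5500-X models named in the alert above.
END_OF_SUPPORT = {
    "5512-X": date(2022, 8, 31),
    "5515-X": date(2022, 8, 31),
    "5525-X": date(2025, 9, 30),
    "5545-X": date(2025, 9, 30),
    "5555-X": date(2025, 9, 30),
    "5585-X": date(2023, 5, 31),
}


@dataclass(frozen=True)
class Device:
    hostname: str   # constructed inventory value, not a real asset
    model: str      # e.g. "5525-X"


def support_status(model: str, as_of: date) -> str:
    """Classify a model's vendor-support state on a given date.

    Returns "unlisted" for models the alert does not name, so a caller never
    silently treats an unknown platform as safe.  Assumption: a model is
    supported through its end-of-support date inclusive.
    """
    eos = END_OF_SUPPORT.get(model)
    if eos is None:
        return "unlisted"
    return "end-of-support" if as_of > eos else "supported"


def triage(inventory: list[Device], as_of: date) -> dict[str, list[str]]:
    """Split an inventory into the actions the alert's recommendation implies.

    replace: listed models already past end of support; no fix will ship,
             so upgrading is not an option and the device must be retired.
    upgrade: listed models still supported; apply Cisco's remediation now.
    review:  models the alert does not list; check the vendor advisory.
    The alert ties ROMMON persistence to these older 5500-X platforms, so a
    reboot alone cannot be trusted to clear a compromise on any of them.
    """
    plan: dict[str, list[str]] = {"replace": [], "upgrade": [], "review": []}
    for dev in inventory:
        status = support_status(dev.model, as_of)
        if status == "end-of-support":
            plan["replace"].append(dev.hostname)
        elif status == "supported":
            plan["upgrade"].append(dev.hostname)
        else:
            plan["review"].append(dev.hostname)
    return plan


def upcoming_deadlines(as_of: date) -> list[tuple[str, int]]:
    """Listed models still supported on as_of, with days of support left,
    soonest deadline first.  Useful for ordering the upgrade backlog."""
    remaining = [
        (model, (eos - as_of).days)
        for model, eos in END_OF_SUPPORT.items()
        if as_of <= eos
    ]
    return sorted(remaining, key=lambda item: (item[1], item[0]))


# Constructed sample inventory; hostnames and the "1120" entry are made up.
SAMPLE_INVENTORY = [
    Device("fw-branch-01", "5512-X"),
    Device("fw-branch-02", "5525-X"),
    Device("fw-dc-01", "5585-X"),
    Device("fw-dc-02", "5555-X"),
    Device("fw-lab-01", "1120"),
]

if __name__ == "__main__":
    today = date(2025, 9, 25)
    for action, hosts in triage(SAMPLE_INVENTORY, today).items():
        print(f"{action:8s} {', '.join(hosts) or '-'}")
    for model, days in upcoming_deadlines(today):
        print(f"{model}: {days} day(s) of support remaining")
```

Run against a real inventory export, the "replace" list is the set of firewalls for which "follow Cisco's remediation measures" cannot mean a software update, and the deadline list shows how little time the remaining 5500-X models have before they join it.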
Conclusion
Organizations relying on Cisco ASA and Cisco Firepower devices must act swiftly to address these vulnerabilities. The guidance from cybersecurity agencies and Cisco’s recommendations for device upgrades are essential for safeguarding against potential exploitation. For more detailed information on the vulnerabilities and remediation measures, organizations are encouraged to refer to Cisco’s official communications.
For more on the ongoing situation and how to manage these risks effectively, it’s advisable to stay updated through official cybersecurity channels.