Over **48,800 internet-exposed Cisco Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) devices** remain vulnerable to two critical flaws (**CVE-2025-20333** and **CVE-2025-20362**), enabling **remote, unauthenticated arbitrary code execution** and unauthorized access to VPN endpoints. Exploitation began **before patches were available**, with threat actors deploying **shellcode loaders (Line Viper)** and **GRUB bootkits (RayInitiator)**. The U.S. **CISA issued an emergency directive**, mandating federal agencies to patch or disconnect affected devices within **24 hours**, while the **U.K.’s NCSC** confirmed active attacks. Despite warnings since **late August**, most exposed devices—primarily in the **U.S., U.K., Japan, and Germany**—remain unpatched, risking **full system compromise, lateral movement, and data exfiltration**. The lack of workarounds exacerbates the threat, leaving organizations vulnerable to **persistent access, malware deployment, and potential supply-chain attacks** if breached devices are used to pivot into corporate networks.
TPRM report: https://www.rankiteo.com/company/cisco
{
  "id": "cis0692106093025",
  "linkid": "cisco",
  "type": "Vulnerability",
  "date": "8/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{
    'affected_entities': [
        {
            'customers_affected': '50,000+ (exposed ASA/FTD appliances)',
            'industry': 'Networking and Cybersecurity',
            'location': 'Global',
            'name': 'Cisco Systems, Inc.',
            'size': 'Large Enterprise',
            'type': 'Technology Vendor',
        },
        {
            'industry': 'Public Sector',
            'location': 'United States',
            'name': 'Federal Civilian Executive Branch (FCEB) Agencies (U.S.)',
            'type': 'Government',
        },
        {
            'industry': 'Multiple',
            'location': [
                'United States (19,200+ endpoints)',
                'United Kingdom (2,800)',
                'Japan (2,300)',
                'Germany (2,200)',
                'Russia (2,100)',
                'Canada (1,500)',
                'Denmark (1,200)',
            ],
            'name': 'Organizations Using Cisco ASA/FTD (Global)',
            'type': ['Private Sector', 'Public Sector', 'Critical Infrastructure'],
        },
    ],
    'attack_vector': [
        'Remote Code Execution (RCE)',
        'Unauthenticated Access to VPN Endpoints',
        'Crafted HTTP Requests',
    ],
    'customer_advisories': [
        'Apply Patches Immediately',
        'Monitor for Indicators of Compromise (IoCs)',
        'Review VPN Access Logs for Unauthorized Activity',
    ],
    'date_detected': '2024-08-01',
    'date_publicly_disclosed': '2024-09-25',
    'description': (
        'Roughly 50,000 Cisco Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) '
        'appliances exposed on the public web are vulnerable to two actively exploited '
        'vulnerabilities (CVE-2025-20333 and CVE-2025-20362). '
        'These flaws enable arbitrary code execution and unauthorized access to restricted VPN endpoints. '
        'Exploitation began before patches were available, with no workarounds existing. '
        'Over 48,800 internet-exposed instances remain unpatched as of September 29, 2024. '
        "Threat actors have deployed malware such as 'Line Viper' (shellcode loader) and "
        "'RayInitiator' (GRUB bootkit). "
        'CISA issued an emergency directive mandating federal agencies to patch or disconnect '
        'affected devices within 24 hours.'
    ),
    'impact': {
        'brand_reputation_impact': [
            'Potential Erosion of Trust in Cisco Security Products',
            'Regulatory Scrutiny',
        ],
        'legal_liabilities': [
            'Non-Compliance with CISA Emergency Directive for Federal Agencies',
            'Potential Violations of Data Protection Laws',
        ],
        'operational_impact': [
            'Potential Unauthorized VPN Access',
            'Malware Infection (Line Viper, RayInitiator)',
            'Risk of Lateral Movement',
        ],
        'systems_affected': '50,000 (48,800 confirmed unpatched as of 2024-09-29)',
    },
    'initial_access_broker': {
        'backdoors_established': [
            'Line Viper (Shellcode Loader)',
            'RayInitiator (GRUB Bootkit)',
        ],
        'entry_point': [
            'Exposed VPN Web Interfaces',
            'Crafted HTTP Requests Targeting CVE-2025-20333/CVE-2025-20362',
        ],
        'high_value_targets': [
            'Federal Agencies (FCEB)',
            'Critical Infrastructure',
            'Enterprises with Sensitive Data',
        ],
        'reconnaissance_period': 'Late August 2024 (Greynoise Scans)',
    },
    'investigation_status': 'Ongoing (Active Exploitation Confirmed; Patching Underway)',
    'lessons_learned': [
        'Proactive Patching is Critical for Zero-Day Vulnerabilities',
        'Exposed VPN Interfaces Are High-Risk Targets',
        'Federal Directives Can Accelerate Response in Critical Infrastructure',
        'Threat Intelligence Sharing (e.g., Shadowserver, Greynoise) Provides Early Warnings',
    ],
    'motivation': [
        'Opportunistic Exploitation',
        'Potential Data Theft',
        'Malware Distribution',
    ],
    'post_incident_analysis': {
        'corrective_actions': [
            'Mandatory Patching Enforcement (e.g., CISA Directive)',
            'Network Segmentation for VPN Access Points',
            'Enhanced Threat Detection for Malware (Line Viper, RayInitiator)',
            'Accelerated End-of-Support (EoS) Device Replacement',
        ],
        'root_causes': [
            'Delayed Patching of Zero-Day Vulnerabilities',
            'Over-Exposure of VPN Interfaces to the Public Internet',
            'Lack of Temporary Mitigations (No Workarounds Available)',
            'Insufficient Monitoring for Early Indicators of Exploitation',
        ],
    },
    'recommendations': [
        'Immediately Patch CVE-2025-20333 and CVE-2025-20362 on All Cisco ASA/FTD Devices',
        'Restrict Public Exposure of VPN Web Interfaces',
        'Deploy Enhanced Monitoring for Suspicious HTTP Requests and VPN Logins',
        'Disconnect End-of-Support (EoS) Devices from Networks',
        'Follow CISA and NCSC Guidelines for Hardening Network Perimeters',
        "Conduct Threat Hunting for 'Line Viper' and 'RayInitiator' Malware",
    ],
    'references': [
        {
            'date_accessed': '2024-09-25',
            'source': 'Cisco Security Advisory (CVE-2025-20333)',
            'url': '[1]',
        },
        {
            'date_accessed': '2024-09-25',
            'source': 'Cisco Security Advisory (CVE-2025-20362)',
            'url': '[2]',
        },
        {
            'date_accessed': '2024-09-29',
            'source': 'The Shadowserver Foundation - Vulnerable Cisco ASA/FTD Scan Report',
        },
        {
            'date_accessed': '2024-09-25',
            'source': 'CISA Emergency Directive on Cisco ASA/FTD Vulnerabilities',
        },
        {
            'date_accessed': '2024-09-29',
            'source': 'UK NCSC Threat Report on Line Viper and RayInitiator Malware',
        },
        {
            'date_accessed': '2024-09-04',
            'source': 'Greynoise - Early Warning on Cisco ASA Scans',
        },
    ],
    'regulatory_compliance': {
        'regulations_violated': [
            'CISA Emergency Directive (Non-Compliance Risk for Federal Agencies)',
        ],
        'regulatory_notifications': [
            'CISA Mandate for Federal Agencies',
            'NCSC (UK) Advisory',
        ],
    },
    'response': {
        'communication_strategy': [
            'Cisco Security Advisories [1, 2]',
            'CISA Emergency Directive',
            'NCSC Threat Report',
        ],
        'containment_measures': [
            'Restrict VPN Web Interface Exposure',
            'Disconnect End-of-Support (EoS) ASA Devices',
            'Increase Logging/Monitoring for Suspicious VPN Logins',
        ],
        'enhanced_monitoring': [
            'Monitor for Crafted HTTP Requests',
            'Track Suspicious VPN Logins',
        ],
        'incident_response_plan_activated': [
            'Cisco Security Advisory (2024-09-25)',
            'CISA Emergency Directive (24-hour patching mandate)',
            'NCSC (UK) Threat Report',
        ],
        'remediation_measures': [
            'Apply Cisco Patches for CVE-2025-20333 and CVE-2025-20362',
            'Follow Cisco Hardening Guidelines',
        ],
        'third_party_assistance': [
            'The Shadowserver Foundation (Threat Monitoring)',
            'Greynoise (Early Warning Scans)',
        ],
    },
    'stakeholder_advisories': [
        'Cisco Customers',
        'Federal Civilian Executive Branch (FCEB) Agencies',
        'Global Organizations Using Cisco ASA/FTD',
    ],
    'title': 'Active Exploitation of Cisco ASA and FTD Vulnerabilities (CVE-2025-20333, CVE-2025-20362)',
    'type': [
        'Vulnerability Exploitation',
        'Unauthorized Access',
        'Malware Deployment',
    ],
    'vulnerability_exploited': ['CVE-2025-20333', 'CVE-2025-20362'],
}