Executive Summary

On November 5, 2025, Cisco disclosed a new wave of attacks exploiting two known vulnerabilities, CVE-2025-20333 and CVE-2025-20362, in its Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) software. This new variant causes a persistent denial-of-service (DoS) condition by forcing unpatched devices into a continuous reload cycle. These vulnerabilities have been actively exploited by advanced threat actors since at least May 2025, leading to full system compromise, malware deployment, and data exfiltration in targeted networks, including a confirmed breach of a U.S. government agency. Despite patches being available since September 2025, many devices remain vulnerable. Cisco, alongside CISA and the UK's NCSC, is urging all customers to patch immediately, as no alternative mitigations are effective.

Threat Overview

The latest attack campaign leverages a new variant to trigger a device reload on unpatched Cisco ASA and Cisco FTD firewalls. The core of the issue lies in CVE-2025-20333, a critical vulnerability resulting from insufficient input validation in the VPN web server. An authenticated attacker can exploit this flaw by sending a specially crafted HTTP/S request to the device, leading to arbitrary code execution with root privileges.

This is not a new threat, but an evolution of an ongoing campaign. Exploitation was first observed in May 2025, prompting patches in September 2025. Following the patch release, CISA and the NCSC issued a joint advisory about active exploitation by an advanced threat actor. These actors have demonstrated sophistication, using their access to deploy malware, exfiltrate data, and cover their tracks by disabling logging and intentionally crashing devices to hinder forensic analysis.

Technical Analysis

The attack chain primarily focuses on exploiting CVE-2025-20333. While authentication is a prerequisite, threat actors can gain it through various means, including credential stuffing, phishing, or exploiting other vulnerabilities.

TTPs (Tactics, Techniques, and Procedures)

• Initial Access: T1190 - Exploit Public-Facing Application: The attackers target the web-based management interface and VPN functionalities of the Cisco firewalls, which are by nature internet-facing.
• Execution: T1203 - Exploitation for Client Execution: The crafted HTTP/S request triggers the vulnerability, leading to code execution on the underlying operating system.
• Privilege Escalation: T1068 - Exploitation for Privilege Escalation: The vulnerability allows the attacker to gain root-level privileges, granting complete control over the device.
• Defense Evasion: T1562.001 - Disable or Modify Tools: Threat actors were observed disabling logging mechanisms to hide their activity. T1070.001 - Clear Windows Event Logs (or equivalent on the appliance) is a related technique. They also intercepted CLI commands to evade detection by administrators.
• Impact: T1499 - Endpoint Denial of Service: The new attack variant specifically causes the device to reload repeatedly, resulting in a persistent DoS condition. The original attacks also involved T1486 - Data Encrypted for Impact and T1565.001 - Data Transfer Size Limits for exfiltration.

Impact Assessment

The impact of this attack is severe. A successful DoS attack on a perimeter firewall can completely sever an organization's internet connectivity, disrupting all external and cloud-based services, remote access for employees, and business-to-business communications. For organizations that have not patched, the risk of full system compromise remains. An attacker with root access to a firewall can pivot into the internal network, intercept traffic, disable security controls, and establish persistent access. The compromise of a US government agency underscores the high-stakes nature of this threat. Recovery from a DoS loop requires manual intervention and patching, leading to significant downtime.

Cyber Observables for Detection

Security teams should proactively hunt for signs of compromise or attempted exploitation:

Detection & Response

• Log Analysis: Scrutinize web server, VPN, and system logs on ASA/FTD devices for anomalous HTTP/S requests, especially those targeting the VPN portal. Look for unexpected reboots with no corresponding administrative action. Use a SIEM to correlate login events with subsequent configuration changes or suspicious outbound traffic. D3FEND Technique: D3-NTA: Network Traffic Analysis.
• Configuration Audits: Regularly audit firewall configurations for any unauthorized changes, particularly focusing on VPN settings, access control lists (ACLs), and user accounts. Compare current configurations against a known-good baseline. D3FEND Technique: D3-SFA: System File Analysis.
• Integrity Monitoring: Implement file and configuration integrity monitoring on the devices to detect unauthorized modifications to system files or configurations.

Mitigation

CRITICAL: The only effective mitigation is to apply the security patches provided by Cisco. There are no workarounds.

1. Immediate Patching: Upgrade Cisco ASA software to version 9.18.4.19 or later and FTD software to version 7.4.2 or later. Prioritize internet-facing devices. D3FEND Technique: D3-SU: Software Update.
2. Restrict Access: Limit access to the firewall's management interface to a dedicated and secured management network. Do not expose the management interface to the internet. D3FEND Technique: D3-NI: Network Isolation.
3. Network Segmentation: Implement network segmentation to limit the potential blast radius should a perimeter device be compromised. This prevents attackers from easily moving laterally into critical internal zones. D3FEND Technique: D3-BDI: Broadcast Domain Isolation.
4. Multi-Factor Authentication (MFA): Enforce MFA for all administrative access to network devices, including firewalls, to protect against credential compromise. D3FEND Technique: D3-MFA: Multi-factor Authentication.