Cisco Warns of New DoS Attacks Actively Exploiting Firewall Flaws

Cisco Issues Warning on New Attack Variant Targeting Secure Firewall ASA and FTD Devices via CVE-2025-20333 and CVE-2025-20362

CRITICAL
November 6, 2025
5m read
Vulnerability, Cyberattack, Patch Management

Related Entities

Products & Tech

  • Cisco Secure Firewall Adaptive Security Appliance (ASA)
  • Cisco Secure Firewall Threat Defense (FTD)

CVE Identifiers

  • CVE-2025-20333
  • CVE-2025-20362

Full Report

Executive Summary

On November 5, 2025, Cisco released an updated advisory warning of a new, active attack campaign targeting its Cisco Secure Firewall ASA and Secure Firewall FTD software. The attack leverages a chain of two vulnerabilities, CVE-2025-20333 and CVE-2025-20362, to trigger an unexpected reload of the device, resulting in a denial-of-service (DoS) condition. These vulnerabilities are not new; they were patched in September 2025 after being actively exploited as zero-days and were subsequently added to CISA's Known Exploited Vulnerabilities (KEV) catalog. The emergence of this new attack variant underscores the continued risk posed by these flaws to unpatched devices. Cisco is urging all customers to apply the necessary security updates without delay to mitigate the risk of network disruption.


Vulnerability Details

The new attack variant chains two distinct vulnerabilities to achieve its effect:

  • CVE-2025-20333: A buffer overflow vulnerability in the firewall's remote access VPN feature. While the current attack variant uses it for a DoS, a buffer overflow could potentially be leveraged for remote code execution (RCE) by a skilled attacker.
  • CVE-2025-20362: A missing authorization vulnerability that allows an unauthenticated, remote attacker to access restricted URLs on the device. This flaw likely serves as the entry point to reach the vulnerable code path for CVE-2025-20333.

By chaining these two flaws, an attacker can send a specially crafted request to an unpatched firewall, causing the system to crash and reload, thereby denying service to all traffic passing through it.

Affected Systems

The vulnerabilities affect the following Cisco products running vulnerable software versions:

  • Cisco Secure Firewall Adaptive Security Appliance (ASA) Software
  • Cisco Secure Firewall Threat Defense (FTD) Software

Customers should consult the official Cisco advisory for a complete list of affected versions and the corresponding fixed software releases.

Exploitation Status

These vulnerabilities are being actively exploited in the wild. They have a history of exploitation, having been used as zero-days in September 2025 by sophisticated actors to deliver malware such as RayInitiator and LINE VIPER, according to the UK's NCSC. Their inclusion in the CISA KEV catalog highlights their proven risk. This new DoS attack variant demonstrates that multiple threat actors are now weaponizing these flaws, increasing the likelihood of attacks against any organization with unpatched devices.

Impact Assessment

  • Denial-of-Service (DoS): The immediate and confirmed impact is a DoS condition. As firewalls are typically in-line devices that control all network traffic, a crash can lead to a complete network outage for an organization, disrupting all business operations.
  • Potential for Remote Code Execution: While the current campaign is focused on DoS, the underlying buffer overflow vulnerability (CVE-2025-20333) suggests that RCE may be possible. A successful RCE attack on a perimeter firewall would be catastrophic, giving an attacker a powerful foothold on the edge of the network.
  • Reputational Damage: Network outages can damage an organization's reputation and violate service-level agreements (SLAs) with customers.

Cyber Observables for Detection

Type: log_source
Value: Cisco ASA/FTD System Logs
Description: Look for log messages indicating an unexpected system reload or crash.
Context: Monitor device syslog for crash reports or reboot messages that are not associated with planned maintenance.
Confidence: high

Type: network_traffic_pattern
Value: Inbound requests to unusual or restricted URLs on the firewall's management interface.
Description: Exploitation of CVE-2025-20362 involves accessing URLs that should not be publicly accessible.
Context: Analyze web server logs on the firewall or use an IDS/IPS with signatures for this CVE.
Confidence: medium

Type: other
Value: show crashinfo command output
Description: The output of this command on an affected device will contain information about the crash, which can be analyzed to confirm the exploit.
Context: Run this command on the device's CLI after an unexpected reload.
Confidence: high

Detection Methods

  1. Vulnerability Scanning: Use a vulnerability scanner with up-to-date plugins to actively scan for Cisco ASA/FTD devices in your environment and identify those running vulnerable software versions.
  2. Log Monitoring: Configure all Cisco firewall devices to send logs to a central SIEM. Create alerting rules for unexpected device reloads and for access attempts to known-vulnerable URL paths.
  3. Intrusion Detection/Prevention Systems (IDS/IPS): Ensure your IDS/IPS has the latest signatures from Cisco or third-party vendors to detect and potentially block exploit attempts targeting CVE-2025-20333 and CVE-2025-20362. This aligns with D3-ITF: Inbound Traffic Filtering.
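As an added example (not part of the original article and not Cisco tooling), the following Python implements the two alerting rules called for by the observables table and the log-monitoring step above: an unexpected-reload detector over ASA syslog, and a check for requests to restricted paths in the firewall's web access log that come from outside the trusted administrator range. The syslog message IDs 111008 (operator ran `reload`) and 199002 (startup completed) are real ASA IDs; the log lines, hostnames, the restricted path prefix and the trusted range are constructed placeholders, since the article does not list the actual restricted URLs.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample syslog, not captured from a real device. Message IDs
# 111008 (an operator ran 'reload') and 199002 (startup completed after boot)
# are real ASA syslog IDs; hostnames, users and timestamps are made up.
SAMPLE_SYSLOG = """\
Nov 05 2025 10:02:11 fw-edge-1 %ASA-5-111008: User 'netops' executed the 'reload' command.
Nov 05 2025 10:05:40 fw-edge-1 %ASA-6-199002: Startup completed. Beginning operation.
Nov 05 2025 14:31:07 fw-edge-2 %ASA-6-199002: Startup completed. Beginning operation.
Nov 06 2025 02:12:09 fw-edge-1 %ASA-6-199002: Startup completed. Beginning operation.
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%ASA-\d-(?P<msgid>\d{6}): (?P<text>.*)$"
)
MSG_OPERATOR_RELOAD = "111008"
MSG_STARTUP_COMPLETED = "199002"


def parse_syslog(text):
    """Yield (timestamp, host, msgid, text) for each well-formed syslog line."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the expected layout
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        yield ts, m["host"], m["msgid"], m["text"]


def find_unexpected_reloads(text, grace=timedelta(minutes=15)):
    """Return [(host, startup_time)] for reboots with no preceding operator reload.

    A 'startup completed' message counts as planned only if the same host logged
    an operator-issued 'reload' within `grace` before it. Anything else (no
    reload command at all, or one too long ago) is flagged as unexpected, which
    is the observable the advisory says to alert on.
    """
    last_operator_reload = {}
    unexpected = []
    for ts, host, msgid, _ in parse_syslog(text):
        if msgid == MSG_OPERATOR_RELOAD:
            last_operator_reload[host] = ts
        elif msgid == MSG_STARTUP_COMPLETED:
            planned = last_operator_reload.get(host)
            if planned is None or ts - planned > grace:
                unexpected.append((host, ts))
    return unexpected


# Constructed web-access records in a generic "src_ip method path status" form.
# The article does not list the restricted paths, so the prefix below is a
# placeholder to be replaced with the paths from Cisco's advisory/IDS signatures.
SAMPLE_ACCESS_LOG = """\
198.51.100.7 GET /PLACEHOLDER-RESTRICTED/example 200
203.0.113.10 GET /PLACEHOLDER-RESTRICTED/example 200
198.51.100.7 GET /favicon.ico 404
"""
RESTRICTED_PREFIXES = ("/PLACEHOLDER-RESTRICTED/",)
# Placeholder admin range; replace with the organisation's real trusted ranges.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("203.0.113.0/24")]

ACCESS_RE = re.compile(r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def find_restricted_url_access(text, restricted=RESTRICTED_PREFIXES,
                               trusted=TRUSTED_ADMIN_NETS):
    """Return [(src_ip, path)] for restricted-path requests from untrusted sources."""
    hits = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        if not m["path"].startswith(restricted):
            continue
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in trusted):
            continue  # administrator traffic from an allowlisted range is expected
        hits.append((m["src"], m["path"]))
    return hits


if __name__ == "__main__":
    for host, when in find_unexpected_reloads(SAMPLE_SYSLOG):
        print(f"ALERT unexpected reload: {host} at {when}")
    for src, path in find_restricted_url_access(SAMPLE_ACCESS_LOG):
        print(f"ALERT restricted path from untrusted source: {src} {path}")
```

The reload rule deliberately keys on the absence of an operator `reload` rather than on a crash-specific message, because a device that crashes and reboots may lose the messages written just before the crash; the post-boot startup message is the one record that reliably survives. Pair an alert from either function with `show crashinfo` on the device to confirm.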

Remediation Steps

  1. Upgrade Software: The most critical step is to upgrade all vulnerable Cisco Secure Firewall ASA and FTD devices to a fixed software release as recommended in the Cisco security advisory. This is the only way to fully remediate the vulnerabilities. This is a direct application of D3-SU: Software Update.
  2. Restrict Access: As a temporary mitigation, restrict access to the firewall's management interface and any remote access VPN services to only trusted IP addresses. This reduces the attack surface but does not eliminate the vulnerability.
  3. Verify Upgrade: After applying the patches, verify that the devices are running the correct, non-vulnerable software version and monitor them for stability.

Timeline of Events

  1. September 1, 2025: CVE-2025-20333 and CVE-2025-20362 were originally disclosed and patched after being exploited as zero-days.
  2. November 5, 2025: Cisco issues an updated advisory warning of a new attack variant actively exploiting the two vulnerabilities to cause a DoS condition.
  3. November 6, 2025: This article was published.

MITRE ATT&CK Mitigations

  • The only definitive mitigation is to upgrade vulnerable Cisco ASA and FTD devices to a fixed software version provided by Cisco. Mapped D3FEND technique: D3-SU: Software Update.
  • Use an IDS/IPS with up-to-date signatures to detect and block traffic matching the known exploit patterns for these CVEs. Mapped D3FEND technique: D3-ITF: Inbound Traffic Filtering.
  • As a temporary measure, restrict access to the firewall's management and VPN interfaces to only trusted IP ranges to reduce the attack surface. Mapped D3FEND technique: D3-ITF: Inbound Traffic Filtering.

D3FEND Defensive Countermeasures

Given the active exploitation of CVE-2025-20333 and CVE-2025-20362 on critical network infrastructure, the immediate and highest-priority action is Software Update. Organizations must treat this as an emergency change. Use network management and vulnerability scanning tools to rapidly identify all Cisco Secure Firewall ASA and FTD appliances in the environment. Compare their current software versions against the patched versions listed in Cisco's security advisory. Prioritize patching for internet-facing firewalls first, as they are the most exposed. Then, proceed with patching internal firewalls. The change management process should be expedited to allow for out-of-band patching. After deployment, the operational status of the firewalls must be verified to ensure the update was successful and has not negatively impacted network traffic. Because these vulnerabilities are on CISA's KEV list, this is not a routine update; it is a critical remediation to prevent a confirmed, active threat.
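The remediation steps and the paragraph above both come down to one check: compare each appliance's running version with the first fixed release for its release train, and treat any train the advisory does not cover as unresolved rather than as safe. The following Python is an added example, not the article's or Cisco's code; the inventory and the fixed-release table are constructed placeholders, because the article does not reproduce the fixed versions and they must be taken from Cisco's advisory.

```python
import re

# PLACEHOLDER fixed-release table keyed by product and release train. These
# numbers are made up for the example and are NOT the real fixed releases;
# fill them from Cisco's advisory for CVE-2025-20333 / CVE-2025-20362.
FIXED_BY_TRAIN = {
    "ASA": {"9.16": "9.16(4)999", "9.20": "9.20(3)999"},
    "FTD": {"7.4": "7.4.999"},
}

# Constructed inventory of (hostname, product, running version); not real data.
SAMPLE_INVENTORY = [
    ("fw-edge-1", "ASA", "9.16(4)67"),
    ("fw-edge-2", "ASA", "9.20(3)999"),
    ("fw-dc-1", "FTD", "7.4.2.1"),
    ("fw-lab-1", "ASA", "9.12(4)"),
]


def version_key(version):
    """Turn '9.16(4)67' (ASA) or '7.4.2.1' (FTD) into a comparable tuple of ints.

    Tuple comparison handles the interim-build case naturally: a base release
    such as 9.16(4) -> (9, 16, 4) sorts before 9.16(4)67 -> (9, 16, 4, 67).
    """
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    if len(parts) < 2:
        raise ValueError(f"unrecognised version string: {version!r}")
    return parts


def train_of(version):
    """Release train is the first two numeric components, e.g. '9.16'."""
    k = version_key(version)
    return f"{k[0]}.{k[1]}"


def assess(product, version, fixed_table=FIXED_BY_TRAIN):
    """Return 'fixed', 'vulnerable' or 'unknown-train' for one device.

    'unknown-train' means the advisory table has no entry for this train; the
    device may be on a train with no fix available, so it must be reviewed by
    hand against the advisory rather than silently passed.
    """
    fixed = fixed_table.get(product, {}).get(train_of(version))
    if fixed is None:
        return "unknown-train"
    return "fixed" if version_key(version) >= version_key(fixed) else "vulnerable"


def triage(inventory, fixed_table=FIXED_BY_TRAIN):
    """Map every hostname to its status; nothing is dropped from the result."""
    return {host: assess(prod, ver, fixed_table) for host, prod, ver in inventory}


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:12} {status}")
```

Running this after the upgrade window is the "Verify Upgrade" step: a host that still reports `vulnerable` or `unknown-train` has not been remediated, whatever the change ticket says.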

While patching is the ultimate solution, Inbound Traffic Filtering can serve as a valuable compensating control or an additional layer of defense. If an organization has an Intrusion Prevention System (IPS) deployed in front of its Cisco firewalls, security teams must ensure it has the latest signature packs that include rules to detect and block exploit attempts for CVE-2025-20333 and CVE-2025-20362. Additionally, as a temporary measure before patching can be completed, access control lists (ACLs) on upstream routers or the firewalls themselves should be configured to strictly limit access to the device's management interface and VPN endpoints. This access should be restricted to a small, well-defined set of trusted IP addresses belonging to security and network administration staff. This reduces the attack surface by preventing attackers from the wider internet from reaching the vulnerable services, though it does not protect against an attack originating from a trusted, but compromised, source.

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

  • Threat Intelligence & Analysis
  • Security Orchestration (SOAR/XSOAR)
  • Incident Response & Digital Forensics
  • Security Operations Center (SOC)
  • SIEM & Security Analytics
  • Cyber Fusion & Threat Sharing
  • Security Automation & Integration
  • Managed Detection & Response (MDR)

Tags

Cisco, Firewall, DoS, Vulnerability, CVE-2025-20333, CVE-2025-20362, KEV, Zero-Day
