Cisco Issues Warning on New Attack Variant Targeting Secure Firewall ASA and FTD Devices via CVE-2025-20333 and CVE-2025-20362

Cisco Warns of New DoS Attacks Actively Exploiting Firewall Flaws

CRITICAL
November 6, 2025
5m read
VulnerabilityCyberattackPatch Management

Related Entities

Organizations

Cisco CISA NCSC

Products & Tech

Cisco Secure Firewall Adaptive Security Appliance (ASA)Cisco Secure Firewall Threat Defense (FTD)

CVE Identifiers

MITRE ATT&CK Techniques

T1210Initial Access

Exploitation of Remote Services

T1499Impact

Endpoint Denial of Service

T1068Privilege Escalation

Exploitation for Privilege Escalation

Full Report

Executive Summary

On November 5, 2025, Cisco released an updated advisory warning of a new, active attack campaign targeting its Cisco Secure Firewall ASA and Secure Firewall FTD software. The attack leverages a chain of two vulnerabilities, CVE-2025-20333 and CVE-2025-20362, to trigger an unexpected reload of the device, resulting in a denial-of-service (DoS) condition. These vulnerabilities are not new; they were patched in September 2025 after being actively exploited as zero-days and were subsequently added to CISA's Known Exploited Vulnerabilities (KEV) catalog. The emergence of this new attack variant underscores the continued risk posed by these flaws to unpatched devices. Cisco is urging all customers to apply the necessary security updates without delay to mitigate the risk of network disruption.

Vulnerability Details

The new attack variant chains two distinct vulnerabilities to achieve its effect:

  • CVE-2025-20333: A buffer overflow vulnerability in the firewall's remote access VPN feature. While the current attack variant uses it for a DoS, a buffer overflow could potentially be leveraged for remote code execution (RCE) by a skilled attacker.
  • CVE-2025-20362: A missing authorization vulnerability that allows an unauthenticated, remote attacker to access restricted URLs on the device. This flaw likely serves as the entry point to reach the vulnerable code path for CVE-2025-20333.

By chaining these two flaws, an attacker can send a specially crafted request to an unpatched firewall, causing the system to crash and reload, thereby denying service to all traffic passing through it.

Affected Systems

The vulnerabilities affect the following Cisco products running vulnerable software versions:

  • Cisco Secure Firewall Adaptive Security Appliance (ASA) Software
  • Cisco Secure Firewall Threat Defense (FTD) Software

Customers should consult the official Cisco advisory for a complete list of affected versions and the corresponding fixed software releases.

Exploitation Status

These vulnerabilities are being actively exploited in the wild. They have a history of exploitation, having been used as zero-days in September 2025 by sophisticated actors to deliver malware such as RayInitiator and LINE VIPER, according to the UK's NCSC. Their inclusion in the CISA KEV catalog highlights their proven risk. This new DoS attack variant demonstrates that multiple threat actors are now weaponizing these flaws, increasing the likelihood of attacks against any organization with unpatched devices.

Impact Assessment

  • Denial-of-Service (DoS): The immediate and confirmed impact is a DoS condition. As firewalls are typically in-line devices that control all network traffic, a crash can lead to a complete network outage for an organization, disrupting all business operations.
  • Potential for Remote Code Execution: While the current campaign is focused on DoS, the underlying buffer overflow vulnerability (CVE-2025-20333) suggests that RCE may be possible. A successful RCE attack on a perimeter firewall would be catastrophic, giving an attacker a powerful foothold on the edge of the network.
  • Reputational Damage: Network outages can damage an organization's reputation and violate service-level agreements (SLAs) with customers.

Cyber Observables for Detection

Type
log_source
Value
Cisco ASA/FTD System Logs
Description
Look for log messages indicating an unexpected system reload or crash.
Context
Monitor device syslog for crash reports or reboot messages that are not associated with planned maintenance.
Confidence
high
Type
network_traffic_pattern
Value
Inbound requests to unusual or restricted URLs on the firewall's management interface.
Description
Exploitation of CVE-2025-20362 involves accessing URLs that should not be publicly accessible.
Context
Analyze web server logs on the firewall or use an IDS/IPS with signatures for this CVE.
Confidence
medium
Type
other
Value
show crashinfo command output
Description
The output of this command on an affected device will contain information about the crash, which can be analyzed to confirm the exploit.
Context
Run this command on the device's CLI after an unexpected reload.
Confidence
high

Detection Methods

  1. Vulnerability Scanning: Use a vulnerability scanner with up-to-date plugins to actively scan for Cisco ASA/FTD devices in your environment and identify those running vulnerable software versions.
  2. Log Monitoring: Configure all Cisco firewall devices to send logs to a central SIEM. Create alerting rules for unexpected device reloads and for access attempts to known-vulnerable URL paths.
  3. Intrusion Detection/Prevention Systems (IDS/IPS): Ensure your IDS/IPS has the latest signatures from Cisco or third-party vendors to detect and potentially block exploit attempts targeting CVE-2025-20333 and CVE-2025-20362. This aligns with D3-ITF: Inbound Traffic Filtering.

Remediation Steps

  1. Upgrade Software: The most critical step is to upgrade all vulnerable Cisco Secure Firewall ASA and FTD devices to a fixed software release as recommended in the Cisco security advisory. This is the only way to fully remediate the vulnerabilities. This is a direct application of D3-SU: Software Update.
  2. Restrict Access: As a temporary mitigation, restrict access to the firewall's management interface and any remote access VPN services to only trusted IP addresses. This reduces the attack surface but does not eliminate the vulnerability.
  3. Verify Upgrade: After applying the patches, verify that the devices are running the correct, non-vulnerable software version and monitor them for stability.

Timeline of Events

1
September 1, 2025
CVE-2025-20333 and CVE-2025-20362 were originally disclosed and patched after being exploited as zero-days.
2
November 5, 2025
Cisco issues an updated advisory warning of a new attack variant actively exploiting the two vulnerabilities to cause a DoS condition.
3
November 6, 2025
This article was published

MITRE ATT&CK Mitigations

Update Software

M1051enterprise

The only definitive mitigation is to upgrade vulnerable Cisco ASA and FTD devices to a fixed software version provided by Cisco.

Mapped D3FEND Techniques:

D3-SU

Network Intrusion Prevention

M1031enterprise

Use an IDS/IPS with up-to-date signatures to detect and block traffic matching the known exploit patterns for these CVEs.

Mapped D3FEND Techniques:

D3-ITF

Limit Access to Resource Over Network

M1035enterprise

As a temporary measure, restrict access to the firewall's management and VPN interfaces to only trusted IP ranges to reduce the attack surface.

D3FEND Defensive Countermeasures

Software Update

D3-SUMaps to MITREM1051
D3FEND

Given the active exploitation of CVE-2025-20333 and CVE-2025-20362 on critical network infrastructure, the immediate and highest-priority action is Software Update. Organizations must treat this as an emergency change. Use network management and vulnerability scanning tools to rapidly identify all Cisco Secure Firewall ASA and FTD appliances in the environment. Compare their current software versions against the patched versions listed in Cisco's security advisory. Prioritize patching for internet-facing firewalls first, as they are the most exposed. Then, proceed with patching internal firewalls. The change management process should be expedited to allow for out-of-band patching. After deployment, the operational status of the firewalls must be verified to ensure the update was successful and has not negatively impacted network traffic. Because these vulnerabilities are on CISA's KEV list, this is not a routine update; it is a critical remediation to prevent a confirmed, active threat.

Inbound Traffic Filtering

D3-ITFMaps to MITREM1031
D3FEND

While patching is the ultimate solution, Inbound Traffic Filtering can serve as a valuable compensating control or an additional layer of defense. If an organization has an Intrusion Prevention System (IPS) deployed in front of its Cisco firewalls, security teams must ensure it has the latest signature packs that include rules to detect and block exploit attempts for CVE-2025-20333 and CVE-2025-20362. Additionally, as a temporary measure before patching can be completed, access control lists (ACLs) on upstream routers or the firewalls themselves should be configured to strictly limit access to the device's management interface and VPN endpoints. This access should be restricted to a small, well-defined set of trusted IP addresses belonging to security and network administration staff. This reduces the attack surface by preventing attackers from the wider internet from reaching the vulnerable services, though it does not protect against an attack originating from a trusted, but compromised, source.

Timeline of Events

1
September 1, 2025

CVE-2025-20333 and CVE-2025-20362 were originally disclosed and patched after being exploited as zero-days.

2
November 5, 2025

Cisco issues an updated advisory warning of a new attack variant actively exploiting the two vulnerabilities to cause a DoS condition.

Sources & References

Cisco Warns of New Firewall Attack Exploiting CVE-2025-20333 and CVE-2025-20362
The Hacker NewsNovember 6, 2025
Cisco became aware of a new attack variant against Secure Firewall ASA and FTD devices
Security AffairsNovember 6, 2025
H-ISAC TLP White Vulnerability Advisory: New Attack Variant Targeting Cisco Secure Firewalls
American Hospital AssociationNovember 6, 2025

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)
LinkedIn

Tags

CiscoFirewallDoSVulnerabilityCVE-2025-20333CVE-2025-20362KEVZero-Day

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.