Cisco: Thousands of Firewalls Vulnerable, New Attack Vectors Observed
Attackers have found new ways to exploit security vulnerabilities in Cisco firewalls, known since the end of September. Thousands are vulnerable.
(Image: Anastasiia Skorobogatova/Shutterstock.com)
Since the end of September, attacks on three security vulnerabilities in Cisco's ASA and FTD firewalls have been known. Updates to close the vulnerabilities have been available since then. However, at the beginning of November, more than a thousand Cisco devices in Germany were still accessible and vulnerable online. Cisco now also reports that attackers are using new methods to exploit two of the three vulnerabilities.
On Wednesday, Cisco updated its warning about ongoing attacks on the security vulnerabilities in the VPN component of the firewalls. The manufacturer states that on that day it noticed a new attack variant targeting both vulnerabilities. The attacks can cause unpatched devices to restart unexpectedly, resulting in denial-of-service conditions. Cisco strongly recommends updating to the corrected software versions.
Current figures from the Shadowserver Foundation on vulnerable devices show many thousands worldwide. The USA leads with currently more than 13,500 vulnerable Cisco firewalls. Germany also stands out negatively, with currently 1160 vulnerable Cisco ASA and FTD firewalls. Since the beginning of October, administrators have applied security updates to fewer than half of the Cisco devices that were vulnerable at that time.
Three security vulnerabilities targeted by attackers
In total, Cisco reports three security vulnerabilities: The first allows authenticated attackers from the network to upload and execute arbitrary code on Cisco ASA and FTD firewalls (CVE-2025-20333, CVSS 9.9, risk “critical”). Cisco cites insufficient validation of HTTP(S) requests as the cause, which allows users with valid VPN credentials to carry out such attacks. The second vulnerability allows unauthenticated attackers (on Cisco ASA and FTD) and authenticated attackers with low privileges (on Cisco IOS, IOS XE, and IOS XR) to execute arbitrary code on affected devices; it is likewise caused by insufficient validation of HTTP requests (CVE-2025-20363, CVSS 9.0, risk “critical”). The third vulnerability allows unauthenticated attackers from the network to access restricted URL endpoints belonging to the VPN remote-access component (CVE-2025-20362, CVSS 6.5, risk “medium”).
The newly observed attack variants affect vulnerabilities CVE-2025-20333 and CVE-2025-20362. IT managers should take Cisco's warnings seriously and apply the available updates promptly.
(dmk)