Roughly 50,000 Cisco Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) devices exposed online remain vulnerable to two flaws that hackers are currently exploiting.
Active Exploitation and Vulnerability Details
The two flaws, tracked as CVE-2025-20333 and CVE-2025-20362, are extremely dangerous because they can be exploited remotely and without authentication. These vulnerabilities allow an attacker to execute arbitrary code and gain access to restricted URL endpoints associated with VPN access.
Cisco issued a warning on September 25 that these issues were already being actively exploited in attacks before patches were available. Threat monitoring service The Shadowserver Foundation reported that as of September 29, over 48,800 internet-exposed ASA and FTD instances are still vulnerable. Most of these affected devices are located in the United States, followed by the United Kingdom, Japan, Germany, and Russia.
The threat actor activity was preceded by suspicious scans targeting Cisco ASA devices as early as late August, according to a warning from GreyNoise on September 4.
Government Response and Mitigations
The severe risk posed by these vulnerabilities prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency directive. This directive gave all Federal Civilian Executive Branch (FCEB) agencies only 24 hours to find and update any compromised Cisco ASA and FTD instances. CISA also advised that ASA devices reaching their end of support (EoS) should be disconnected from federal networks immediately.
A report from the U.K.'s National Cyber Security Centre (NCSC) revealed that the hackers are deploying malware named 'Line Viper,' which is followed by a GRUB bootkit named 'RayInitiator.'
Though no workarounds exist, temporary hardening steps include restricting the exposure of the VPN web interface and increasing logging and monitoring for suspicious VPN logins and crafted HTTP requests. Administrators of all potentially impacted systems are strongly urged to apply Cisco's patches for CVE-2025-20333 and CVE-2025-20362 as soon as possible.