
Two New Cisco ASA Vulnerabilities Actively Exploited in the Wild

Ryan Chadwick, September 29, 2025

On September 25, two critical vulnerabilities were identified in Cisco Secure Firewall Adaptive Security Appliance (ASA) and Cisco Secure Firewall Threat Defense (FTD) Software. 

CVE-2025-20333 (CVSS score 9.9) is a remote code execution (RCE) vulnerability that results from improper validation of user-supplied input in HTTP requests. CVE-2025-20362 (CVSS score 6.5) is a missing authorization vulnerability due to improper validation of user-supplied input in HTTP requests. 

These vulnerabilities can be chained together to achieve unauthenticated RCE as root, leading to complete compromise of the device. On its own, CVE-2025-20333 requires authentication; chaining it with CVE-2025-20362 removes that requirement, which is why both vulnerabilities must be mitigated.

Cisco has released software updates that address these vulnerabilities. To mitigate them, businesses should ensure their Cisco ASA appliance is updated to the patched version.

What happened?

Cisco ASA is a multi-purpose cybersecurity hardware device that includes firewall, antivirus, intrusion protection, and virtual private network (VPN) capabilities. The devices have been in use for over 15 years, with more than 1 million security appliances deployed worldwide.

The US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive for these vulnerabilities after observing them being actively exploited in the wild.

Cisco also observed the threat actor modifying ROMMON, a low-level firmware program that serves as the device’s bootstrap loader, allowing for persistence across reboots and software upgrades. These modifications have been observed only on Cisco ASA 5500-X Series platforms that were released before the development of Secure Boot and Trust Anchor technologies. 

Cisco has not observed successful compromise, malware implantation, or the existence of a persistence mechanism on platforms that support Secure Boot and Trust Anchors.

How do businesses address this?

To mitigate these vulnerabilities, businesses should ensure their Cisco ASA appliance is updated to the patched version, 9.23.1.19, per the vendor advisories.

If you are running a 5500-X Series platform, please ensure you follow the additional vendor guidance to prevent a threat actor from obtaining a persistent backdoor. 

Who's at risk?

Among Coalition policyholders notified about this vulnerability, businesses in the professional services (13%), healthcare (12%), and hospitality (10%) industries were most impacted. The highest proportion of impacted policyholders had fewer than 250 employees (67%) and were small to midsize businesses by revenue (82%).

In Coalition’s Risky Tech Ranking, Cisco is currently ranked #10 with 17% more published vulnerabilities in Q2 2025 versus Q1 2025. 

How is Coalition responding?

Within hours of disclosure, Coalition notified any impacted policyholders. Coalition policyholders can log in to Coalition Control® for the latest updates. Coalition also recommends that policyholders follow the latest guidance from Cisco.

We continue to closely monitor the situation. For any questions about this vulnerability, ask Security Copilot in Coalition Control. For assistance with mitigation, contact Coalition’s Security Support Center at securitysupport@coalitioninc.com.

