
Cisco ASA and FTD active exploitation wave (CVE-2025-20333, CVE-2025-20362)

Exploitation Wave
H score 55
1 unique source, 2 articles

Summary


Cisco ASA and FTD appliances are still under an active exploitation wave for CVE-2025-20333 and CVE-2025-20362, with a new attack variant now causing unexpected reloads and DoS on unpatched systems. Cisco said on November 5, 2025 that the variant targets Cisco Secure ASA Software and Cisco Secure FTD Software releases affected by the same flaws, while CISA earlier ordered U.S. federal agencies to secure affected firewalls within 24 hours. Shadowserver is tracking over 34,000 internet-exposed vulnerable instances, underscoring that the exposed population remains large despite patching.

Related Happenings

Cisco Secure Workload REST API patch release (CVE-2026-20223)

Security Patch Release
First: 22.05.2026 08:36 Last: 22.05.2026 08:36 Sources 1

About this happening: Cisco patched **CVE-2026-20223**, a **CVSS 10.0** Secure Workload REST API flaw that could expose sensitive data and allow configuration changes across tenant boundaries. The upda...

Cisco Secure Workload REST API validation/authentication flaw (CVE-2026-20223)

Vulnerability
First: 21.05.2026 15:04 Last: 21.05.2026 15:04 Sources 1

About this happening: **Cisco Secure Workload Cluster Software** was patched for **CVE-2026-20223**, a **critical** REST API flaw that could let attackers gain **Site Admin privileges** and cross tenan...

Cisco ThousandEyes and Nexus security patches

Security Patch Release
First: 21.05.2026 15:04 Last: 21.05.2026 15:04 Sources 1

About this happening: Cisco released patches for **three medium-severity vulnerabilities** affecting **ThousandEyes Virtual Appliance**, **ThousandEyes Enterprise Agent**, and **Nexus 3000/9000 switche...

Cisco Catalyst SD-WAN authentication bypass flaw actively exploited (CVE-2026-20182)

Vulnerability
First: 14.05.2026 23:09 Last: 14.05.2026 23:09 Sources 1

About this happening: **CVE-2026-20182** is an actively exploited **authentication bypass** in **Cisco Catalyst SD-WAN Controller** and **Cisco Catalyst SD-WAN Manager**, creating a path to **administr...

Latest development: 14.05.2026 23:25

Cisco released a patch for CVE-2026-20182, giving organizations using Cisco Catalyst SD-WAN Controllers a way to block the authentication bypass before UAT-8616 can continue using it for administrative access, SSH key insertion, NETCONF changes, and root escalation.

Cisco security patch release for CVE-2026-20182

Security Patch Release
First: 14.05.2026 20:45 Last: 14.05.2026 20:45 Sources 1

About this happening: Cisco released **updates** for **CVE-2026-20182**, a **maximum-severity authentication bypass** in **Catalyst SD-WAN Controller/Manager**, after the flaw was **exploited in limite...

Timeline

  1. 30.09.2025 19:58 3 articles · 7mo ago

    Cisco ASA and FTD exploitation wave expands across tens of thousands of exposed appliances

    Campaign Scope Update

    Cisco warned on September 25 that CVE-2025-20333 and CVE-2025-20362 were actively exploited against internet-exposed Cisco Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) appliances, with attacks starting before patches were available and with no workarounds. The Shadowserver Foundation later found more than 48,800 ASA and FTD instances still vulnerable. CISA issued an emergency directive giving FCEB agencies 24 hours to identify compromised devices and upgrade those remaining in service, and the U.K. NCSC said the attackers deployed the Line Viper shellcode loader followed by the RayInitiator GRUB bootkit.
