Cisco ASA/FTD code execution and authentication bypass flaws (multiple vulnerabilities)
Vulnerability
Summary
Cisco ASA/FTD vulnerabilities CVE-2025-20333 and CVE-2025-20362 are still under active exploitation and can be chained for unauthenticated remote control of affected firewalls. CISA has told U.S. federal agencies to fully patch Cisco ASA and Firepower devices, while Emergency Directive 25-03 requires immediate remediation across agency networks. Cisco previously said the flaws were used as zero-days against 5500-X Series devices with VPN web services enabled, and Shadowserver now tracks over 30,000 vulnerable devices.
Related Happenings
CISA KEV order for Copy Fail on federal Linux devices
Public Sector Action
First: 08.05.2026 10:45
Last: 08.05.2026 10:45
Sources 1
About this happening:
**CISA** added **Copy Fail** to the **Known Exploited Vulnerabilities (KEV) Catalog**, making the Linux flaw a federal remediation priority. The agency ordered **federal agencies*...
Federal civilian executive branch agency hit by network compromise
Incident
First: 24.04.2026 23:34
Last: 24.04.2026 23:34
Sources 1
About this happening:
A **federal civilian executive branch agency** was compromised in an **early September 2025** intrusion that left attackers with persistent access on **Cisco Firepower** and **Sec...
FIRESTARTER malware on Cisco ASA and FTD devices
Malware Activity
First: 23.04.2026 15:00
Last: 23.04.2026 15:00
Sources 1
How related:
An unnamed federal civilian agency's Cisco Firepower device running Adaptive Security Appliance (ASA) software was compromised in September 2025 with malware called FIRESTARTER.
About this happening:
CISA has published analysis of **FIRESTARTER**, a malware strain that enables **remote access and control** on **Cisco Firepower** and **Secure Firewall** devices, raising the ris...
Latest development: 24.04.2026 23:34
CISA, NCSC-UK, and Cisco detailed Firestarter persistence on Cisco Firepower and Secure Firewall devices running ASA or FTD software, attributing the backdoor to UAT-4356 and linking the activity to ArcaneDoor. The malware modifies CSP_MOUNT_LIST, stores a copy in /opt/cisco/platform/logs/var/log/svc_samcore.log, restores itself to /usr/bin/lina_cs, and relaunches after termination or reboot; Cisco recommends reimaging and upgrading to fixed releases, or using a cold restart only if reimaging is not possible.
CISA KEV directive for CVE-2026-20133
Public Sector Action
First: 21.04.2026 15:30
Last: 21.04.2026 15:30
Sources 1
About this happening:
On **Monday, April 21, 2026**, **CISA** added **CVE-2026-20133** to the **KEV Catalog** and ordered **FCEB agencies** to secure their networks by **Friday, April 24**. The directi...
CISA KEV listing and FCEB patch order for Ivanti EPMM
Public Sector Action
First: 08.04.2026 21:15
Last: 08.04.2026 21:15
Sources 1
About this happening:
**CISA** added **CVE-2026-1340** to the **KEV Catalog** and ordered **FCEB agencies** to patch **Ivanti Endpoint Manager Mobile (EPMM)** by **Saturday midnight, April 11**, forcin...
Timeline
-
24.04.2026 20:06 2 articles · 1mo ago
Cisco ASA/FTD code execution and authentication bypass flaws (multiple vulnerabilities)
Initial Disclosure
**CVE-2025-20333** and **CVE-2025-20362** were exploited in a **2025 campaign** against **Cisco ASA** firmware, giving attackers a route to **code execution** and **restricted-endpoint access** on affected appliances.
Sources:
- FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches — thehackernews.com — 24.04.2026 20:06
-
30.09.2025 19:58 1 articles · 7mo ago
Shadowserver finds 48,800 vulnerable Cisco ASA and FTD instances exposed
Detection IoC Update
Threat monitoring by The Shadowserver Foundation found more than 48,800 internet-exposed Cisco Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) instances still vulnerable to CVE-2025-20333 and CVE-2025-20362, including large concentrations in the United States, the United Kingdom, Japan, Germany, Russia, Canada, and Denmark.
Sources:
- Nearly 50,000 Cisco firewalls vulnerable to actively exploited flaws — www.bleepingcomputer.com — 30.09.2025 19:58
-
26.09.2025 08:51 1 articles · 8mo ago
NCSC details RayInitiator and LINE VIPER on Cisco ASA 5500-X devices
Technical Analysis Update
The U.K. National Cyber Security Centre (NCSC) said threat actors exploited CVE-2025-20362 and CVE-2025-20333 in zero-day attacks against Cisco ASA 5500-X Series devices, using the RayInitiator GRUB bootkit to load LINE VIPER for command execution, packet captures, VPN AAA bypass, syslog suppression, CLI command harvesting, and delayed reboots.
Sources:
- Cisco ASA Firewall Zero-Day Exploits Deploy RayInitiator and LINE VIPER Malware — thehackernews.com — 26.09.2025 08:51
-
25.09.2025 20:52 2 articles · 8mo ago
CISA issues emergency directive for Cisco ASA and Firepower devices
Legal Policy Action Update
CISA issued Emergency Directive 25-03 for Federal Civilian Executive Branch agencies, ordering them to inventory Cisco ASA and Firepower devices, collect forensics, disconnect compromised systems, and patch CVE-2025-20333 and CVE-2025-20362 by 12 PM EDT on September 26. The directive also requires agencies to permanently disconnect end-of-support ASA devices by September 30 after zero-day exploitation against Cisco firewall devices.
Sources:
- CISA orders agencies to patch Cisco flaws exploited in zero-day attacks — www.bleepingcomputer.com — 25.09.2025 20:52
- CISA warns feds to fully patch actively exploited Cisco flaws — www.bleepingcomputer.com — 13.11.2025 14:05