
Cisco Warns of New Firewall Attack Exploiting CVE-2025-20333 and CVE-2025-20362

Medium
Exploit
Published: Thu Nov 06 2025 (11/06/2025, 14:58:00 UTC)
Source: The Hacker News

Description

Cisco on Wednesday disclosed that it became aware of a new attack variant that's designed to target devices running Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software releases that are susceptible to CVE-2025-20333 and CVE-2025-20362. "This attack can cause unpatched devices to unexpectedly reload, leading to denial-of-service

AI-Powered Analysis

Last updated: 11/08/2025, 02:53:35 UTC

Technical Analysis

Cisco has publicly disclosed a new attack variant exploiting two critical vulnerabilities in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software, identified as CVE-2025-20333 and CVE-2025-20362. CVE-2025-20333 is a remote code execution vulnerability that allows attackers to execute arbitrary code with root privileges by sending specially crafted HTTP requests to vulnerable firewall devices. This capability enables attackers to gain full control over the affected system. CVE-2025-20362 permits unauthenticated access to restricted URLs, potentially exposing sensitive management interfaces or internal resources without authentication. The combined exploitation of these vulnerabilities can cause affected devices to reload unexpectedly, leading to denial-of-service (DoS) conditions that disrupt network security enforcement and connectivity. These vulnerabilities were initially disclosed in late September 2025 but had already been exploited in the wild as zero-days, delivering malware families such as RayInitiator and LINE VIPER, as reported by the UK National Cyber Security Centre (NCSC). The attack vector involves sending crafted network requests to firewall devices running susceptible software versions, with no user interaction required. Cisco has issued advisories urging customers to apply patches immediately to mitigate these risks. The vulnerabilities affect critical network security infrastructure, and successful exploitation could lead to significant operational disruption and potential further compromise of internal networks. Additionally, Cisco disclosed other critical vulnerabilities in Unified Contact Center Express and Identity Services Engine, but the primary focus here is on the firewall attack vector. No confirmed exploits in the wild have been reported since the patch release, but the prior zero-day exploitation history underscores the urgency of remediation.

Potential Impact

For European organizations, the impact of this threat is significant due to the widespread use of Cisco Secure Firewall ASA and FTD products in enterprise and government networks across Europe. Exploitation can lead to denial-of-service conditions, causing network outages and disrupting critical business operations and security monitoring. The ability to execute arbitrary code as root elevates the risk to full system compromise, potentially allowing attackers to pivot within networks, exfiltrate sensitive data, or deploy additional malware. This is particularly concerning for sectors with high dependency on network availability and security, such as finance, telecommunications, healthcare, and government agencies. The disruption of firewall services can also degrade incident response capabilities and expose internal systems to further attacks. Given the prior use of these vulnerabilities in malware campaigns, there is a risk of coordinated attacks targeting European infrastructure. The threat could also impact managed security service providers (MSSPs) and cloud providers using Cisco firewall products, amplifying the potential scope of disruption.

Mitigation Recommendations

European organizations should immediately verify the versions of Cisco Secure Firewall ASA and FTD software in use and apply the latest security patches released by Cisco that address CVE-2025-20333 and CVE-2025-20362. Network administrators should prioritize patching firewall devices, especially those exposed to untrusted networks or the internet. Implement strict network segmentation to limit access to firewall management interfaces and restrict HTTP access to trusted sources only. Deploy enhanced monitoring and logging for unusual HTTP requests or access attempts to restricted URLs on firewall devices. Use intrusion detection/prevention systems (IDS/IPS) to detect exploitation attempts targeting these vulnerabilities. Conduct regular vulnerability scans and penetration tests focusing on firewall infrastructure. Establish incident response plans that include rapid isolation and recovery procedures for compromised firewall devices. Additionally, review firewall configuration and access controls to minimize attack surface. Organizations should also engage with Cisco’s security advisories and threat intelligence updates to stay informed of any emerging exploitation trends or additional mitigations.


Technical Details

Article Source
{"url":"https://thehackernews.com/2025/11/cisco-warns-of-new-firewall-attack.html","fetched":true,"fetchedAt":"2025-11-08T02:51:38.808Z","wordCount":1010}

Threat ID: 690eb03c3a8fd010ecf20035

Added to database: 11/8/2025, 2:51:40 AM

Last enriched: 11/8/2025, 2:53:35 AM

Last updated: 11/20/2025, 10:27:29 AM
