Cisco Firewall Flaws: Exploited for DoS Attacks and Zero-Day Exploits (2025)

Cisco is warning that vulnerabilities in its ASA and FTD firewalls, already exploited as zero-days, are now also being used for denial-of-service (DoS) attacks that knock devices offline. Here is what is happening and what you need to do.

Cisco recently disclosed that two vulnerabilities it patched on September 25 are being exploited in the wild against ASA and FTD firewalls, and that the latest attacks force unpatched devices into reboot loops, effectively shutting down the network services behind them. The first, CVE-2025-20362, lets a remote attacker reach restricted URL endpoints on the VPN web server without authenticating. The second, CVE-2025-20333, lets an authenticated attacker execute code remotely on a vulnerable device. Chained, the first removes the authentication requirement of the second, so an unauthenticated attacker ends up with complete control of an unpatched firewall.

In response, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive ordering U.S. federal agencies to patch their Cisco firewalls within 24 hours and to disconnect ASA devices that have reached end of support (EoS) from federal networks. The directive also told agencies to collect forensic core dumps and check devices for compromise rather than simply upgrade, because a reboot or upgrade discards the in-memory evidence that this actor's tooling leaves behind. Patch fast, but capture evidence first if you can.

Threat monitoring services such as Shadowserver are tracking over 34,000 internet-exposed ASA and FTD instances still running vulnerable versions. That is down from the nearly 50,000 unpatched firewalls seen earlier in September, but every one of those devices is reachable by the same attackers Cisco is warning about.
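The two questions behind those numbers are "which of our firewalls are on a fixed release?" and "which of them expose the VPN web server to the internet?" The following script is an added example, not Cisco's, CISA's or Shadowserver's tooling: it compares each inventoried ASA/FTD version against a per-train first-fixed-release table, flags end-of-support hardware for disconnection rather than patching, and fingerprints exposure by requesting the ASA clientless VPN login page (`/+CSCOE+/logon.html`) through a caller-supplied fetch function so the check runs offline here. The inventory rows, the `fake_fetch` stub and every value in `FIXED_RELEASES` are constructed placeholders; copy the real first-fixed releases from Cisco's advisory before trusting the output.

```python
"""Triage an ASA/FTD inventory: fixed-release status plus WebVPN exposure.

Added example, not Cisco tooling. FIXED_RELEASES, SAMPLE_DEVICES and fake_fetch are
constructed placeholders; replace FIXED_RELEASES with the advisory's real values.
"""
from collections import namedtuple
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# First fixed release per product and "major.minor" train.  PLACEHOLDER VALUES.
# None marks a train the advisory lists with no fix (migrate instead of patching).
FIXED_RELEASES: Dict[str, Dict[str, Optional[Version]]] = {
    "asa": {"9.12": None, "9.16": (9, 16, 4, 99), "9.18": (9, 18, 4, 99), "9.20": (9, 20, 4, 99)},
    "ftd": {"7.0": (7, 0, 8, 99), "7.2": (7, 2, 10, 99), "7.4": (7, 4, 2, 99)},
}


def parse_version(text: str) -> Version:
    """'9.16.4.85' -> (9, 16, 4, 85). Both ASA and FTD use dotted numeric versions."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def train_of(v: Version) -> str:
    return f"{v[0]}.{v[1]}"


def is_at_least(v: Version, fixed: Version) -> bool:
    # Pad the shorter tuple with zeros so 9.16.5 compares as 9.16.5.0.
    n = max(len(v), len(fixed))
    return v + (0,) * (n - len(v)) >= fixed + (0,) * (n - len(fixed))


def patch_status(product: str, version: str, table=FIXED_RELEASES) -> str:
    """'fixed', 'vulnerable', 'no-fix' (migrate) or 'unknown-train' (check the advisory)."""
    v = parse_version(version)
    trains = table.get(product.lower(), {})
    t = train_of(v)
    if t not in trains:
        return "unknown-train"
    fixed = trains[t]
    if fixed is None:
        return "no-fix"
    return "fixed" if is_at_least(v, fixed) else "vulnerable"


@dataclass
class Device:
    host: str
    product: str  # "asa" or "ftd"
    version: str
    eos: bool     # hardware past end of support: disconnect, do not try to patch


WEBVPN_PATH = "/+CSCOE+/logon.html"  # ASA clientless SSL VPN login page


def webvpn_exposed(host: str, fetch: Callable[[str], Optional[int]]) -> bool:
    """True when the VPN web server answers. `fetch(url)` returns an HTTP status or None;
    inject it so the check can run offline here and from an external scanner in practice."""
    return fetch(f"https://{host}{WEBVPN_PATH}") == 200


Row = namedtuple("Row", "host status exposed")
PRIORITY = {"eos-disconnect": 0, "no-fix": 0, "vulnerable": 1, "unknown-train": 2, "fixed": 3}


def triage(devices: List[Device], fetch, table=FIXED_RELEASES) -> List[Row]:
    """Exposed and unfixed devices first; EoS hardware ranks with 'no fix available'."""
    rows = []
    for d in devices:
        status = "eos-disconnect" if d.eos else patch_status(d.product, d.version, table)
        rows.append(Row(d.host, status, webvpn_exposed(d.host, fetch)))
    rows.sort(key=lambda r: (not r.exposed, PRIORITY[r.status]))
    return rows


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_DEVICES = [
    Device("vpn1.example.test", "asa", "9.16.4.70", eos=False),
    Device("vpn2.example.test", "asa", "9.20.4.99", eos=False),
    Device("old-asa.example.test", "asa", "9.12.4.50", eos=True),
    Device("ftd1.example.test", "ftd", "7.2.10.99", eos=False),
    Device("lab.example.test", "asa", "9.23.1.5", eos=False),
]


def fake_fetch(url: str) -> Optional[int]:
    """Constructed stand-in for a real HTTPS probe: only vpn1 and old-asa 'answer'."""
    return 200 if url.startswith(("https://vpn1.", "https://old-asa.")) else None


if __name__ == "__main__":
    for row in triage(SAMPLE_DEVICES, fake_fetch):
        print(f"{row.host:24} {row.status:16} exposed={row.exposed}")
```

Run it against your own export and a real fetch (for example a `requests.get(..., timeout=5, verify=False).status_code` wrapper from outside your network) and the top of the list is the set of devices to patch, or unplug, first. An "unknown-train" result is deliberate: the script refuses to guess about a train that is not in the table, so those devices get a manual check against the advisory rather than a false "fixed".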

Cisco has linked these attacks to ArcaneDoor, the espionage campaign that exploited ASA zero-days in 2024. The actor behind it is tracked as UAT4356 by Cisco Talos and as Storm-1849 by Microsoft. In the 2024 intrusions it used previously unknown malware, Line Dancer (an in-memory shellcode loader) and Line Runner (a persistent web shell), to maintain access to compromised firewalls, which points to a sophisticated and persistent threat actor.

On the same day, Cisco also fixed a third critical vulnerability, CVE-2025-20363, which could allow an unauthenticated remote attacker to execute arbitrary code. Cisco has stated that it is not aware of any public announcements or malicious use of this one.

Attackers are also exploiting another recently patched vulnerability, CVE-2025-20352 in the SNMP subsystem of Cisco IOS and IOS XE, to deploy Linux rootkits on unprotected Cisco devices. Exploiting it requires sending SNMP packets with a valid community string or SNMPv3 credential, so reachable, weakly configured SNMP is the entry point: restricting SNMP to management hosts and retiring v1/v2c communities shrinks the exposure even before the patch lands.
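Because that flaw is only reachable through SNMP, the fastest compensating check is to audit what your IOS/IOS XE configs actually expose. The script below is an added example, not Cisco's; the two running-config excerpts are constructed, and the rules encode the preconditions described above as I read them: any v1/v2c community is a cleartext credential that reaches the vulnerable code path, well-known strings and RW communities are worse, an ACL that is referenced but never defined filters nothing, and an SNMPv3 group without `priv` or without an access ACL is still weaker than it should be. The hardened excerpt shows the configuration the audit expects to see instead.

```python
"""Audit Cisco IOS/IOS XE running-config text for SNMP exposure.

Added example, not Cisco tooling. WEAK_CONFIG and HARDENED_CONFIG are constructed.
"""
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, str, str]  # (severity, config line, message)

WELL_KNOWN = {"public", "private", "cisco", "admin"}

# snmp-server community <string> [view <name>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: (\S+))?\s*$", re.I)
# snmp-server group <name> v3 {noauth|auth|priv} [...] [access <acl>]
GROUP_RE = re.compile(
    r"^snmp-server group (\S+) (v1|v2c|v3)(?: (noauth|auth|priv))?(?:.*? access (\S+))?", re.I)
# Numbered ("access-list 10 ...") or named ("ip access-list standard NAME") ACL definitions
ACL_RE = re.compile(r"^(?:access-list (\d+) |ip access-list (?:standard|extended) (\S+))")


def defined_acls(config: str) -> Set[str]:
    acls = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.add(m.group(1) or m.group(2))
    return acls


def audit_snmp(config: str) -> List[Finding]:
    acls = defined_acls(config)
    findings: List[Finding] = []
    for raw in config.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            community, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
            # Every v1/v2c community is a cleartext credential that reaches the SNMP code path.
            findings.append(("medium", line, "v1/v2c community travels in clear text; migrate to SNMPv3 authPriv"))
            if community.lower() in WELL_KNOWN:
                findings.append(("critical", line, "well-known community string"))
            if mode == "RW":
                findings.append(("high", line, "RW community: write access is the higher-privilege path"))
            if acl is None:
                findings.append(("high", line, "no ACL: any host that can reach UDP/161 may present the string"))
            elif acl not in acls:
                findings.append(("high", line, f"ACL {acl} is referenced but not defined; treat as unfiltered"))
            continue
        m = GROUP_RE.match(line)
        if m and m.group(2).lower() == "v3":
            level, acl = (m.group(3) or "noauth").lower(), m.group(4)
            if level != "priv":
                findings.append(("medium", line, f"v3 group is {level}, not priv: traffic is not encrypted"))
            if acl is None:
                findings.append(("low", line, "v3 group has no access ACL; restrict to management hosts"))
            elif acl not in acls:
                findings.append(("high", line, f"ACL {acl} is referenced but not defined; treat as unfiltered"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(sev for sev, _, _ in findings))


# Constructed "before": typical legacy configuration.
WEAK_CONFIG = """\
hostname core-sw1
snmp-server community public RO
snmp-server community private RW
snmp-server community n3tm0n RO 10
snmp-server community legacy RO MGMT-ACL
access-list 10 permit 10.10.0.5
"""

# Constructed "after": SNMPv3 authPriv only, limited to one management host.
# The matching user is created with
#   snmp-server user netmon NETMON v3 auth sha <auth-password> priv aes 128 <priv-password>
# and does not appear in the running-config, so it is not audited here.
HARDENED_CONFIG = """\
hostname core-sw1
snmp-server group NETMON v3 priv access SNMP-MGMT
ip access-list standard SNMP-MGMT
 permit 10.10.0.5
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {summarize(audit_snmp(cfg)) or 'no findings'}")
        for sev, line, msg in audit_snmp(cfg):
            print(f"  [{sev}] {line}: {msg}")
```

Feed it `show running-config` output from your devices; anything rated high or critical means the SNMP precondition for CVE-2025-20352 is satisfied by whoever can reach the device, and those boxes belong at the front of the patch queue. The parser deliberately covers only the community and group lines it understands; extend the regexes for other SNMP syntax you use rather than assuming silence means safe.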

More recently, Cisco released security updates for critical flaws in its Contact Center software that could allow an unauthenticated attacker to bypass authentication (CVE-2025-20358) and to execute commands with root privileges (CVE-2025-20354).

Cisco's recommendation is clear: "We strongly recommend all customers upgrade to the software fixes outlined in our security advisories." This is not a suggestion; it's a critical step to protect your network.

What are your thoughts? Do you think organizations are doing enough to keep their systems patched? Are you concerned about the potential impact of these attacks? Share your opinions in the comments below!

Author: Rev. Leonie Wyman