Full Report
Plus 2 new critical vulns - patch now

Cisco warned customers about another wave of attacks against its firewalls, which have been battered by intruders for at least six months. It also patched two critical bugs in its Unified Contact Center Express (UCCX) software that aren't under active exploitation - yet.…
Analysis Summary
# Vulnerability: Cisco Firewall Active Exploitation and Critical UCCX Flaws
## CVE Details
- CVE ID: CVE-2025-20333 (Firewall, under active attack)
- CVE ID: CVE-2025-20362 (Firewall, under active attack)
- CVE ID: CVE-2025-20354 (UCCX Critical)
- CVE ID: CVE-2025-20358 (UCCX Critical)
- CVSS Score: N/A (Scores not explicitly listed for firewall CVEs, but noted as critical)
- CVSS Score for CVE-2025-20354: 9.8 (Critical)
- CVSS Score for CVE-2025-20358: 9.4 (Critical)
- CWE: N/A for the firewall CVEs; Improper Authentication for the UCCX CVEs (inferred from the vulnerability descriptions, not stated explicitly)
## Affected Systems
- Products: Cisco Secure ASA Software, Cisco Secure FTD Software (Firewalls)
- Products: Cisco Unified Contact Center Express (UCCX)
- Versions: Releases affected by CVE-2025-20333 and CVE-2025-20362 (specific versions are not listed in the summary; the affected releases are those not yet updated with the September 2025 fixes).
- Versions for UCCX: Prior to 12.5 SU3 ES07 or 15.0 ES01.
- Configurations: UCCX vulnerabilities affect the software regardless of device configuration.
## Vulnerability Description
**Firewalls (CVE-2025-20333 & CVE-2025-20362):** These flaws have been exploited continuously since May 2025. A "new attack variant" reported on November 5, 2025, causes unpatched firewalls to reload repeatedly, producing a Denial-of-Service (DoS) condition. Attackers have used these vulnerabilities (including as zero-days) to deploy malware, execute malicious commands, and potentially steal data. Evasion techniques observed include disabling logging and deliberately crashing devices to prevent diagnostic capture. In some instances, persistence survived reboots and upgrades through the ROM Monitor (ROMmon) bootstrap program.
**UCCX (CVE-2025-20354):** A flaw in the Java Remote Method Invocation (RMI) process stemming from improper authentication. Successful exploitation allows an attacker to upload a crafted file, execute arbitrary OS commands, and elevate privileges to root.
**UCCX (CVE-2025-20358):** An authentication bypass vulnerability due to improper authentication between the CCX Editor and the Unified CCX server. Attackers can redirect the authentication flow to a malicious server, tricking the system into believing authentication was successful, allowing execution of arbitrary scripts as a non-root user.
## Exploitation
- Status: **CVE-2025-20333/20362 (Firewalls):** Exploited in the wild since at least May 2025; "new attack variant" is currently active.
- Status: **CVE-2025-20354/20358 (UCCX):** Not under active exploitation *yet*, but patching is strongly advised.
- Complexity: High (Inferred due to required advanced evasion techniques linked to a state-backed group, UAT4356).
- Attack Vector: Network (Implied, typically for firewall exploitation).
## Impact
- Confidentiality: High (Implied by data theft potential in firewall exploitation).
- Integrity: High (Arbitrary command execution, root compromise on UCCX, malware/command execution on firewalls).
- Availability: High (Firewalls subject to continuous reload/DoS conditions; system compromise).
## Remediation
### Patches
- **Firewalls (ASA/FTD):** Patches were originally released in September 2025 to address the underlying flaws exploited by the series of attacks. Customers must ensure they have installed these specific fixes to prevent the "new attack variant."
- **UCCX:** Upgrade to fixed software release: **12.5 SU3 ES07** or **15.0 ES01**.
### Workarounds
- No workarounds were provided in the summary text for the firewall flaws; given the active exploitation, applying the September 2025 patches is the implied required action.
- No specific workarounds were provided for the UCCX flaws.
## Detection
- **Indicators of Compromise (Firewall Exploitation):**
  - Devices continually reloading or crashing unexpectedly.
  - Evidence of disabled logging mechanisms.
  - Malicious files present or unauthorized commands being executed.
  - Persistence mechanisms found in the ROM Monitor (ROMmon) state after reboots or upgrades.
- **Detection Methods and Tools:** Requires detailed forensic analysis of firewall logs and system states, focusing on anomalies related to system crashes and command execution.
## References
- Vendor advisories (Referencing Cisco Security Advisories published November 5, 2025).
- Cisco Security Advisory for the UCCX flaws (URL defanged): hxxps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cc-unauth-rce-QeN7h7mQ