Full Report
Cisco on Wednesday disclosed that it became aware of a new attack variant that's designed to target devices running Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software releases that are susceptible to CVE-2025-20333 and CVE-2025-20362. "This attack can cause unpatched devices to unexpectedly reload, leading to denial-of-service
Analysis Summary
# Vulnerability: Cisco Firewall Denial of Service via CVE-2025-20333 and CVE-2025-20362 Exploitation
## CVE Details
- CVE ID: CVE-2025-20333, CVE-2025-20362 (Note: Severity scores for these two specific CVEs were not provided in the context, but exploitation leads to DoS.)
- CVSS Score: N/A (Cisco reports a new attack variant targeting these, leading to DoS)
- CWE: N/A
## Affected Systems
- Products: Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software.
- Versions: Releases susceptible to CVE-2025-20333 and CVE-2025-20362 (Specific versions are detailed in the respective vendor advisories).
- Configurations: Devices utilizing the vulnerable WebVPN components targeted by these CVEs.
## Vulnerability Description
Cisco has identified a new attack variant that leverages the flaws documented in CVE-2025-20333 and CVE-2025-20362.
* **CVE-2025-20333:** Successful exploitation allows an attacker to execute arbitrary code as `root` by sending crafted HTTP requests.
* **CVE-2025-20362:** Allows an attacker to access a restricted URL without authentication.
The combination or triggering of these vulnerabilities in unpatched devices can cause unexpected system reloads, resulting in a Denial-of-Service (DoS) condition.
## Exploitation
- Status: Exploited in the wild (These vulnerabilities were disclosed as zero-days exploited in attacks delivering malware such as RayInitiator and LINE VIPER).
- Complexity: Medium (Implied by remote exploitation and potential RCE capabilities of the underlying issues).
- Attack Vector: Network (Implied by the nature of firewall vulnerabilities and remote attacks).
## Impact
- Confidentiality: Potentially High (Due to the RCE capability of CVE-2025-20333, though the immediate publicized impact is DoS).
- Integrity: Potentially High (Due to the RCE capability of CVE-2025-20333).
- Availability: High (The documented effect of the new attack variant is unexpected device reload leading to Denial-of-Service).
## Remediation
### Patches
- Customers urged to apply the updates released by Cisco addressing the underlying CVEs as soon as possible. (Specific fixed versions must be sourced from Cisco Security Advisories for CVE-2025-20333 and CVE-2025-20362).
### Workarounds
- No specific workarounds were stated in the provided context, but patching is strongly recommended due to active exploitation.
## Detection
- Indicators of compromise: Presence of successful exploitation leading to device reloads or evidence of malware (RayInitiator or LINE VIPER) deployment on targeted firewalls.
- Detection methods and tools: Monitoring logs for activity related to the WebVPN functionality that aligns with exploitation patterns for the underlying CVEs.
## References
- Vendor Advisories:
- hxxps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB (For CVE-2025-20333)
- hxxps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-YROOTUW (For CVE-2025-20362)
- Relevant links:
- (Reference to prior September disclosure): hxxps://thehackernews.com/2025/09/urgent-cisco-asa-zero-day-duo-under.html
- (Reference to malware utilized): hxxps://thehackernews.com/2025/09/cisco-asa-firewall-zero-day-exploits.html