Discover the top 16 exploited vulnerabilities from September 2025, including critical Cisco and TP-Link flaws, malware-linked CVEs, and actionable threat intelligence from Recorded Future’s Insikt Group.
Analysis Summary
# Vulnerability: Cisco ASA & FTD Remote Code Execution and Persistence via Chained Flaws
## CVE Details
- CVE ID: CVE-2025-20333, CVE-2025-20362 (Multiple, analyzed together as part of an active threat campaign)
- CVSS Score: Not stated in the report; the flaws are rated Very Critical/Critical and are part of an actively exploited campaign.
- CWE: CWE-121 (Buffer Overflow), CWE-862 (Missing Authorization)
## Affected Systems
- Products: Cisco Adaptive Security Appliance (ASA) 5500-X series; Cisco Secure Firewall ASA and FTD (the report notes that legacy devices are affected).
- Versions: Firmware versions 9.12(4)67 and 9.14(4)24 (specifically those without secure boot and with VPN web services enabled).
- Configurations: Affected devices must have VPN web services enabled.
## Vulnerability Description
The campaign chains two vulnerabilities, actively exploited in the wild, to deploy malware (the RayInitiator bootkit and LINE VIPER shellcode):
1. **CVE-2025-20333 (Buffer Overflow/RCE):** A buffer overflow caused by improper validation of user-supplied input in HTTP(S) requests to Cisco web services. A **remote, authenticated attacker** with valid VPN credentials can achieve remote code execution (RCE).
2. **CVE-2025-20362 (Missing Authorization):** A flaw in the VPN web server, also caused by improper validation of user-supplied input in HTTP(S) requests, that allows a **remote, unauthenticated attacker** to reach a restricted URL via crafted HTTP requests.
Chained together, these flaws let an unauthenticated, remote threat actor gain complete control over vulnerable VPN and WebVPN services. Post-exploitation, the threat actors modify the GRUB bootloader or ROMMON (on some non-Secure-Boot models) to hook the firmware/kernel loading path, so that the RayInitiator bootkit persists across reboots and upgrades.
## Exploitation
- Status: **Exploited in the wild** (Associated with malware campaigns deploying RayInitiator and LINE VIPER).
- Complexity: Likely **Medium** because the two flaws must be chained, although each component on its own may be straightforward (one requires authentication, the other does not).
- Attack Vector: **Network** (Remote exploitation via HTTP(S) requests to VPN services).
## Impact
- Confidentiality: **High** (Implied by complete control and malware deployment).
- Integrity: **High** (Modification of firmware/bootloaders/ROMMON for persistence).
- Availability: **High** (Risk of denial of service or persistent compromise).
## Remediation
### Patches
- Cisco released patches to fix CVE-2025-20333 and CVE-2025-20362 on September 25, 2025. Users should consult Cisco advisories for specific patched versions.
### Workarounds
- Because the campaign targets devices *without* Secure Boot and with VPN web services enabled, enabling Secure Boot (where the specific model and firmware support it) is a key defensive measure.
- Disable VPN web services entirely if they are not required.
## Detection
- **Indicators of Compromise (IoCs):** Presence of RayInitiator bootkit or LINE VIPER shellcode on affected ASA devices. Anomalies in firmware/bootloader integrity checks.
- **Detection Methods and Tools:** CISA added these CVEs to its Known Exploited Vulnerabilities (KEV) catalog on September 25, 2025, and NCSC and Cisco published a technical analysis with indicators. Monitor outbound connections and unusual process execution tied to boot stages. Nuclei templates may be available through Recorded Future platform access for testing.
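An added triage helper, not from the report and not Cisco's own tooling: it checks saved `show version` and `show running-config` output against the exposure conditions listed above (a firmware version the report names as affected, and VPN web services enabled). The `show version` line format and both sample outputs are assumptions constructed for this example.

```python
import re
from typing import Optional

# Versions the report lists as affected (copied from the analysis above).
AFFECTED_VERSIONS = {"9.12(4)67", "9.14(4)24"}
# Assumed 'show version' line: "Cisco Adaptive Security Appliance Software Version 9.12(4)67"
VERSION_RE = re.compile(r"Adaptive Security Appliance Software Version (\S+)")

def parse_version(show_version: str) -> Optional[str]:
    m = VERSION_RE.search(show_version)
    return m.group(1) if m else None

def vpn_web_services_enabled(running_config: str) -> bool:
    """True when a top-level 'webvpn' block contains 'enable <interface>'.
    Indented 'webvpn' sub-blocks under group-policy are not the service switch."""
    in_webvpn = False
    for line in running_config.splitlines():
        if not line.startswith(" "):            # top-level command starts a new block
            in_webvpn = line.strip() == "webvpn"
        elif in_webvpn and line.strip().startswith("enable "):
            return True
    return False

def assess(show_version: str, running_config: str) -> dict:
    version = parse_version(show_version)
    exposed = vpn_web_services_enabled(running_config)
    listed = version in AFFECTED_VERSIONS
    if listed and exposed:
        priority = "urgent"   # every exposure condition the report names is present
    elif exposed:
        priority = "review"   # VPN web services on; confirm patch level against Cisco's advisory
    else:
        priority = "low"      # no VPN web services, so outside this campaign's stated scope
    return {"version": version, "version_listed_affected": listed,
            "vpn_web_services_enabled": exposed, "priority": priority}

# Constructed sample output, not captured from a real device.
SAMPLE_SHOW_VERSION = "Cisco Adaptive Security Appliance Software Version 9.12(4)67\n"
SAMPLE_CONFIG = (
    "interface GigabitEthernet0/0\n nameif outside\n"
    "group-policy GP internal\ngroup-policy GP attributes\n webvpn\n  anyconnect keep-installer installed\n"
    "webvpn\n enable outside\n anyconnect enable\n"
)

if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_VERSION, SAMPLE_CONFIG))
```

Run it over configs pulled from your backup repository; a "review" result still needs the patched-version check from the Cisco advisory, which this script does not encode.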
## References
- UK NCSC/US CISA/Cisco Technical Analysis (Reported September 25, 2025)
- CISA KEV Catalog entry for CVE-2025-20333 and CVE-2025-20362
- Vendor Advisories: Cisco Security Advisories for CVE-2025-20333 and CVE-2025-20362 (defanged: hxxps://www[.]cisco[.]com/...)