On 25 September 2025, Cisco released fixes for two vulnerabilities in Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) that are currently being actively exploited by a sophisticated threat actor. The US Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03 requiring Federal Civilian Executive Branch (FCEB) agencies to patch these vulnerabilities by 12 PM EDT on September 26. Agencies are also required to assess compromise via CISA-provided procedures and submit core dump(s).
- CVE-2025-20333: A critical vulnerability allowing authenticated remote threat actors to execute code on an unpatched device. Exploitation requires crafted HTTP requests with valid VPN credentials.
- CVE-2025-20362: A medium-severity vulnerability allowing remote, unauthenticated threat actors to access restricted URL endpoints by sending crafted HTTP requests to a targeted web server.
Additionally, a third vulnerability of critical severity, CVE-2025-20363, was patched. This vulnerability allows unauthenticated, remote threat actors to execute arbitrary code on Cisco ASA and FTD software, or authenticated, remote threat actors with low user privileges to execute arbitrary code on Cisco IOS, IOS XE, and IOS XR software. Cisco has not indicated that CVE-2025-20363 has been exploited in the wild at the time of writing.
CVE-2025-20352
Earlier this week, on 24 September Cisco also patched a high-severity, exploited vulnerability impacting Cisco IOS, tracked as CVE-2025-20352. The flaw resides in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and Cisco IOS XE software and can be exploited by remote, authenticated threat actors sending a crafted SNMP packet to an affected device over IPv4 or IPv6 networks. The vulnerability affects all devices with SNMP enabled, with impacts ranging from a denial of service with low privileges to remote code execution with high privileges.
Recommendation
Upgrade to Latest Fixed Release
Arctic Wolf strongly recommends that customers upgrade to the latest fixed release.
| Product | Vulnerability | Fixed Release |
| Cisco ASA | CVE-2025-20333, CVE-20362, CVE-2025-20363 | Customers can use Cisco’s Software Checker to verify if they are running an affected product and update to the fixed release. |
| Cisco FTD | CVE-2025-20333, CVE-20362, CVE-2025-20363 | |
| Cisco IOS/IOS XE | CVE-2025-20363, CVE-2025-20352 | |
| Cisco IOS XR | CVE-2025-20363 |
Please follow your organisation’s patching and testing guidelines to minimise potential operational impact.
Collect Cisco Device Artifacts and Outputs
Before upgrading the device to the latest fixed version, collect all artifacts and outputs outlined by CISA to determine whether there are signs of compromise on the Cisco device. Follow the listed steps in the exact order provided to avoid triggering the threat actor’s anti-forensics measures. Any deviation could destroy forensic data and make confirming exploitation or assessing impact more difficult.
Note: Software versions after 9.17.1.40, 9.18.4.41, 9.19.1.32, and 9.20+ are likely not impacted by this campaign as the WebVPN file-upload handler used by the threat actor was removed from those versions.
References
Resources
Understand the threat landscape with our annual review highlighting cyber threats with the 2025 Security Operations Report.
See how Arctic Wolf utilises threat intelligence to harden your attack surface and stop threats earlier and faster.
