- 50,000 Cisco firewalls vulnerable to actively exploited RCE flaws CVE-2025-20333 and 20362
- Cisco and CISA urge immediate patching; no workarounds available for affected ASA/FTD devices
- Shadowserver found 48.8K unpatched IPs; top affected countries include USA, UK, and Germany
Around 50,000 internet-connected Cisco firewalls are vulnerable to two actively exploited flaws, granting threat actors unauthenticated remote code execution (RCE), as well as full control over compromised devices.
Cisco recently released patches for CVE-2025-20333 and CVE-2025-20362, two bugs plaguing its Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) solutions.
The former is a buffer overflow vulnerability with a 9.9/10 (critical) severity score, while the latter is a missing authorization flaw with a 6.5/10 (medium) severity score.
USA most affected
In the security advisory, Cisco urged customers to apply the patch as soon as possible, stating that it is aware of “attempted exploitation” in the wild.
“Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability,” it said.
At the same time, The Shadowserver Foundation, a nonprofit global cybersecurity data organization, shared on X that as of September 30, there are almost 50,000 exposed endpoints:
“Attention! Cisco ASA/FTD CVE-2025-20333 & CVE-2025-20362 incidents: we are now sharing daily vulnerable Cisco ASA/FTD instances in our Vulnerable HTTP reporting. Over 48.8K unpatched IPs found on 2025-09-29. Top affected: USA,” the tweet reads. At press time, the US had 19,610 exposed instances, followed by the UK with 2,834, and Germany with 2,392.
Right now, the best way to mitigate the threat is to apply the patch, especially since there are no workarounds. BleepingComputer reported temporary hardening steps could include restricting VPN web interface exposure, and increasing logging and monitoring for suspicious VPN logins and crafted HTTP requests.
The US Cybersecurity and Infrastructure Security Agency (CISA) recently urged government agencies to address these two flaws, claiming they were being actively exploited.
As per Emergency Directive 25-03, published on September 25, 2025, CISA said there is a “widespread” attack campaign targeting Cisco Adaptive Appliances and Firepower firewall devices.
Via BleepingComputer
You might also like
- Cisco ISE maximum severity flaw lets hackers execute root code
- Take a look at our guide to the best authenticator app
- We've rounded up the best password managers
