Full Report
Cisco warned this week that two vulnerabilities, which have been exploited in zero-day attacks, are now being abused to force ASA and FTD firewalls into reboot loops. [...]
Analysis Summary
This summary focuses on the two vulnerabilities chained together that are now being exploited for DoS attacks, as detailed in the provided context.
# Vulnerability: Cisco ASA/FTD Firewall DoS via Chained Exploitation (CVE-2025-20362 & CVE-2025-20333)
## CVE Details
- **CVE ID:** CVE-2025-20362 and CVE-2025-20333 (Chained)
- **CVSS Score:** Not explicitly provided for the chain or the new DoS variant, but the underlying flaws were critical/high given the RCE potential.
- **CWE:** Not explicitly provided.
## Affected Systems
- **Products:** Cisco Secure Firewall ASA Software and Cisco Secure FTD Software (Devices running these with VPN web services enabled were initially targeted).
- **Versions:** Unpatched releases prior to the September 25 fixes. (Note: Specific version numbers are omitted in the source but patching resolves the issue).
- **Configurations:** Devices running Cisco ASA 5500-X devices with VPN web services enabled (for initial access vector).
## Vulnerability Description
The DoS condition is a *new* variant of abuse targeting devices already vulnerable to two previously disclosed flaws (patched September 25):
1. **CVE-2025-20362:** Allows remote threat actors to access restricted URL endpoints without authentication.
2. **CVE-2025-20333:** Allows authenticated attackers to gain Remote Code Execution (RCE).
When chained, these two vulnerabilities previously allowed unauthenticated attackers to gain complete control. The new attack variant exploits these same underlying weaknesses to cause unpatched devices to unexpectedly reload, resulting in a Denial of Service (DoS) condition (reboot loop).
## Exploitation
- **Status:** Exploited in the wild (Zero-day attacks initially; now being abused for DoS).
- **Complexity:** Low (Initial access using CVE-2025-20362 does not require complex authentication).
- **Attack Vector:** Network (Remote, unauthenticated for the full chain exploitation).
## Impact
- **Confidentiality:** High (When chained prior to DoS exploitation).
- **Integrity:** High (When chained prior to DoS exploitation, enabling RCE).
- **Availability:** High (Confirmed impact via the latest DoS attack variant, causing unexpected reloads/reboot loops).
## Remediation
### Patches
- Cisco released security updates on **September 25** to address the underlying flaws (CVE-2025-20362 and CVE-2025-20333). Customers are strongly urged to apply all relevant software fixes outlined in the original advisories.
### Workarounds
- **Mandate specific to EoS devices (from CISA directive):** Disconnect ASA devices reaching End of Support (EoS) from federal organization networks. (No other specific temporary mitigations listed for the DoS variant in this text).
## Detection
- **Indicators of Compromise:** Devices unexpectedly reloading or entering reboot loops.
- **Detection methods and tools:** Monitoring firewall logs for activity leveraging the endpoints related to CVE-2025-20362. Shadowserver is tracking vulnerable internet-exposed instances related to these CVE pairs.
## References
- Cisco Security Advisories released on September 25 (for underlying flaws).
- CISA Emergency Directive issued September 25.
- Vendor Advisory detailing new DoS variant (dated November 5, 2025, mentioned in the article).