Full Report
Roughly 50,000 Cisco Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) appliances exposed on the public web are vulnerable to two vulnerabilities actively leveraged by hackers. [...]
Analysis Summary
# Vulnerability: Actively Exploited Remote Code Execution in Cisco ASA/FTD
## CVE Details
- CVE ID: CVE-2025-20333, CVE-2025-20362 (Specific CVSS scores not provided in detail, but severity is implied as critical given CISA directive and active exploitation)
- CVSS Score: Not explicitly provided, but implied High/Critical due to Remote Code Execution and active exploitation.
- CWE: Not specified.
## Affected Systems
- Products: Cisco Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) appliances.
- Versions: Unspecified vulnerable versions; administrators must consult vendor advisories based on their specific deployments.
- Configurations: Appliances exposed on the public web capable of VPN access (likely impacting WebVPN components mentioned in reference links).
## Vulnerability Description
Two distinct vulnerabilities exist in Cisco ASA and FTD appliances that allow for **arbitrary code execution** and **access to restricted URL endpoints** associated with VPN access. Both flaws can be exploited **remotely without authentication**. Active exploitation has been observed, with attackers deploying malware such as 'Line Viper' and the 'RayInitiator' GRUB bootkit following successful exploitation.
## Exploitation
- Status: **Exploited in the wild** (Confirmed by Cisco and CISA alerts).
- Complexity: Implied **Low** as exploitation is remote and unauthenticated.
- Attack Vector: **Network** (Remote, unauthenticated access to exposed appliances).
## Impact
- Confidentiality: High (Potential unauthorized access to restricted URLs and system compromise).
- Integrity: High (Arbitrary code execution allows for system modification and malware installation).
- Availability: High (System compromise by malware like bootkits can lead to denial of service or persistent backdoor access).
## Remediation
### Patches
- Customers are urged to apply Cisco's recommended patches for CVE-2025-20333 and CVE-2025-20362 immediately. (Specific patch versions must be referenced from vendor advisories).
### Workarounds
- **No official workarounds exist** according to the advisory.
- **Temporary hardening steps:**
1. Restrict exposure of the VPN web interface to only necessary networks.
2. Increase logging and monitoring for suspicious VPN logins and crafted HTTP requests.
- For Federal Civilian Executive Branch (FCEB) agencies, ASA devices reaching End of Support (EoS) must be disconnected from the network immediately as per CISA directives.
## Detection
- **Indicators of Compromise (IOCs):** Presence of 'Line Viper' shellcode loader malware or the 'RayInitiator' GRUB bootkit on compromised endpoints.
- **Detection methods and tools:** Increased monitoring for suspicious VPN login activity and malformed/crafted HTTP requests targeting the devices. Organizations should follow CISA's directive to identify any compromised instances.
## References
- Vendor Advisory 1: hxxp://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB
- Vendor Advisory 2: hxxp://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-YROOTUW
- NCSC Malware Analysis Report: hxxps://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/RayInitiator-LINE-VIPER/ncsc-mar-rayinitiator-line-viper.pdf