Why Are 50,000 Cisco Firewalls Still Vulnerable to Exploits?

I’m thrilled to sit down with Rupert Marais, our in-house security specialist with extensive expertise in endpoint and device security, cybersecurity strategies, and network management. With a deep understanding of the evolving threat landscape, Rupert is the perfect person to shed light on the critical situation surrounding vulnerabilities in Cisco ASA and FTD devices. Today, we’ll dive into the scope of these exposures, the nature of the threats, the response from national security agencies, the sophisticated tactics of the attackers, and the challenges organizations face in securing their networks. Let’s get started.

Can you walk us through the current state of Cisco ASA and FTD devices regarding these vulnerabilities and how many are still exposed to the internet?

Absolutely, the situation is quite concerning. According to the latest data from internet monitoring groups, nearly 50,000 Cisco ASA and FTD devices are still exposed to the internet and potentially vulnerable to exploitation. These are critical pieces of network infrastructure, and having so many out there unprotected is a significant risk for organizations worldwide.

Geographically, where are most of these vulnerable devices located, and why might that matter?

The majority—over 19,000 of these exposed devices—are in the United States. This concentration is noteworthy because the U.S. hosts a vast amount of critical infrastructure and sensitive data, making it a prime target for cyberattacks. Other regions have exposures too, but the sheer volume in the U.S. amplifies the potential impact of any successful exploits.

Let’s talk about the specific vulnerabilities at play here. Can you explain what CVE-2025-20333 and CVE-2025-20362 are and why they’re such a big deal?

Sure, these are two critical vulnerabilities affecting Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices. CVE-2025-20333 has a severity score of 9.9 out of 10, which is almost as bad as it gets, indicating a flaw that can be exploited remotely with no user interaction to gain full control of a device. CVE-2025-20362 scores a 6.5, which is still serious but less severe, often requiring some level of access or interaction to exploit. Together, they pose a massive threat because they’re already being actively exploited by sophisticated attackers.

Speaking of severity scores, how do these ratings of 9.9 and 6.5 help us understand the potential risks to organizations?

Severity scores, based on the CVSS system, give us a standardized way to gauge how dangerous a vulnerability is. A 9.9 score for CVE-2025-20333 means it’s a near-perfect storm—easy to exploit, no privileges needed, and devastating impact if successful, like complete system compromise. The 6.5 score for CVE-2025-20362 suggests a moderate risk, often with some barriers to exploitation, but still a real threat, especially if combined with other attack vectors. For organizations, these scores scream urgency; they’re a clear signal to prioritize patching or mitigation before attackers can capitalize.

Who’s sounding the alarm on these threats, and what kind of response have we seen from national security agencies?

Several national security agencies have stepped up with urgent warnings, including the UK’s National Cyber Security Centre (NCSC), as well as equivalents in Canada, France, and the Netherlands. These agencies are highlighting the severe threat these vulnerabilities pose to organizations, especially those managing critical infrastructure. Their coordinated advisories show how seriously they’re taking this issue on a global scale.

Focusing on the U.S., what specific actions has the Cybersecurity and Infrastructure Security Agency (CISA) taken to address this crisis?

CISA has taken a particularly strong stance by issuing a rare order to all federal civilian executive branch agencies to patch these vulnerabilities within just 24 hours. Normally, they give a three-week window for patching when a bug is added to their Known Exploited Vulnerabilities catalog. This tight deadline, along with their statement that unpatched devices pose an ‘unacceptable risk’ to government systems, underscores the immediate danger they see here.

Why do you think CISA opted for such a short 24-hour patching window instead of the usual timeframe?

I believe CISA’s decision reflects the high likelihood of exploitation and the advanced nature of the attackers already targeting these flaws. When you’ve got evidence of active exploits by sophisticated groups, every hour counts. A 24-hour mandate is their way of forcing immediate action to prevent widespread compromise, especially in government networks where the stakes—think national security and critical services—are incredibly high.

Let’s dive into the attackers behind these exploits. Who are they believed to be, and how do they connect to previous campaigns?

Reports from agencies like the NCSC and CISA point to a group likely tied to the ArcaneDoor campaign, which targeted Cisco products with zero-day exploits earlier in 2024. These attackers are considered highly advanced, probably state-sponsored or similarly resourced, given their ability to weaponize new vulnerabilities so quickly. The connection to ArcaneDoor suggests they’ve got a playbook for hitting Cisco infrastructure and are refining their approach with each attack.

What kind of malware are these attackers deploying, and how does it operate?

They’re using two nasty pieces of malware called RayInitiator and Line Viper. RayInitiator is a bootkit, meaning it embeds itself deep in a device’s boot process to maintain persistent, stealthy access even after reboots or updates. It then paves the way for Line Viper, a shellcode loader that likely executes further malicious commands or deploys additional payloads. This combo is designed to keep attackers in control of compromised systems for as long as possible.

How does the use of a bootkit like RayInitiator indicate a shift in the attackers’ tactics compared to earlier efforts?

The move to a bootkit represents a significant evolution in their tradecraft. Unlike earlier attacks in campaigns like ArcaneDoor, where persistence might have relied on less entrenched methods, a bootkit ensures they’re almost impossible to dislodge without a full system wipe or hardware replacement. It shows they’re prioritizing long-term access and stealth, likely to conduct espionage or prepare for larger-scale disruptions.

Which specific Cisco devices and software versions are at risk from these vulnerabilities?

The affected software versions include Cisco ASA versions 9.12, 9.14, 9.16 to 9.20, and 9.22 to 9.23, as well as ASA and FTD versions 7.0 to 7.4 and 7.6 to 7.7. The hardware primarily targeted includes the 5500-X-series firewalls. These are widely used in enterprise environments, so the scope of potential impact is massive if organizations don’t act swiftly.

What challenges do organizations face when dealing with devices like the 5500-X-series, especially regarding their support status?

One of the biggest headaches is that many of these 5500-X-series devices are either already end-of-life or reaching the end of security update support—some as soon as this year, others by August 2026. When a device is no longer supported, Cisco stops releasing patches for it, leaving organizations with vulnerable hardware that can’t be secured through normal means. This forces tough decisions—either replace the equipment entirely or accept a gaping security hole, neither of which is an easy fix.

What is your forecast for the future of such vulnerabilities in enterprise networking equipment like Cisco’s?

I think we’re going to see a continued uptick in these kinds of vulnerabilities being targeted, especially as attackers get better at exploiting the gap between discovery and patching. With more devices reaching end-of-life and organizations struggling to upgrade due to budget or operational constraints, the attack surface will only grow. On the flip side, I expect vendors like Cisco to push harder for built-in security features and faster patch cycles, but it’ll be a race against increasingly sophisticated threats. The key will be whether enterprises can prioritize proactive security over reactive fixes.
