    AL25-012 – Vulnerabilities impacting Cisco ASA and FTD devices – CVE-2025-20333, CVE-2025-20362 and CVE-2025-20363 – Update 1

    By admin, April 24, 2026


    Number: AL25-012
    Date: September 25, 2025
    Updated: April 23, 2026

    Audience

    This Alert is intended for IT professionals and managers of notified organizations.

    Purpose

    An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security (“Cyber Centre”) is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

    Details

    The Canadian Centre for Cyber Security (Cyber Centre) is aware of exploitation targeting Cisco Adaptive Security Appliance (ASA) 5500-X Series devices that are running Cisco Secure Firewall ASA Software with VPN web services enabled.

    On September 25, 2025, Cisco published security advisories for critical vulnerabilities, CVE-2025-20333, CVE-2025-20362 and CVE-2025-20363, affecting the following ASA and Cisco Secure Firewall Threat Defense (FTD) software release products:

    • Cisco ASA software release 9.12 – versions prior to 9.12.4.72
    • Cisco ASA software release 9.14 – versions prior to 9.14.4.28
    • Cisco ASA software release 9.16 – versions prior to 9.16.4.85
    • Cisco ASA software release 9.17 – versions prior to 9.17.1.45
    • Cisco ASA software release 9.18 – versions prior to 9.18.4.67
    • Cisco ASA software release 9.19 – versions prior to 9.19.1.42
    • Cisco ASA software release 9.20 – versions prior to 9.20.4.10
    • Cisco ASA software release 9.22 – versions prior to 9.22.2.14
    • Cisco ASA software release 9.23 – versions prior to 9.23.1.19
       
    • Cisco FTD software release 7.0 – versions prior to 7.0.8.1
    • Cisco FTD software release 7.1 – all versions
    • Cisco FTD software release 7.2 – versions prior to 7.2.10.2
    • Cisco FTD software release 7.3 – all versions
    • Cisco FTD software release 7.4 – versions prior to 7.4.2.4
    • Cisco FTD software release 7.6 – versions prior to 7.6.2.1
    • Cisco FTD software release 7.7 – versions prior to 7.7.10.1

    For further details on affected versions and available fixed releases, please refer to the following Cisco advisories (Footnote 1, Footnote 2, Footnote 3).

    CVE-2025-20333 is a vulnerability affecting the ASA and FTD software that could allow an authenticated remote threat actor to execute arbitrary code on affected devices (Footnote 1).

    CVE-2025-20362 is a vulnerability affecting the ASA and FTD software that could allow an unauthenticated remote threat actor to access URL endpoints that should otherwise be inaccessible without authentication (Footnote 2).

    CVE-2025-20363 is a vulnerability affecting the ASA, FTD, Cisco IOS, Cisco IOS XE and Cisco IOS XR software that could allow an unauthenticated remote threat actor (ASA and FTD), or an authenticated remote threat actor with low user privileges (Cisco IOS, IOS XE and IOS XR), to execute arbitrary code on affected devices (Footnote 3).

    All of these vulnerabilities are due to improper validation of user-supplied input in HTTP(S) requests.

    In response to these vulnerabilities, the Cyber Centre released AV25-619 on September 25 (Footnote 4).

    Update 1

    On April 23, 2026, Cisco Talos released a blog post (Footnote 8) and Cisco published a security advisory (Footnote 9) identifying a previously unknown persistence method that remains intact even after upgrading to a patched version released in September 2025. The persistence mechanism is embedded in the Cisco Firepower eXtensible Operating System (FXOS) Software base operating system for Cisco Secure Firewall ASA Software and Cisco Secure FTD Software installations on the affected hardware.

    The Cybersecurity and Infrastructure Security Agency (CISA) created the Emergency Directive document V1: ED 25-03: Identify and Mitigate Potential Compromise of Cisco Devices (Footnote 10) and, along with the United Kingdom National Cyber Security Centre (NCSC), published a FIRESTARTER Backdoor Malware Analysis Report (Footnote 11) on April 23, 2026.

    The Cyber Centre recommends organizations review the Cisco advisory, identify if indicators of compromise are present on their devices, and apply the identified workarounds, including reimaging the device to a known fixed version.

    Affected products and versions:

    Secure Firewall ASA Software

    • Cisco ASA software release 9.16 – versions prior to 9.16.4.92
    • Cisco ASA software release 9.18 – versions prior to 9.18.4.135
    • Cisco ASA software release 9.20 – versions prior to 9.20.4.30
    • Cisco ASA software release 9.22 – versions prior to 9.22.3.5
    • Cisco ASA software release 9.23 – versions prior to 9.23.1.195
    • Cisco ASA software release 9.24 – versions prior to 9.24.1.155

    Secure FTD Software

    • Cisco FTD software release 7.0 – versions prior to 7.0.9 Hotfix FZ-7.0.9.1-3
    • Cisco FTD software release 7.2 – versions prior to 7.2.11 Hotfix HI-7.2.11.1-1
    • Cisco FTD software release 7.4 – versions prior to 7.4.7
    • Cisco FTD software release 7.6 – versions prior to 7.6.4 Hotfix CC-7.6.4.1-1
    • Cisco FTD software release 7.7 – versions prior to 7.7.11 Hotfix AE-7.7.11.1-4
    • Cisco FTD software release 10 – versions prior to 10.0.0 Hot Fix (Target 4/30/2026)

    Firepower 4100 and 9300 Security Appliance

    • Cisco Firepower 4100 and 9300 Security Appliance 2.10 – versions prior to 2.10.1.383
    • Cisco Firepower 4100 and 9300 Security Appliance 2.12 – versions prior to 2.12.1.117
    • Cisco Firepower 4100 and 9300 Security Appliance 2.14 – versions prior to 2.14.3.125
    • Cisco Firepower 4100 and 9300 Security Appliance 2.16 – versions prior to 2.16.2.119
    • Cisco Firepower 4100 and 9300 Security Appliance 2.17 – versions prior to 2.17.0.549
    • Cisco Firepower 4100 and 9300 Security Appliance 2.18 – versions prior to 2.18.0.535
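
    The following is an added example, not part of the Cyber Centre alert or any Cisco tooling: a small inventory check that compares an ASA version against both the September 2025 list and the Update 1 list above, since a device fixed for the original CVEs can still be prior to the Update 1 fixed release. It covers ASA only, the function names are hypothetical, and it assumes devices may report versions in the parenthesised form `9.16(4)85` as well as the dotted form used in this alert.

```python
import re

# Fixed-release thresholds for ASA, copied from the two lists in this alert.
SEPT_2025 = {
    "9.12": "9.12.4.72", "9.14": "9.14.4.28", "9.16": "9.16.4.85",
    "9.17": "9.17.1.45", "9.18": "9.18.4.67", "9.19": "9.19.1.42",
    "9.20": "9.20.4.10", "9.22": "9.22.2.14", "9.23": "9.23.1.19",
}
UPDATE_1 = {
    "9.16": "9.16.4.92", "9.18": "9.18.4.135", "9.20": "9.20.4.30",
    "9.22": "9.22.3.5", "9.23": "9.23.1.195", "9.24": "9.24.1.155",
}

def parse_version(text):
    """Parse '9.16.4.85' or '9.16(4)85' (assumed device form) into a 4-tuple of ints."""
    norm = text.strip().replace("(", ".").replace(")", ".").strip(".")
    if not re.fullmatch(r"\d+(\.\d+){1,3}", norm):
        raise ValueError(f"unrecognised ASA version: {text!r}")
    parts = [int(p) for p in norm.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def check(version, table):
    """Return 'prior', 'fixed', or 'unlisted' when the alert's list omits the train."""
    v = parse_version(version)
    fixed = table.get(f"{v[0]}.{v[1]}")
    if fixed is None:
        return "unlisted"  # not covered by this list; consult the Cisco advisory
    # Compare numerically: as strings, "67" would sort after "135".
    return "prior" if v < parse_version(fixed) else "fixed"

def assess(version):
    """Status of one ASA version against both lists in the alert."""
    return {"sept_2025": check(version, SEPT_2025),
            "update_1": check(version, UPDATE_1)}

if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are made up for illustration.
    inventory = {"fw-edge-01": "9.16(4)85", "fw-edge-02": "9.18.4.135",
                 "fw-lab-01": "9.12(4)72", "fw-dc-01": "9.23(1)19"}
    for host, ver in inventory.items():
        print(host, ver, assess(ver))
```

    A result of "unlisted" means only that this alert's list does not name that release train; it is not a statement that the release is unaffected.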

    End of Update 1

    Suggested actions

    The Cyber Centre strongly recommends that organizations running Cisco ASA and FTD products upgrade to a fixed release software version (Footnote 5).

    Organizations upgrading an ASA 5500-X Series model to 9.12.4.72 or 9.14.4.28 should refer to Cisco’s Bootloader and/or ROMMON Verification Failure procedures (Footnote 6). If the “firmware-update.log” file is found on “disk0:” after upgrading to a fixed release, organizations are encouraged to preserve the log file and notify the Cyber Centre using the contact information below. Instructions regarding transfer of the log file will be provided as part of the follow-up engagement.

    In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre’s Top 10 IT Security Actions (Footnote 7).

    If activity matching the content of this alert is discovered, recipients are encouraged to report via the My Cyber Portal, or email contact@cyber.gc.ca.

    References

    Footnote 1: Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software VPN Web Server Remote Code Execution Vulnerability

    Footnote 2: Cisco Secure Firewall Adaptive Security Appliance, Secure Firewall Threat Defense Software, IOS Software, IOS XE Software and IOS XR Software HTTP Server Remote Code Execution Vulnerability

    Footnote 3: Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software VPN Web Server Unauthorized Access Vulnerability

    Footnote 4: AV25-619 Cisco Security Advisory

    Footnote 5: Cisco Event Response: Continued Attacks Against Cisco Firewalls

    Footnote 6: Detection Guide for Continued Attacks against Cisco Firewalls by the Threat Actor behind ArcaneDoor

    Footnote 7: Top 10 IT security actions to protect Internet connected networks and information (ITSM.10.089)

    Footnote 8: UAT-4356’s Targeting of Cisco Firepower Devices

    Footnote 9: Continued Evolution of Persistence Mechanism Against Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense

    Footnote 10: V1: ED 25-03: Identify and Mitigate Potential Compromise of Cisco Devices

    Footnote 11: CISA – Malware Analysis Report – FIRESTARTER Backdoor


