Cisco Firewalls Under Siege: 2024 Zero-Day Flaws Trigger DoS Attacks on ASA & FTD
Executive Summary
In June 2024, Cisco disclosed that two actively exploited zero-day vulnerabilities in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls were being weaponized in the wild. Attackers leveraged these flaws (CVE-2024-20353 and CVE-2024-20359) to trigger repeated reboot loops, effectively causing Denial-of-Service (DoS) on critical network perimeter defenses. Initial exploitation began as targeted zero-days, but attackers quickly adopted the flaws in larger campaigns, dramatically impacting the availability and security of organizations relying on Cisco ASA or FTD devices.
The incident underscores a growing trend of targeting infrastructure security devices as a primary attack vector, especially given the rise of ransomware actors and APT groups seeking disruption over data theft. Exploitation of device vulnerabilities for DoS attacks highlights the heightened urgency for rapid patching and robust segmentation in modern enterprise environments.
Why This Matters Now
The ongoing exploitation of Cisco's firewall vulnerabilities illustrates how attackers are shifting tactics toward critical infrastructure disruption, not just data exfiltration. With these widely used firewalls under active attack and exploitation techniques evolving rapidly, organizations must accelerate patch management and reassess their perimeter defense strategies immediately.
Attack Path Analysis
Attackers exploited zero-day vulnerabilities in exposed Cisco ASA and FTD firewalls to gain initial access, circumventing perimeter defenses. Following the compromise, the adversaries leveraged the appliance privileges but did not escalate significantly due to the nature of the device. Lateral movement was minimally involved, as the focus was on inducing disruptive states in the target firewall rather than infiltrating deeper into the network. The attackers established command and control through crafted network packets targeting firewall management interfaces. Exfiltration was not the primary goal; instead, the attackers sought to deny service by crashing or rebooting the firewalls. The campaign culminated in repeated denial-of-service, causing large-scale disruption and loss of network availability.
Kill Chain Progression
Initial Compromise
Description
Adversaries exploited zero-day flaws in Internet-exposed Cisco ASA and FTD firewall appliances, enabling remote access to system processes.
Related CVEs
CVE-2025-20333
CVSS 9.9A buffer overflow vulnerability in the webvpn component of Cisco ASA and FTD software allows an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition.
Affected Products:
Cisco Adaptive Security Appliance (ASA) – 9.8.x through 9.20.1
Cisco Firepower Threat Defense (FTD) – 6.2.2 through 7.4.1.1
Exploit Status:
exploited in the wildCVE-2025-20362
CVSS 6.5A vulnerability in the webvpn component of Cisco ASA and FTD software allows an unauthenticated, remote attacker to bypass authentication and execute arbitrary code.
Affected Products:
Cisco Adaptive Security Appliance (ASA) – 9.8.x through 9.20.1
Cisco Firepower Threat Defense (FTD) – 6.2.2 through 7.4.1.1
Exploit Status:
exploited in the wildCVE-2024-20359
CVSS 6A vulnerability in a legacy capability of Cisco ASA and FTD software allows an authenticated, local attacker to execute arbitrary code with root-level privileges.
Affected Products:
Cisco Adaptive Security Appliance (ASA) – 9.4.4.34, 9.6.4.25, 9.8.4, 9.9.2.50, 9.10.1.17
Cisco Firepower Threat Defense (FTD) – 6.2.3.12, 6.3.0.3
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Endpoint Denial of Service
Data Manipulation
Exploit Public-Facing Application
Access Token Manipulation
Service Stop
Hardware Additions
Network Denial of Service
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of system components vulnerable to known attacks
Control ID: 6.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management
Control ID: Article 10
CISA ZTMM 2.0 – Patch Vulnerable Infrastructure Devices
Control ID: Infrastructure: Devices – 4.12
NIS2 Directive – Security of Network and Information Systems
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Cisco firewall DoS attacks threaten critical infrastructure protection, potentially disrupting encrypted traffic capabilities and zero trust segmentation required for PCI compliance.
Health Care / Life Sciences
ASA/FTD firewall vulnerabilities expose patient data protection systems, compromising HIPAA-mandated encrypted traffic and east-west traffic security for medical networks.
Government Administration
Infrastructure attacks on Cisco firewalls create significant national security risks, potentially compromising secure hybrid connectivity and threat detection capabilities for government networks.
Telecommunications
Firewall reboot loops from exploited vulnerabilities threaten service availability and multicloud visibility, potentially disrupting critical communications infrastructure and egress security controls.
Sources
- Cisco: Actively exploited firewall flaws now abused for DoS attackshttps://www.bleepingcomputer.com/news/security/cisco-actively-exploited-firewall-flaws-now-abused-for-dos-attacks/Verified
- Cisco Event Response: Continued Attacks Against Cisco Firewallshttps://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacksVerified
- Cisco Warns of Hackers Actively Exploiting ASA and FTD 0-day RCE Vulnerability in the Wildhttps://cybersecuritynews.com/cisco-asa-and-ftd-0-day-rce-vulnerability/Verified
- Cisco Warns of Active Exploitation of ASA and FTD 0-Day Vulnerabilityhttps://www.esecurityplanet.com/threats/cisco-warns-of-active-exploitation-of-asa-and-ftd-0-day-vulnerability/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Zero Trust segmentation, granular east-west isolation, and inline IPS controls would have reduced the attack surface, detected abnormal traffic targeting the firewall, and restricted the ability for attackers to repeatedly disrupt firewall operations. Enhanced visibility, coupled with automated policy enforcement, could have identified and blocked malicious traffic patterns at multiple stages.
Control: Zero Trust Segmentation
Mitigation: Restricted external network access to only legitimate sources, reducing exposure.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Detections of unusual privilege or system manipulations on appliances.
Control: East-West Traffic Security
Mitigation: Prevented unauthorized workload-to-workload communication from appliance segments.
Control: Inline IPS (Suricata)
Mitigation: Detection and blocking of known malicious exploit traffic patterns.
Control: Egress Security & Policy Enforcement
Mitigation: Prevented unauthorized data flows to external destinations.
Immediate anomaly detection and response to device outages.
Impact at a Glance
Affected Business Functions
- Network Security
- Remote Access Services
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive network configurations and user credentials due to unauthorized access and code execution on affected devices.
Recommended Actions
Key Takeaways & Next Steps
- • Harden perimeter appliances with Zero Trust segmentation to eliminate unnecessary external access.
- • Deploy inline IPS (e.g., Suricata) for real-time detection and blocking of exploit traffic targeting critical infrastructure.
- • Enforce strict east-west controls and microsegmentation to prevent any lateral movement from compromised devices.
- • Implement centralized visibility and anomaly detection across multicloud and hybrid environments to enable rapid identification of outages.
- • Review and routinely test egress policy enforcement to prevent data exposure and limit attack impact during appliance-level compromise.
