Cisco Firewall DoS Attack: How CVE-2025-20333 & CVE-2025-20362 Disrupted Critical Networks
Executive Summary
In November 2025, Cisco disclosed a vulnerability exploitation campaign targeting its Secure Firewall ASA and Threat Defense (FTD) devices. Threat actors actively weaponized two zero-day vulnerabilities, CVE-2025-20333 and CVE-2025-20362, to force vulnerable appliances to unexpectedly reload, resulting in denial-of-service (DoS) conditions that disrupted network operations. Affected organizations saw service disruptions, increased operational risk, and potential visibility gaps, especially where patch management or segmentation was lacking. Cisco responded by recommending immediate updates, enhanced monitoring, and deployment of compensating security controls until all devices are patched.
This incident underscores a continuing trend of attackers rapidly exploiting unpatched firewall vulnerabilities, threatening the network perimeter’s reliability. The rise in sophisticated DoS tactics against infrastructure devices points to an urgent need for proactive patching, segmentation, and visibility into both perimeter and east-west traffic.
Why This Matters Now
Organizations rely on firewalls as critical infrastructure for boundary defense and segmentation. Unpatched Cisco devices are currently under active attack using new DoS exploit techniques, making immediate remediation essential to prevent network outages and operational downtime.
Attack Path Analysis
The attacker exploited unpatched Cisco ASA/FTD devices by leveraging CVE-2025-20333 and CVE-2025-20362 to gain initial device access. There is no clear evidence of privilege escalation or lateral movement, but it's plausible in a sophisticated environment that the attacker could attempt to pivot or exploit internal networks after access. Command and control efforts might have involved attempts to establish persistent channels or external callbacks, though these were not directly described. No data exfiltration has been reported, likely due to the Denial of Service objective. The primary impact was device reloads, causing outages and disrupting firewall and network availability.
Kill Chain Progression
Initial Compromise
Description
Adversary exploited unpatched Cisco ASA/FTD firewall via CVE-2025-20333 and CVE-2025-20362 to gain direct access to network perimeter devices.
Related CVEs
CVE-2025-20333
CVSS 9.9A vulnerability in the VPN web server of Cisco Secure Firewall ASA and FTD Software allows an authenticated, remote attacker to execute arbitrary code on an affected device.
Affected Products:
Cisco Secure Firewall Adaptive Security Appliance (ASA) Software – Affected versions prior to fixed releases
Cisco Secure Firewall Threat Defense (FTD) Software – Affected versions prior to fixed releases
Exploit Status:
exploited in the wildCVE-2025-20362
CVSS 8.6A vulnerability in the VPN web server of Cisco Secure Firewall ASA and FTD Software allows an unauthenticated, remote attacker to access restricted URL endpoints related to remote access VPN.
Affected Products:
Cisco Secure Firewall Adaptive Security Appliance (ASA) Software – Affected versions prior to fixed releases
Cisco Secure Firewall Threat Defense (FTD) Software – Affected versions prior to fixed releases
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Endpoint Denial of Service
Exploitation of Remote Services
Exploit Public-Facing Application
Network Denial of Service
Acquire Infrastructure: Web Services
Command and Scripting Interpreter
Impair Defenses: Disable or Modify Tools
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of Public-Facing Applications
Control ID: 6.3.1
NYDFS 23 NYCRR 500 – Penetration Testing and Vulnerability Assessments
Control ID: 500.05
DORA – ICT Risk Management
Control ID: Art. 8
CISA ZTMM 2.0 – Continuous Vulnerability Assessment and Patch Management
Control ID: 5.2
NIS2 Directive – Security in Network and Information Systems
Control ID: Art. 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Cisco firewall vulnerabilities causing denial-of-service attacks threaten financial transaction systems, requiring immediate patching to maintain regulatory compliance and operational continuity.
Health Care / Life Sciences
Critical healthcare infrastructure faces severe disruption from Cisco ASA/FTD firewall exploits, potentially compromising patient data access and medical device connectivity.
Government Administration
Government networks using vulnerable Cisco security appliances risk service interruption and compromise of critical public services through targeted denial-of-service attacks.
Telecommunications
Telecom providers utilizing Cisco firewalls face network segmentation failures and service outages, impacting customer communications and network security infrastructure integrity.
Sources
- Cisco Warns of New Firewall Attack Exploiting CVE-2025-20333 and CVE-2025-20362https://thehackernews.com/2025/11/cisco-warns-of-new-firewall-attack.htmlVerified
- Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Remote Code Execution Vulnerabilityhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUBVerified
- Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Missing Authorization Vulnerabilityhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-YROOTUWVerified
- Cisco Event Response: Continued Attacks Against Cisco Firewallshttps://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacksVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Distributed Zero Trust controls—including network segmentation, inline threat detection, and resilient hybrid connectivity—could have minimized attack surface of exposed firewalls, contained blast radius, and provided rapid detection and response capabilities to limit device-level disruption and broader service outages.
Control: Cloud Firewall (ACF)
Mitigation: Limits direct perimeter exposure and enables signature-based block on known exploits.
Control: Zero Trust Segmentation
Mitigation: Restricts unauthorized access and lateral movement across network and workloads.
Control: East-West Traffic Security
Mitigation: Monitors and blocks anomalous lateral movement attempts within and across network segments.
Control: Inline IPS (Suricata)
Mitigation: Detects and blocks suspicious outbound connections and C2 activity.
Control: Egress Security & Policy Enforcement
Mitigation: Enforces strict controls on outbound traffic to untrusted destinations.
Maintains connectivity and resilience despite firewall outages.
Impact at a Glance
Affected Business Functions
- Network Security Operations
- Remote Access Services
Estimated downtime: 3 days
Estimated loss: $500,000
Potential unauthorized access to sensitive network configurations and user credentials.
Recommended Actions
Key Takeaways & Next Steps
- • Immediately patch all Cisco ASA/FTD devices to remediate CVE-2025-20333 and CVE-2025-20362 vulnerabilities.
- • Deploy Zero Trust Segmentation and East-West Traffic Security to contain blast radius of perimeter device compromise.
- • Implement Cloud Firewalls and Inline IPS to actively monitor and block exploit attempts at the perimeter.
- • Enforce centralized egress policy controls to reduce risk of C2 and exfiltration through compromised devices.
- • Architect for hybrid resilience with encrypted failover connectivity to minimize business impact from perimeter disruptions.
