48,000 Cisco Firewalls Remain Exposed to Active Zero-Day Attacks, Shadowserver Finds
More than 48,000 Cisco ASA and Firepower Threat Defense (FTD) firewalls remain unpatched against two critical vulnerabilities that are already being exploited in the wild. CVE-2025-20333 is a buffer overflow in the VPN web server that gives remote code execution as root; CVE-2025-20362 is a missing-authorization flaw that lets an unauthenticated remote attacker reach VPN-related URL endpoints that should require a login. On its own, Cisco rates CVE-2025-20333 as requiring valid VPN user credentials, but in the observed attacks the two were chained, so the net effect is unauthenticated remote code execution on the appliance.
On September 25, Cisco disclosed the flaws and confirmed that exploitation had begun before fixed releases were available. There are no workarounds. Until a fixed release is installed, the only interim measures are limiting which source addresses can reach the VPN web services at all and closely monitoring for anomalous logins and unusual or malformed HTTP requests to the VPN endpoints.
According to a Shadowserver Foundation scan on September 29, nearly 49,000 vulnerable devices remain exposed online. The United States accounts for the largest share, with over 19,000 instances. Other heavily impacted regions include the United Kingdom (2,800), Japan (2,300), Germany (2,200), Russia (2,100), Canada (1,500), and Denmark (1,200). These numbers underscore that many administrators have yet to respond to the warnings despite ongoing exploitation attempts.
Evidence suggests the attacks were prepared weeks in advance. GreyNoise observed a surge in scanning for Cisco ASA login portals on September 4, with activity traced back to late August. GreyNoise's research finds that such scanning spikes are followed by the disclosure of a new vulnerability in the targeted product roughly 80% of the time, so this activity fits its early-warning pattern.
The severity of the situation was further confirmed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which issued Emergency Directive 25-03 requiring all federal agencies to inventory their Cisco ASA and FTD appliances within 24 hours, collect and submit memory (core dump) forensics from them, and apply the fixed releases to any device intended for continued use. Appliances that have reached end-of-support must be disconnected from government networks by the end of September.
The UK National Cyber Security Centre (NCSC) also released its analysis of the malware deployed on compromised devices: LINE VIPER, a shellcode loader that runs in memory on the ASA, and RayInitiator, a persistent multi-stage GRUB bootkit that loads LINE VIPER on every boot and so survives reboots and firmware upgrades. The bootkit targets older ASA 5500-X models that lack Secure Boot and a Trust Anchor module, which means a reboot alone does not clean an infected device. This indicates a highly sophisticated campaign with potentially severe consequences for affected networks.
Given that exploitation of CVE-2025-20333 and CVE-2025-20362 has already been under way for more than a week, Cisco urges administrators to apply the fixed releases immediately and to investigate their appliances for signs of compromise. Cisco also reports that the actor disabled logging and deliberately crashed devices to frustrate analysis, so the absence of log evidence is not evidence of absence; an investigation should include memory forensics rather than rely on device logs alone.
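A first step in the audit CISA and Cisco are asking for is comparing each appliance's running release with the fixed release for its train. The following Python is an added example written for this article, not Cisco's tooling or code from the report: it extracts the release from ASA `show version` output in both the `9.18(4)67` form the CLI prints and the `9.18.4.67` form Cisco advisories use, groups devices by train, and returns a verdict per host. The fixed-release table holds deliberately made-up placeholder values to be replaced from Cisco's advisory, the hostnames and `show version` text are constructed, and FTD release strings (which use a different format) are not handled.

```python
"""Check ASA 'show version' output against per-train fixed releases.

Added example for this article; not Cisco tooling. FIXED_PLACEHOLDER holds
made-up thresholds: replace them with the fixed releases listed in Cisco's
advisory (or reported by the Cisco Software Checker) before real use.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]

# 'show version' prints releases as 9.18(4)67; Cisco advisories list them as 9.18.4.67.
PAREN_RE = re.compile(r"\b(\d+)\.(\d+)\((\d+)\)(\d+)?")
DOTTED_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?\b")


def parse_asa_version(text: str) -> Optional[Version]:
    """Return (major, minor, maintenance, interim) from either release notation."""
    m = PAREN_RE.search(text) or DOTTED_RE.search(text)
    if m is None:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())  # type: ignore[return-value]


def version_from_show_version(output: str) -> Optional[Version]:
    """Pull the release from the 'Software Version' line only, so dates and
    IP addresses elsewhere in the output are never mistaken for a release."""
    for line in output.splitlines():
        if "Software Version" in line:
            return parse_asa_version(line.split("Software Version", 1)[1])
    return None


def train_of(v: Version) -> str:
    """ASA release trains are identified by major.minor, e.g. '9.18'."""
    return f"{v[0]}.{v[1]}"


def assess(v: Version, fixed: Dict[str, Version]) -> str:
    """Compare against the fixed release for the same train.

    A train missing from the table has no fixed release recorded; with a real
    advisory that usually means the train is end-of-support and must be migrated."""
    fixed_for_train = fixed.get(train_of(v))
    if fixed_for_train is None:
        return "train-not-in-table"
    return "fixed" if v >= fixed_for_train else "vulnerable"


def audit(inventory: Dict[str, str], fixed: Dict[str, Version]) -> Dict[str, str]:
    """hostname -> verdict for a mapping of hostname -> raw 'show version' output."""
    verdicts: Dict[str, str] = {}
    for host, output in inventory.items():
        v = version_from_show_version(output)
        verdicts[host] = "unparsed" if v is None else assess(v, fixed)
    return verdicts


# PLACEHOLDER values (deliberately not the real fixed releases).
FIXED_PLACEHOLDER: Dict[str, Version] = {
    "9.16": (9, 16, 4, 99),
    "9.18": (9, 18, 4, 99),
    "9.20": (9, 20, 4, 99),
}

# Constructed sample output and hostnames, not captured from real devices.
SAMPLE_INVENTORY = {
    "fw-edge-01": "Cisco Adaptive Security Appliance Software Version 9.18(4)67\n"
                  "Device Manager Version 7.18(1)\nCompiled on Tue 12-Mar-24 10:00 PDT",
    "fw-edge-02": "Cisco Adaptive Security Appliance Software Version 9.18(4)99\n",
    "fw-legacy-03": "Cisco Adaptive Security Appliance Software Version 9.12(4)72\n",
    "fw-unreachable-04": "connection to 192.168.10.4 timed out",
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_INVENTORY, FIXED_PLACEHOLDER).items():
        print(f"{host:20} {verdict}")
```

Reading the release over the CLI is only a patch-level check, not a compromise check: a device that is already running the attacker's code may not report truthfully, which is why ED 25-03 required core dumps to be collected before patching. Treat "train-not-in-table" as a migration task, not a pass.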