Multiple vulnerabilities affecting Cisco ASA devices

11:30am, 26 September 2025

TLP Rating: Clear

The NCSC is aware of reports of active exploitation of these devices.

Further information about detecting possible compromise of these devices is included below.

  • CVE-2025-20333 (CVSS 9.9): A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.
  • CVE-2025-20363 (CVSS 9.0): A vulnerability in the web services of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software, Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an unauthenticated, remote attacker (Cisco ASA and FTD Software) or authenticated, remote attacker (Cisco IOS, IOS XE, and IOS XR Software) with low user privileges to execute arbitrary code on an affected device.
  • CVE-2025-20362 (CVSS 6.5): A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to access restricted URL endpoints that should otherwise be inaccessible without authentication.

What's happening

Systems affected

The following software versions are affected by the vulnerabilities:
  • Cisco ASA Software releases 9.12 to 9.23
  • Cisco FTD Software releases 7.0 to 7.7
The Cisco advisory also mentions several end-of-life Cisco ASA 5500-X models that are now or soon will be out of support.
Organisations using these devices should migrate to supported options as soon as possible.

What to look for

How to tell if you're at risk

The NCSC is aware of attacks leveraging the above vulnerabilities and recommends that organisations that upgraded a Cisco ASA 5512-X, 5515-X, 5525-X, 5545-X, or 5555-X device to Cisco ASA Software Release 9.12.4.72 or 9.14.4.28 assess for signs of compromise.

How to tell if you're affected

Signs of compromise to look for are:

  • During the initial boot following the upgrade, look for the messages Bootloader verification failed at address and/or ROMMON verification failed at address.
  • If either message appears, a file called firmware_update.log would be written to disk0; check disk0 for its presence.

The presence of the above messages or file could indicate that the persistence mechanism observed in this attack campaign was present on the device prior to the upgrade to Cisco ASA Software Release 9.12.4.72 or 9.14.4.28.

Note: if firmware_update.log is written to disk0 the device will be rebooted to load a clean system immediately after upgrade.
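The two checks above can be run against a saved console capture from the post-upgrade boot and a saved `dir disk0:` listing. The helper below is an added example written for this alert, not NCSC or Cisco tooling; the console lines and directory listing embedded in it are constructed samples, and it assumes each entry in the listing ends with the filename.

```python
import re

# Boot-time messages named in the alert. The page gives no address value,
# so the pattern captures whatever follows "address" (possibly nothing).
INDICATOR_PATTERNS = {
    "bootloader": re.compile(r"Bootloader verification failed at address\s*(\S*)"),
    "rommon": re.compile(r"ROMMON verification failed at address\s*(\S*)"),
}
INDICATOR_FILE = "firmware_update.log"


def scan_console_log(console_text: str) -> dict:
    """Map each alert message to the list of addresses it was reported at
    (empty list when the message does not appear in the capture)."""
    found = {name: [] for name in INDICATOR_PATTERNS}
    for line in console_text.splitlines():
        for name, pattern in INDICATOR_PATTERNS.items():
            match = pattern.search(line)
            if match:
                found[name].append(match.group(1) or "<no address captured>")
    return found


def disk0_has_indicator_file(dir_listing: str) -> bool:
    """Return True if a saved 'dir disk0:' listing contains firmware_update.log.
    Assumption: the filename is the last whitespace-separated field of an entry."""
    for line in dir_listing.splitlines():
        fields = line.split()
        if fields and fields[-1].lower() == INDICATOR_FILE:
            return True
    return False


def assess(console_text: str, dir_listing: str) -> dict:
    """Combine both checks; either indicator alone warrants further investigation."""
    messages = scan_console_log(console_text)
    log_present = disk0_has_indicator_file(dir_listing)
    suspicious = log_present or any(messages.values())
    return {"messages": messages, "firmware_update_log": log_present, "suspicious": suspicious}


# Constructed sample input (not real device output) for a stand-alone run.
SAMPLE_CONSOLE = "Booting system, please wait...\nROMMON verification failed at address 0x00000000\nLoading disk0:/asa-image.bin...\n"
SAMPLE_DIR = "Directory of disk0:/\n  10  -rwx  123456  12:00:00 Sep 26 2025  firmware_update.log\n  11  -rwx  987654  12:00:00 Sep 26 2025  asa-image.bin\n"

if __name__ == "__main__":
    print(assess(SAMPLE_CONSOLE, SAMPLE_DIR))
```

A result with `suspicious` set to True should be treated as a prompt to assess the device for compromise, not as proof on its own.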

More information

The NCSC also encourages organisations to review the vendor detection guide for more information.

Our NCSC-UK partners have published a detailed malware analysis report based on the likely exploitation of these devices.

If your organisation identifies any sign of compromise, please report it to us.