
Act Now! ACSC, CISA warn of active exploitation of Cisco firewalls

Aussie cyber agency warns of “targeting of multiple vulnerabilities within Australia” as Cisco says active exploitation underway.

Technology giant Cisco disclosed a suite of vulnerabilities in its firewall devices, warning that active exploitation is underway and catching the attention of cyber security agencies around the world.

Both the US Cybersecurity & Infrastructure Security Agency and the Australian Signals Directorate’s Australian Cyber Security Centre are warning of the potential compromise of the impacted devices, with the ACSC saying that Australian organisations were already coming under fire.

“ASD’s ACSC is aware of targeting of multiple vulnerabilities within Australia impacting Cisco ASA 5500-X Series models, that are running Cisco ASA Software or FTD software,” the ACSC said in a September 25 Critical Alert.

Meanwhile, CISA has issued an Emergency Directive calling on all US federal agencies to immediately identify all instances of Cisco ASA and Cisco Firepower devices, and to collect memory data from those devices to be sent to CISA for immediate forensic analysis.

Cisco has disclosed three vulnerabilities, two rated Critical and one Medium.

CVE-2025-20333 is a Critical vulnerability in the VPN web server of both Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software. This bug could allow an attacker, once authenticated, to execute arbitrary code remotely.

CVE-2025-20363 is another Critical vulnerability in the same software, but also impacting Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software. Exploiting this vulnerability could lead to the same outcome as above.

Finally, CVE-2025-20362 is a Medium vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance Software and Cisco Secure Firewall Threat Defense Software that could allow a remote threat actor to access restricted URL endpoints.

Cisco has said it has seen evidence of threat actors modifying ROM Monitor (ROMMON), the device's low-level boot firmware, to maintain persistence across reboots.

“During our forensic analysis of confirmed compromised devices, in some cases, Cisco has observed the threat actor modifying ROMMON to allow for persistence across reboots and software upgrades,” Cisco said in its September 25 disclosure.

“These modifications have been observed only on Cisco ASA 5500-X Series platforms that were released prior to the development of Secure Boot and Trust Anchor technologies; no CVE will be assigned to the lack of Secure Boot and Trust Anchor technology support on these platforms. Cisco has not observed successful compromise, malware implantation, or the existence of a persistence mechanism on platforms that support Secure Boot and Trust Anchors.”

Analysts at cyber security firm Rapid7, however, have warned that two of the vulnerabilities may be chained together for even greater impact.

"The Cisco advisory for CVE-2025-20333 states that the vulnerability is authenticated, requiring valid VPN user credentials. However, CISA’s KEV entry for CVE-2025-20333 explicitly states that it can be chained with the missing authorisation vulnerability CVE-2025-20362, which is unauthenticated," Rapid7 said in a blog post.

"As such, it would be reasonable to assume that it’s possible to exploit CVE-2025-20333 without credentials by chaining it with CVE-2025-20362."

The following Cisco ASA 5500-X Series models are impacted and have been successfully compromised:

5512-X and 5515-X – Last Date of Support: August 31, 2022
5525-X, 5545-X, and 5555-X – Last Date of Support: September 30, 2025
5585-X – Last Date of Support: May 31, 2023

The ACSC recommends that all Australian organisations using the impacted devices follow Cisco’s advice and upgrade supported devices as soon as possible.

You can learn more about these vulnerabilities and Cisco’s remediation advice here.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.