Roughly 48,800 Cisco Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) appliances exposed on the public web are vulnerable to two vulnerabilities actively leveraged by hackers.
The flaws, tracked as CVE-2025-20333 and CVE-2025-20362, enable arbitrary code execution and access to restricted URL endpoints associated with VPN access. Both security issues can be exploited remotely without authentication.
On September 25, Cisco warned that the issues were actively exploited in attacks that started before patches were available to customers.
No workarounds exist for either flaw, but temporary hardening steps could include restricting VPN web interface exposure and increasing logging and monitoring for suspicious VPN logins and crafted HTTP requests.
Today, threat monitoring service The Shadowserver Foundation reports that its scans discovered 48,800 internet-exposed ASA and FTD instances that are still vulnerable to CVE-2025-20333 and CVE-2025-20362.
Most of the IPs are located in the United States (more than 19,200 endpoints), followed by the United Kingdom (2,800), Japan (2,300), Germany (2,200), Russia (2,100), Canada (1,500), and Denmark (1,200).
Global exposure of unpatched Cisco ASA/FTD devices
Source: The Shadowserver Foundation
These figures are as of yesterday, September 29, indicating a lack of appropriate response to the ongoing exploitation activity, as well as previous warnings.
Notably, Greynoise had warned on September 4 about suspicious scans that occurred as early as late August, targeting Cisco ASA devices. In 80% of the cases, these scans are an indication of upcoming undocumented flaws in the targeted products.
... continue reading