Critical Cisco Bugs Result in Thousands of Potentially Compromised Organizations
Three vulnerabilities have been identified in the VPN and web service components of Cisco devices, enabling attackers to implant malware, execute commands, and potentially exfiltrate data from compromised devices.


Incident Summary
- In late September 2025, Cisco disclosed three serious vulnerabilities affecting the VPN/web service components of its security and networking products (ASA, FTD, IOS, IOS XE, IOS XR).1
- Two of those (CVE‑2025‑20333 and CVE‑2025‑20362) are known to be actively exploited in the wild and have been added to CISA's Known Exploited Vulnerabilities (KEV) catalog.2
- The third (CVE‑2025‑20363) is a remote code execution vulnerability in the web service with a broader scope, covering ASA/FTD as well as the IOS, IOS XE and IOS XR platforms. It is rated critical, although exploitation of it has not yet been observed.
- The impact is high: full device compromise, persistence, pivoting to other internal systems, and data exfiltration.
- Mitigation must be fast: upgrade to the fixed software releases, conduct forensic/compromise assessments, tighten monitoring, and limit exposure of the vulnerable services.
Table 1 - CVE Breakdown
Shadowserver and other scanning bodies have already enumerated tens of thousands of publicly reachable ASA/FTD instances vulnerable to the pair (CVE‑2025‑20333 and CVE‑2025‑20362). Cybersecurity researcher Kevin Beaumont has likewise published recent findings related to these vulnerabilities.3
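The first two mitigation steps above (upgrade to the fixed releases, then assess unpatched devices for compromise) start with an inventory triage. The script below is an added example written for this report; it is not Anomali's or Cisco's code. It assumes Cisco's usual advisory layout of one "first fixed release" per release train (with end-of-life trains marked as "migrate to a fixed release"), compares each device's running version against that map, and orders the results so that internet-exposed, unfixed WebVPN endpoints come first. The version numbers in `FIXED_BY_TRAIN`, the inventory rows, and the column names are constructed placeholders: substitute the real first-fixed releases from the Cisco advisories linked at the end of this report.

```python
"""Triage a Cisco ASA/FTD inventory against per-train fixed releases.

Added example, not Anomali's or Cisco's code. All version numbers below are
PLACEHOLDERS; take the real first-fixed releases from the Cisco advisories.
"""
import csv
import io
import re

# Constructed placeholder map: release train (major.minor) -> first fixed
# release in that train. None means the train has no fix and the device must
# migrate to a fixed train (Cisco lists such trains as "migrate to a fixed
# release"). These are NOT Cisco's real fixed versions.
FIXED_BY_TRAIN = {
    "9.16": "9.16.4.99",
    "9.18": "9.18.4.99",
    "9.20": "9.20.4.99",
    "9.22": "9.22.2.99",
    "9.12": None,
}

# The two CVEs the report says are in CISA KEV (CVE-2025-20363 is not, yet).
KEV_CVES = ("CVE-2025-20333", "CVE-2025-20362")

# Constructed sample inventory, e.g. a CMDB export or collected "show version".
INVENTORY_CSV = """hostname,platform,version,webvpn_exposed
fw-edge-01,ASA,9.16.4.57,yes
fw-edge-02,ASA,9.18.4.101,yes
fw-dc-01,FTD,9.20.3.12,no
fw-branch-07,ASA,9.12.4.67,yes
fw-lab-01,ASA,9.22.2.101,no
fw-bad-01,ASA,not-a-version,yes
"""


def parse_version(v):
    """'9.16.4.57' -> (9, 16, 4, 57); None if not dotted integers."""
    if not re.fullmatch(r"\d+(\.\d+)*", v.strip()):
        return None
    return tuple(int(p) for p in v.strip().split("."))


def assess(version, fixed_by_train=FIXED_BY_TRAIN):
    """Classify one running version: 'fixed', 'upgrade', 'migrate' or 'unknown'."""
    vt = parse_version(version)
    if vt is None or len(vt) < 2:
        return "unknown", "unparseable version; verify on the device"
    train = f"{vt[0]}.{vt[1]}"
    if train not in fixed_by_train:
        return "unknown", f"train {train} not in fixed-release map; check advisory"
    fixed = fixed_by_train[train]
    if fixed is None:
        return "migrate", f"train {train} has no fix; migrate to a fixed train"
    ft = parse_version(fixed)
    # Right-pad with zeros so 9.16.5 compares correctly against 9.16.4.99.
    width = max(len(vt), len(ft))
    if vt + (0,) * (width - len(vt)) >= ft + (0,) * (width - len(ft)):
        return "fixed", f"{version} >= {fixed}"
    return "upgrade", f"upgrade to {fixed} or later"


def triage(inventory_csv=INVENTORY_CSV, fixed_by_train=FIXED_BY_TRAIN):
    """Return devices needing action, most urgent first.

    Ordering: internet-exposed WebVPN before internal, then migrate > upgrade >
    unknown, then hostname. An exposed, unfixed device is flagged
    presume_compromised because the KEV CVEs were exploited before disclosure.
    """
    rows = []
    for r in csv.DictReader(io.StringIO(inventory_csv)):
        status, detail = assess(r["version"], fixed_by_train)
        exposed = r["webvpn_exposed"].strip().lower() == "yes"
        rows.append({
            **r,
            "status": status,
            "detail": detail,
            "exposed": exposed,
            "presume_compromised": exposed and status in ("upgrade", "migrate"),
            "kev_cves": KEV_CVES if status != "fixed" else (),
        })
    order = {"migrate": 0, "upgrade": 1, "unknown": 2}
    todo = [r for r in rows if r["status"] != "fixed"]
    todo.sort(key=lambda r: (not r["exposed"], order[r["status"]], r["hostname"]))
    return todo


if __name__ == "__main__":
    for r in triage():
        flag = "EXPOSED" if r["exposed"] else "internal"
        ioc = "assess-for-compromise" if r["presume_compromised"] else ""
        print(f"{r['hostname']:13} {r['platform']:4} {r['version']:14} "
              f"{r['status']:8} {flag:8} {r['detail']} {ioc}")
```

Exposed and unfixed devices are the ones to treat as presumptively compromised and hand to the forensic assessment; an upgrade alone does not remove an implant already present, which is why the report pairs patching with compromise analysis.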
Potentially Impacted Organizations
Based on a comprehensive hands-on analysis of Beaumont's findings, Anomali's Threat Research team has identified many organizations that are potentially exposed, vulnerable, or compromised. These include:
Government
- Canadian Military
- Congressional Budget Office
- Consumer Financial Protection Bureau (.gov)
- Department of Energy
- DHS
- Environment Canada
- Fermilab
- NATO
- NY State Assembly
- NY State Senate
- Office of the Superintendent of Financial Institutions, Canada
- Pacific Northwest National Laboratory
- State government agencies in Hawaii, Georgia, NY, VA and others
- Treasurer of the State of Maryland
- UK Foreign and Commonwealth Office
- UK Ministry of Defence
- UK NHS
- United States Capitol Police
- US Army
- US Census Bureau
- US Coast Guard
- US Department of Commerce
- US DOJ
- US DOT
- US House of Representatives
- US NIH
- US OMB (Max.gov)
Healthcare
- AbbVie
- Aetna
- Bayer
- Bristol Myers Squibb
- University of Chicago Medicine
- Walgreens
Finance
- ADP
- BBVA
- Brinks
- Ceridian
- Citizens Bank
- Congressional FCU
- Discover Financial
- HSBC
- KPMG
- LSEG (formerly Refinitiv)
- Mastercard
- Morgan Stanley
- MUFG
- Scotiabank
- Standard Chartered
- TransUnion
- Truist
Auto and Transportation
- Cummins
- GM
- Harley-Davidson
- Honda
- Hyundai
- Isuzu
- Kia
- Kubota
- Maersk
- Nissan
- Porsche
- Renault
- Toyota
- Via Rail
- Volkswagen
Defense
- Airbus Defence
- Martin-Baker
- Thales
- Westinghouse
Technology and Communications
- Alcatel-Lucent
- Apple
- C-SPAN
- Capgemini
- Cisco
- Cognizant
- Convergys
- Deloitte
- Dish Networks
- Fujitsu
- Hisense
- Intelsat
- Iridium
- Lenovo
- Netscout
- Nokia
- NTT Data Services
- O2
- Qualys
- SailPoint
- Sony
- TCS
- Thomson Reuters
- Trellix
- US Cellular
Conclusion
Organizations named in this report should immediately perform a compromise assessment of the affected devices and patch them as soon as possible. Efforts to identify potential compromise should continue after patching, as the actors who exploited these vulnerabilities are highly sophisticated and a patch does not remove an implant that is already present.
Organizations that have any of the entities listed above in their supply chain should review the network connections to and from those entities and investigate any abnormal activity over them.
Relevant Cisco Advisories
- https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-YROOTUW
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-code-exec-WmfP3h3O
Endnotes
- Cisco Systems. “ASA/FTD Continued Attacks.” Cisco Security Resources. Accessed October 6, 2025. https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks.
- Cybersecurity and Infrastructure Security Agency (CISA). “Known Exploited Vulnerabilities Catalog.” U.S. Department of Homeland Security. Accessed October 6, 2025. https://www.cisa.gov/known-exploited-vulnerabilities-catalog.
- Kevin Beaumont (@GossiTheDog). Cyberplace Social, October 2025. https://cyberplace.social/@GossiTheDog/115304693399482377.