Cisco has issued a critical security alert, warning users of a new attack variant targeting its Secure Firewall appliances. This campaign exploits two specific vulnerabilities, CVE-2025-20333 and CVE-2025-20362, which can cause unpatched devices to crash and create a denial-of-service (DoS) condition, disrupting network operations.
Exploited Vulnerabilities in Firewall Software
The networking giant disclosed that it became aware of an attack method designed for devices running vulnerable versions of its Cisco Secure Firewall ASA and FTD software. While the company initially disclosed these flaws in late September 2025, evidence suggests they were exploited as zero-days prior to the public announcement.
According to the UK’s National Cyber Security Centre (NCSC), these same vulnerabilities were used in earlier attacks to deliver notorious malware families like RayInitiator and LINE VIPER. This connection underscores the active threat these flaws pose.
A Breakdown of the Firewall Threats
The two vulnerabilities present distinct but serious risks to network integrity:
- CVE-2025-20333: This critical flaw allows a remote attacker to execute arbitrary code with root-level privileges by sending crafted HTTP requests to a targeted device.
- CVE-2025-20362: This vulnerability enables an unauthenticated attacker to access a restricted URL on the system, potentially exposing sensitive information or providing an initial foothold.
Cisco’s advisory strongly urges all customers to apply the available security updates immediately to mitigate these threats.
Critical Flaws Patched in Contact Center Software
In the same security update wave, Cisco addressed two critical vulnerabilities in its Unified Contact Center Express (Unified CCX) platform. These flaws could allow an unauthenticated, remote attacker to take complete control of an affected system.
The company credited security researcher Jahmel Harris for discovering these issues. The patched vulnerabilities are:
- CVE-2025-20354 (CVSS: 9.8): A flaw in the Java RMI process that allows an attacker to upload arbitrary files and execute commands with root permissions.
- CVE-2025-20358 (CVSS: 9.4): An authentication bypass in the CCX Editor application that lets an attacker gain admin rights to create and execute malicious scripts on the underlying OS.
These have been fixed in Cisco Unified CCX Release 12.5 SU3 ES07 and Release 15.0 ES01.
Additional High-Severity DoS Flaw Addressed
Cisco also released a patch for a high-severity denial-of-service vulnerability (CVE-2025-20343, CVSS: 8.6) in its Identity Services Engine (ISE). This flaw could allow an unauthenticated attacker to cause a vulnerable device to restart unexpectedly by sending a specific sequence of crafted RADIUS access request messages.
