Attackers Exploiting VPN and Web Services to Gain Root Access — CISA Issues Emergency Directive
Two critical zero-day vulnerabilities in Cisco’s firewall technologies—ASA (Adaptive Security Appliance) and FTD (Firepower Threat Defense)—are currently being actively exploited in the wild, prompting an emergency directive from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Cisco confirmed the vulnerabilities, tracked as CVE-2025-20333 and CVE-2025-20362, which could allow attackers to bypass authentication, gain root access, and even tamper with device memory.
The more severe of the two flaws, CVE-2025-20333, carries a CVSS score of 9.9 and affects ASA and FTD devices configured for remote access VPN. An authenticated attacker can exploit this vulnerability by sending a specially crafted HTTPS request, allowing them to execute arbitrary code on the device with root privileges. This level of access could allow complete takeover of the device.
The second flaw, CVE-2025-20362, with a CVSS score of 6.5, allows an unauthenticated attacker to access sensitive, restricted URLs. While not as severe as CVE-2025-20333, it could be used in combination with that flaw to gain deeper access or escalate privileges.
Cisco warns that these vulnerabilities can be chained together, enabling attackers to bypass authentication protections and gain high-level access to firewall systems. More alarmingly, the attackers are reportedly able to modify the device’s read-only memory (ROM)—a serious red flag for firmware-level persistence. This means that even a device reboot or firmware update may not fully remove the attacker’s presence.
These attacks are not theoretical. Cisco confirms that real-world exploitation is already underway, and evidence suggests a sophisticated, state-sponsored threat actor may be behind the campaign.