Cisco ASA Active Exploitation - 20250926001
Overview
Important Note: This is distinct from our previous advisory on Cisco IOS, IOS XE, and Meraki published on 25 September 2025.
Cisco has published an event response advisory regarding its engagement with multiple government agencies. The investigation concerned attacks targeting certain Cisco Adaptive Security Appliance (ASA) 5500-X Series devices running Cisco Secure Firewall ASA Software with VPN web services enabled, with the aim of implanting malware, executing commands, and potentially exfiltrating data from the compromised devices.
What is vulnerable?
These vulnerabilities affect Cisco devices that are running a vulnerable release of Cisco Secure Firewall ASA Software or Cisco Secure FTD Software and have one or more of the vulnerable configurations.
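Affected Product(s) and Version(s) | CVE | CVSS | Severity |
---|---|---|---|
Vendor listed affected products and configurations | CVE-2025-20333 | 9.9 | Critical |
Vendor listed affected products and configurations | CVE-2025-20363 | 9.0 | Critical |
Vendor listed affected products and configurations | CVE-2025-20362 | 6.5 | Medium |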
What has been observed?
Cisco reports active exploitation of these vulnerabilities has been observed globally. The Australian Signals Directorate (ASD) has published an advisory on this activity intended for business owners and technical IT support services. The WASOC has not received any reports of exploitation of this vulnerability on Western Australian Government networks at the time of writing.
Recommendation
The WASOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframes (refer Patch Management):