Arctic Wolf

Arctic Wolf Customer,

Cisco has fixed multiple vulnerabilities affecting Cisco ASA, FTD, and IOS, including critical and exploited flaws. Customers using these products are strongly advised to review the security bulletin and upgrade to the latest patched release for their impacted systems.

Summary

On September 25, 2025, Cisco released fixes for two vulnerabilities in Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) that are currently being actively exploited by a sophisticated threat actor. The US Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03 requiring Federal Civilian Executive Branch (FCEB) agencies to patch these vulnerabilities by 12 PM EDT on September 26. Agencies are also required to assess compromise via CISA-provided procedures and submit core dump(s).

  • CVE-2025-20333: A critical vulnerability allowing authenticated remote threat actors to execute code on an unpatched device. Exploitation requires crafted HTTP requests with valid VPN credentials.
  • CVE-2025-20362: A medium-severity vulnerability allowing remote, unauthenticated threat actors to access restricted URL endpoints by sending crafted HTTP requests to a targeted web server.

Additionally, a third vulnerability of critical severity, CVE-2025-20363, was patched. This vulnerability allows unauthenticated, remote threat actors to execute arbitrary code on Cisco ASA and FTD software, or authenticated, remote threat actors with low user privileges to execute arbitrary code on Cisco IOS, IOS XE, and IOS XR software. Cisco has not indicated that CVE-2025-20363 has been exploited in the wild at the time of writing.

CVE-2025-20352

Earlier this week, on September 24, Cisco also patched a high-severity, exploited vulnerability impacting Cisco IOS, tracked as CVE-2025-20352. The flaw resides in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and Cisco IOS XE software and can be exploited by remote, authenticated threat actors sending a crafted SNMP packet to an affected device over IPv4 or IPv6 networks. The vulnerability affects all devices with SNMP enabled, with impacts ranging from a denial of service with low privileges to remote code execution with high privileges.

Arctic Wolf is actively investigating activity surrounding this ongoing campaign and exploring detections in our platform that will allow us to detect tactics, techniques, and procedures (TTPs) used in the campaign. Confirmed malicious activity will be escalated directly to customers as incidents.

Arctic Wolf has assessed our own environment for impact from these vulnerabilities and have determined that we are not affected.

Recommendation

Upgrade to the Latest Fixed Versions

Arctic Wolf strongly recommends that customers upgrade to the latest fixed versions.

Product   Vulnerability Fixed Release
Cisco ASA CVE-2025-20333, CVE-20362, CVE-2025-20363
Cisco FTD CVE-2025-20333, CVE-20362, CVE-2025-20363 Customers can use Cisco’s Software Checker to verify if they are running an affected product and update to the fixed release.
Cisco IOS/IOS XE CVE-2025-20363, CVE-2025-20352
Cisco IOS XR CVE-2025-20363

Please follow your organization’s patching and testing guidelines to minimize potential operational impact.

Collect Cisco Device Artifacts and Outputs

Before upgrading the device to the latest fixed version, collect all artifacts and outputsoutlined by CISA to determine whether there are signs of compromise on the Cisco device. Follow the listed steps in the exact order provided to avoid triggering the threat actor’s anti-forensics measures. Any deviation could destroy forensic data and make confirming exploitation or assessing impact more difficult.

Note: Software versions after9.17.1.40,9.18.4.41,9.19.1.32, and 9.20+ are likely not impacted by this campaign as the WebVPN file-upload handler used by the threat actor was removed from those versions.

References

If you have any additional questions, please reach out to your CST at security@arcticwolf.com.

Thank you,
Arctic Wolf


Follow us:

.