Attacks continue to threaten thousands of vulnerable Cisco ASA, FTD devices

BleepingComputer reports that more than 48,800 internet-exposed Cisco Adaptive Security Appliance and Firewall Threat Defense devices remain at risk to intrusions involving the actively exploited flaws, tracked as CVE-2025-20362 and CVE-2025-20333.

The U.S. accounted for most of the IP addresses susceptible to intrusions, followed by the UK, Japan, Germany, Russia, Canada, and Denmark, according to The Shadowserver Foundation. Cisco recently reported that active exploitation of the bugs started before the patches were released to users. The vulnerabilities allow attackers to execute arbitrary code and access restricted VPN-related URL endpoints remotely without requiring authentication.

While there are no full workarounds available, temporary protective measures include limiting VPN web interface exposure and enhancing logging and monitoring for unusual VPN logins and crafted HTTP requests.

The Cybersecurity and Infrastructure Security Agency called the risks severe and ordered federal agencies to check for compromised ASA and FTD devices within 24 hours and update those still in use. They also advised removing end-of-support ASA devices from federal networks by the end of September.