Cisco on March 4 released patches for 48 vulnerabilities in Cisco Secure Firewall ASA, Secure Firewall Management Center (FMC) and Secure Firewall Threat Defense (FTD) software.

Of special note in yesterday’s release were the patches for two 10.0 maximum-severity flaws in Secure FMC software, which lets administrators manage Cisco firewalls and configure application control, intrusion prevention, URL filtering, and advanced malware protection.

Cisco also pointed out that two more Catalyst SD-WAN Manager flaws were exploited in the wild, news that was updated from the original advisory on Feb. 25.

“This comes at a time when global edge infrastructure is under sustained and aggressive attack,” said Gene Moody, Field CTO at Action1. “In the current geopolitical climate, with elevated nation-state activity and rising tensions involving Western interests and war in the Middle East, internet-facing security appliances are first-strike targets.”
Moody said his team has been seeing mass scanning and automated exploitation at a scale that was once reserved for major zero-day events. Threat actors, including well-resourced state-aligned groups, continuously sweep the internet for vulnerable edge devices within hours of disclosures, said Moody.

“When flaws enable authentication bypass or root level code execution, the risk is existential,” said Moody. “An attacker does not just gain a foothold; they gain control of the control plane.”

Collin Hogue-Spears, senior director of solution management at Black Duck, said the SD-WAN campaign and these Secure FMC vulnerabilities follow identical logic: Attackers are targeting the management consoles that push policy to every device on the network.

“Compromise one controller, and you rewrite routing or firewall rules across hundreds of branch offices without touching a single endpoint,” said Hogue-Spears. “Both product families share the same architectural weakness: centralized control built for operational efficiency, not adversarial resilience.”

Hogue-Spears added that defenders keep hardening individual firewalls and patching individual routers, but our adversaries skip over that.

“An attacker who owns your Firewall Management Center does not bypass your perimeter,” said Hogue-Spears. “They log into the console and order every firewall in the organization to stand down. The SD-WAN zero-day proved the same logic on the routing side: seize the controller, own the fabric. Two different Cisco product lines, two different vulnerability classes, one identical attacker objective: control the management plane and let the managed devices do the damage for you.”

While the industry needs to take these advisories seriously, Jeff Liford, associate director at Fenix24, pointed out that, regarding the broader disclosure, 25 advisories covering 48 vulnerabilities sounds large but is not necessarily unusual.

Liford said vendors frequently bundle fixes into coordinated security releases.

“In many cases, vendors may already be aware of vulnerabilities internally, and once a vulnerability becomes public or begins appearing in real-world attacks, the patch timeline can accelerate,” said Liford. “Additionally, shared code libraries and upstream dependencies can cause clusters of vulnerabilities to be disclosed together. More broadly, the firewall industry has experienced significant security pressure over the past year. Most major vendors have released multiple critical patches during this period.”
Cisco patches 48 bugs across firewall products; notes two more SD-WAN flaws exploited




