Alert - AL25-012 - Vulnerabilities impacting Cisco ASA and FTD devices – CVE-2025-20333, CVE-2025-20362 and CVE-2025-20363

Number: AL25-012
Date: September 25, 2025

Audience

This Alert is intended for IT professionals and managers of notified organizations.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details

The Canadian Centre for Cyber Security (Cyber Centre) is aware of exploitation targeting Cisco Adaptive Security Appliance (ASA) 5500-X Series devices that are running Cisco Secure Firewall ASA Software with VPN web services enabled.

On September 25, 2025, Cisco published security advisories for critical vulnerabilities, CVE-2025-20333, CVE-2025-20362 and CVE-2025-20363, affecting the following ASA and Cisco Secure Firewall Threat Defense (FTD) software release products:

  • Cisco ASA software release 9.12 – versions prior to 9.12.4.72
  • Cisco ASA software release 9.14 – versions prior to 9.14.4.28
  • Cisco ASA software release 9.16 – versions prior to 9.16.4.85
  • Cisco ASA software release 9.17 – versions prior to 9.17.1.45
  • Cisco ASA software release 9.18 – versions prior to 9.18.4.67
  • Cisco ASA software release 9.19 – versions prior to 9.19.1.42
  • Cisco ASA software release 9.20 – versions prior to 9.20.4.10
  • Cisco ASA software release 9.22 – versions prior to 9.22.2.14
  • Cisco ASA software release 9.23 – versions prior to 9.23.1.19
     
  • Cisco FTD software release 7.0 – versions prior to 7.0.8.1
  • Cisco FTD software release 7.1 – all versions
  • Cisco FTD software release 7.2 – versions prior to 7.2.10.2
  • Cisco FTD software release 7.3 – all versions
  • Cisco FTD software release 7.4 – versions prior to 7.4.2.4
  • Cisco FTD software release 7.6 – versions prior to 7.6.2.1
  • Cisco FTD software release 7.7 – versions prior to 7.7.10.1

For further details on affected versions and available fixed releases, please refer to the following Cisco advisories [1][2][3].
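A version check against the list above, as an added example (not code from Cisco or the Cyber Centre). It assumes versions are supplied either dotted or in the parenthesized ASA style such as `9.16(4)85`, and the host names and inventory layout are constructed; release trains not named in this Alert are reported as "unlisted" rather than treated as safe.

```python
import re

# Fixed releases per train, transcribed from the list in this Alert.
# None means every version in that train is listed as affected.
FIXED = {
    "ASA": {"9.12": "9.12.4.72", "9.14": "9.14.4.28", "9.16": "9.16.4.85",
            "9.17": "9.17.1.45", "9.18": "9.18.4.67", "9.19": "9.19.1.42",
            "9.20": "9.20.4.10", "9.22": "9.22.2.14", "9.23": "9.23.1.19"},
    "FTD": {"7.0": "7.0.8.1", "7.1": None, "7.2": "7.2.10.2", "7.3": None,
            "7.4": "7.4.2.4", "7.6": "7.6.2.1", "7.7": "7.7.10.1"},
}

def parse_version(text):
    """Turn '9.16(4)85', '9.16.4.85' or '7.2.10' into a tuple of ints."""
    text = text.strip()
    if not re.fullmatch(r"[\d.()]+", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    if len(parts) < 2:
        raise ValueError(f"version needs at least major.minor: {text!r}")
    return parts

def assess(product, version):
    """Return 'affected', 'fixed' or 'unlisted' for one device."""
    v = parse_version(version)
    trains = FIXED[product.upper()]
    train = f"{v[0]}.{v[1]}"
    if train not in trains:
        return "unlisted"  # not in this Alert's list; consult the Cisco advisories
    fixed = trains[train]
    if fixed is None or v < parse_version(fixed):
        return "affected"
    return "fixed"

# Constructed inventory: host, product, running version.
INVENTORY = """\
fw-edge-01 ASA 9.16(4)57
fw-edge-02 ASA 9.12(4)72
fw-dc-01 FTD 7.2.10
fw-dc-02 FTD 7.3.1.2
fw-lab-01 ASA 9.8(4)
"""

def triage(inventory):
    rows = (line.split() for line in inventory.splitlines() if line.strip())
    return {host: assess(product, version) for host, product, version in rows}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```
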

CVE-2025-20333 is a vulnerability affecting the ASA and FTD software that could allow an authenticated remote threat actor to execute arbitrary code on affected devices [1].

CVE-2025-20362 is a vulnerability affecting the ASA and FTD software that could allow an unauthenticated remote threat actor to access URL endpoints that should otherwise be inaccessible without authentication [2].

CVE-2025-20363 is a vulnerability affecting the ASA, FTD, Cisco IOS, Cisco IOS XE and Cisco IOS XR software that could allow an unauthenticated remote threat actor (ASA and FTD) or an authenticated remote threat actor with low user privileges (Cisco IOS, IOS XE and IOS XR) to execute arbitrary code on affected devices [3].

All of these vulnerabilities are due to improper validation of user-supplied input in HTTP(S) requests.

In response to these vulnerabilities, the Cyber Centre released AV25-619 on September 25 [4].

Suggested actions

The Cyber Centre strongly recommends that organizations running Cisco ASA and FTD products upgrade to a fixed release software version [5].

Organizations upgrading an ASA 5500-X Series model to 9.12.4.72 or 9.14.4.28 should refer to Cisco’s Bootloader and/or ROMMON Verification Failure procedures [6]. If the “firmware-update.log” file is found on “disk0:” after upgrading to a fixed release, organizations are encouraged to preserve the log file and notify the Cyber Centre using the contact information below. Instructions regarding transfer of the log file will be provided as part of the follow-up engagement.

In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre’s Top 10 IT Security Actions [7].

If activity matching the content of this alert is discovered, recipients are encouraged to report via the My Cyber Portal, or email contact@cyber.gc.ca.

References
