
Current CyberSecurity Advisories

Multiple vulnerabilities affecting Cisco ASA 5500-X Series devices

Release date: 26 September 2025
Alert rating: Critical

Description

The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) is aware of multiple vulnerabilities impacting Cisco Secure Firewall Adaptive Security Appliance (ASA) 5500-X Series models that are running Cisco ASA Software or Cisco Secure Firewall Threat Defense (FTD) Software. Cisco reports active exploitation of these vulnerabilities globally. ASD’s ACSC has also observed targeting in Australia.

Audience

Small & medium businesses, Organisations & Critical Infrastructure, Government

Current update

This alert has been written for technical IT teams and services supporting organisations.

This alert contains a combination of simple and moderately complex technical advice, intended for business owners and technical IT support services.

Background

ASD’s ACSC is aware of targeting within Australia of multiple vulnerabilities impacting Cisco ASA 5500-X Series models that are running Cisco ASA Software or FTD Software:

  • CVE-2025-20333 (Critical) – A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote attacker to execute arbitrary code on an affected device.
  • CVE-2025-20363 (Critical) – A vulnerability in the web services of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software, Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an unauthenticated, remote attacker (Cisco ASA and FTD Software) or authenticated, remote attacker (Cisco IOS, IOS XE, and IOS XR Software) with low user privileges to execute arbitrary code on an affected device.
  • CVE-2025-20362 (Medium) – A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to access restricted URL endpoints that should otherwise be inaccessible without authentication.

A number of versions of Cisco software releases are affected, including those within the following ranges:

  • Cisco ASA Software releases 9.12 to 9.23x; and
  • Cisco FTD Software releases 7.0 to 7.7x.

Please see https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks for specific version details.

Cisco reports active exploitation of these vulnerabilities has been observed globally.

Mitigation advice

Australian organisations should consult the following Cisco resource for investigation and remediation advice: https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks

Affected organisations should investigate and monitor connected environments for potential malicious activity.

Current advice for determining ROMMON compromise

Please note this is specific to versions 9.12 and 9.14. Please continue to consult https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks

During the initial boot following upgrade to patched versions, the messages "Bootloader verification failed at address" and/or "ROMMON verification failed at address" will indicate compromise. Further, a file called firmware-update.log will be written to disk0, or this file will be updated if it already exists.
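
The check described above, as an added example that is not part of the advisory or of Cisco's guidance: a Python triage of a saved console capture from the first post-upgrade boot and a saved disk0 directory listing. The sample capture, the listing layout, the address format and the verdict labels are assumptions constructed for illustration.

```python
import re

# Indicator strings and file name as quoted in the advisory text above.
BOOT_INDICATORS = (
    "Bootloader verification failed at address",
    "ROMMON verification failed at address",
)
LOG_FILENAME = "firmware-update.log"

def normalise(capture):
    """Strip ANSI escapes, NULs and stray CRs that serial captures pick up."""
    text = re.sub(r"\x1b\[[0-9;]*[A-Za-z]", "", capture).replace("\x00", "")
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    return [re.sub(r"\s+", " ", line).strip() for line in text.split("\n")]

def scan_boot_capture(capture):
    """Return one hit per indicator occurrence, with the token that follows it."""
    hits = []
    for lineno, line in enumerate(normalise(capture), 1):
        for indicator in BOOT_INDICATORS:
            m = re.search(re.escape(indicator) + r"\s*(\S*)", line, re.IGNORECASE)
            if m:
                hits.append({"line": lineno, "indicator": indicator,
                             "address": m.group(1) or None})
    return hits

def listing_has_update_log(listing):
    """True if any entry in a saved disk0 listing is named firmware-update.log."""
    return any(line.split()[-1].lower() == LOG_FILENAME
               for line in normalise(listing) if line)

def assess(capture, listing):
    """Verdict labels are this example's own triage wording (assumption)."""
    hits = scan_boot_capture(capture)
    log_present = listing_has_update_log(listing)
    if hits:
        verdict = "compromise indicated"
    elif log_present:
        verdict = "review"  # file may pre-date the upgrade, or the capture is incomplete
    else:
        verdict = "no indicators"
    return {"verdict": verdict, "hits": hits, "log_present": log_present}

# Constructed sample input, not real device output; address format is assumed.
SAMPLE_CAPTURE = ("Booting image...\r\n"
                  "\x1b[0mROMMON  verification failed at address 0x0000AAAA\r\n"
                  "Boot continues\r\n")
SAMPLE_LISTING = "101 -rwx 4096 firmware-update.log\n102 -rwx 1024 example.cfg\n"

if __name__ == "__main__":
    print(assess(SAMPLE_CAPTURE, SAMPLE_LISTING))
```

A "review" or "no indicators" result only reflects what was captured; an incomplete console log cannot rule out compromise.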

In cases of suspected or confirmed compromise on any Cisco ASA 5500-X Series device, all configuration elements of the device should be considered untrusted and Cisco guidance should be followed.

Where to get help

If you identify any malicious activity or confirm compromise when implementing the mitigation advice, please contact ASD Assist via 1300 CYBER1 (1300 292 371) or asd.assist@defence.gov.au. We have prepared additional technical guidance to support your follow-on investigation, which will be provided to those with a confirmed compromise.
