Cisco has issued a critical warning regarding a new attack variant targeting its Secure Firewall products. The threat exploits previously disclosed zero-day vulnerabilities, CVE-2025-20333 and CVE-2025-20362, which can lead to unpatched devices unexpectedly reloading and causing denial-of-service (DoS) conditions. Cybersecurity professionals are urged to apply the latest updates to their Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software immediately.
The vulnerabilities, first disclosed in late September 2025, have already been leveraged in the wild as part of attacks delivering malware such as RayInitiator and LINE VIPER, according to reports from the U.K. National Cyber Security Centre (NCSC). Successful exploitation of CVE-2025-20333 allows attackers to execute arbitrary code with root privileges through crafted HTTP requests. Concurrently, CVE-2025-20362 enables unauthorized access to restricted URLs without proper authentication, creating significant security risks for organizations relying on these firewall solutions.
Cisco Addresses Multiple Firewall and Unified Communications Vulnerabilities
This alert comes as Cisco also patches two critical security flaws impacting its Unified Contact Center Express (Unified CCX) platform. These vulnerabilities could grant unauthenticated, remote attackers the ability to upload arbitrary files, bypass authentication mechanisms, execute arbitrary commands, and ultimately elevate their privileges to root access. Security researcher Jahmel Harris was credited by Cisco for discovering and reporting these significant shortcomings.
Critical Flaws in Unified Contact Center Express
The first of these Unified CCX vulnerabilities, designated CVE-2025-20354, carries a CVSS score of 9.8, indicating its severity. This flaw resides within the Java Remote Method Invocation (RMI) process of Unified CCX. Exploitation allows an attacker to upload files and execute commands with root permissions on compromised systems. The second, CVE-2025-20358, with a CVSS score of 9.4, affects the Contact Center Express (CCX) Editor application. This vulnerability permits attackers to bypass authentication and gain administrative permissions, enabling them to create and execute arbitrary scripts on the underlying operating system.
These critical issues affecting the Unified CCX platform have been addressed in specific software releases. Cisco Unified CCX Release 12.5 SU3 and earlier are fixed in version 12.5 SU3 ES07. For Cisco Unified CCX Release 15.0, the fix is available in 15.0 ES01.
In addition to the firewall and contact center vulnerabilities, Cisco has also released patches for a high-severity denial-of-service (DoS) bug, CVE-2025-20343. This vulnerability, with a CVSS score of 8.6, impacts the Identity Services Engine (ISE). It could allow an unauthenticated, remote attacker to trigger an unexpected restart of a susceptible device. The issue stems from a logic error in how Cisco ISE processes RADIUS access requests for MAC addresses that have already been rejected as endpoints.
While Cisco has not reported any evidence of these three security flaws being actively exploited in the wild, the company strongly advises all users to implement the available updates as soon as possible. Proactive patching is essential to maintain robust security posture and prevent potential disruptions.
The ongoing discovery and exploitation of zero-day vulnerabilities underscore the dynamic nature of the cybersecurity landscape. Organizations are encouraged to maintain vigilance, regularly review security advisories from vendors, and prioritize the timely application of security patches to safeguard their critical infrastructure and sensitive data. The next steps involve ensuring all affected Cisco devices are updated to the latest secure versions to mitigate these risks.