Cisco Warns of Critical Firewall Vulnerabilities Exploited in Zero-Day Attacks

Cisco Warns of Critical Firewall Vulnerabilities Exploited in Zero-Day Attacks

Cisco has identified and addressed multiple critical security flaws in its firewall and contact center software, including two zero-day vulnerabilities actively exploited in attacks. These flaws pose significant risks to network infrastructure, enabling denial-of-service (DoS) conditions, unauthorized access, and arbitrary code execution.

Key Vulnerabilities and Exploits

1. Firewall Software Vulnerabilities

• CVE-2025-20333 (CVSS 9.8)

  • Impact: Allows attackers to execute arbitrary code as root via crafted HTTP requests.
  • Exploitation: Used in zero-day attacks to deliver malware like RayInitiator and LINE VIPER.
  • Disclosure: Identified by the U.K. NCSC in late September 2025.

• CVE-2025-20362 (CVSS 8.9)

  • Impact: Enables access to restricted URLs without authentication, potentially exposing sensitive data.
  • Exploitation: Also exploited as a zero-day before disclosure.

• Consequences: Unpatched devices may experience unexpected reloads, leading to DoS conditions and operational disruptions.

2. Unified Contact Center Express (Unified CCX) Vulnerabilities

• CVE-2025-20354 (CVSS 9.8)

  • Impact: Exploits Java RMI process to upload arbitrary files and execute root-level commands.
  • Fixed in: Cisco Unified CCX 12.5 SU3 ES07 and 15.0 ES01.

• CVE-2025-20358 (CVSS 9.4)

  • Impact: Bypasses authentication in the CCX Editor, allowing attackers to create and execute arbitrary scripts with administrative privileges.

• Discovery: Reported by security researcher Jahmel Harris.

3. Identity Services Engine (ISE) DoS Vulnerability

• CVE-2025-20343 (CVSS 8.6)

  • Impact: Unauthenticated attackers can trigger unexpected device restarts via crafted RADIUS access requests.
  • Cause: Logic error in processing RADIUS messages for rejected MAC addresses.

• Mitigation: Patches released for affected ISE versions.

Recommendations for Mitigation

• Apply Patches Immediately: Cisco urges users to update all affected systems to the latest versions (e.g., 12.5 SU3 ES07, 15.0 ES01).
• Monitor for Unusual Activity: Detect unauthorized access attempts or unexpected device reboots.
• Segment Networks: Isolate critical systems to limit the blast radius of potential exploits.
• Enable Intrusion Detection Systems (IDS): Use tools to identify and block malicious traffic patterns associated with these vulnerabilities.
• Avoid Delaying Updates: Despite no confirmed in-the-wild exploitation, timely patching is critical to prevent future attacks.

Reference

https://thehackernews.com/2025/11/cisco-warns-of-new-firewall-attack.html