Cisco Zero-Day Attack: Exploited ASA & IOS flaws threaten global networks

Cisco is under a dual zero-day attack on its ASA and IOS/IOS XE platforms. These flaws bypass MFA and allow RCE, prompting CISA to issue an emergency directive. Immediate patching is critical.

Punam Singh

Cisco is facing a series of critical zero-day vulnerabilities that are being actively exploited. These flaws affect two of Cisco’s most foundational product lines: Cisco Adaptive Security Appliances (ASA) and devices running Cisco IOS and IOS XE software.


The business implications here are severe. Both vulnerabilities target "gateway" devices that serve as the last line of defence for a network, allowing attackers to bypass authentication and gain a foothold inside. This isn't about a single breached account; it is about a compromised infrastructure, which can lead to data theft, persistent access for espionage, or the deployment of ransomware. The fact that an advanced threat group has found a way to bypass Duo MFA on ASA devices should be a wake-up call for the industry.

Cisco ASA: The VPN and Firewall Zero-Day

The Cisco ASA attack chains two flaws: CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362 (CVSS 6.5). The attack begins with the medium-severity CVE-2025-20362, an unauthorised access flaw in the VPN web server that allows an unauthenticated attacker to bypass authentication and reach a restricted URL. This sets up the critical CVE-2025-20333, an improper input validation vulnerability that allows a remote attacker to achieve remote code execution (RCE) as root on the device by sending specially crafted HTTP requests to the VPN web server. The chain is highly effective because it moves from an unauthenticated entry point to a full system takeover. It specifically targets the SSL listen sockets that remote access VPN features such as AnyConnect and SSL VPN open on the device.

Mitigation

Cisco has released fixed software versions. The only true remediation is to patch immediately to a fixed release. CISA has issued an emergency directive with a 2nd October deadline for federal agencies to either patch their devices or take them offline, a timeline that should be a guide for all organisations. Organisations with older, end-of-life (EOL) ASA hardware, which does not support modern security features like Secure Boot and Trust Anchors, should prioritise permanently disconnecting these devices.


Cisco IOS/IOS XE: The SNMP Zero-Day

This is a completely separate vulnerability, CVE-2025-20352 (CVSS 8.6), that affects the Simple Network Management Protocol (SNMP) subsystem in Cisco IOS and IOS XE. The flaw is a stack-based buffer overflow that is triggered when an attacker sends a crafted SNMP packet to a vulnerable device. If an attacker has low privileges (e.g., an SNMP read-only community string), they can cause a denial of service (DoS) by forcing the device to reload. With high privileges, they can achieve remote code execution (RCE) as root, gaining complete control of the system. This vulnerability is particularly dangerous because SNMP is often enabled and exposed on networks for monitoring purposes, making it a prime target.

Mitigation

There are no workarounds that fully fix the issue. The primary mitigation is to patch immediately to a fixed software release. If immediate patching is not an option, security teams should:

  1. Restrict SNMP Access: Apply ACLs to limit SNMP access to only trusted management hosts.
  2. Harden Management Plane: Ensure management interfaces for SSH, HTTPS, and SNMP are isolated on an internal VLAN and not exposed to untrusted or internet-facing networks.
  3. Detect & Hunt: Actively monitor logs for unusual SNMP queries, unauthorised configuration changes, or new local accounts.
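The following script is an added example written for this article, not Cisco tooling or code from the advisory. It turns steps 1 and 3 above into two checks that can be run offline: an audit of an IOS/IOS XE running-config excerpt for SNMP community strings that lack an ACL, use RW mode or a well-known default, and a hunt over syslog lines for SNMP authentication failures, configuration changes from outside the management network, and local-account creation. The configuration excerpts, the syslog lines and the trusted management hosts are constructed samples; the message mnemonics (%SNMP-3-AUTHFAIL, %SYS-5-CONFIG_I, %PARSER-5-CFGLOG_LOGGEDCMD) are real IOS syslog identifiers, the last of which only appears when configuration command logging is enabled.

```python
"""Audit SNMP exposure in an IOS/IOS XE config and hunt related syslog events.

Hypothetical helper code written for this article; not Cisco's own tooling.
All config excerpts, syslog lines and addresses below are constructed samples.
"""
import re
from collections import Counter
from typing import List

# Assumption: the only hosts that may poll SNMP or push configuration changes.
TRUSTED_MGMT_HOSTS = {"10.10.0.5", "10.10.0.6"}

# Constructed sample: community strings with no ACL, one of them RW.
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
"""

# Constructed sample: the same device after step 1 (ACL-restricted, RO only).
HARDENED_CONFIG = """\
ip access-list standard SNMP-MGMT
 permit 10.10.0.5
 permit 10.10.0.6
 deny any log
snmp-server community Xk9-readonly RO SNMP-MGMT
"""

# Matches: snmp-server community <string> [view <name>] RO|RW [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<community>\S+)(?: view \S+)? "
    r"(?P<mode>RO|RW)(?: (?P<acl>\S+))?\s*$",
    re.MULTILINE,
)


def audit_snmp_config(config: str) -> List[str]:
    """Return one finding per weakness in the SNMP community lines (empty if clean)."""
    findings = []
    for m in COMMUNITY_RE.finditer(config):
        community, mode, acl = m.group("community", "mode", "acl")
        if acl is None:
            findings.append(f"community '{community}' ({mode}) has no ACL: pollable from any source")
        if mode == "RW":
            findings.append(f"community '{community}' is RW: the high-privilege path to RCE")
        if community.lower() in {"public", "private"}:
            findings.append(f"community '{community}' is a well-known default")
    return findings


# Constructed syslog lines in IOS format (mnemonics are real IOS message names).
SAMPLE_SYSLOG = """\
*Sep 26 09:58:01.100: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 198.51.100.7
*Sep 26 09:58:01.300: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 198.51.100.7
*Sep 26 09:58:01.500: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 198.51.100.7
*Sep 26 10:02:14.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.0.5)
*Sep 26 10:31:40.000: %SYS-5-CONFIG_I: Configured from console by svc on vty1 (198.51.100.7)
*Sep 26 10:31:41.000: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc  logged command:username backup privilege 15 secret 0 ****
"""

AUTHFAIL_RE = re.compile(r"%SNMP-3-AUTHFAIL: .* from host (\S+)")
CONFIG_RE = re.compile(r"%SYS-5-CONFIG_I: Configured from \S+ by (\S+) on \S+ \((\S+)\)")
CFGLOG_RE = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(\S+)\s+logged command:(.*)$")


def hunt_syslog(lines: List[str], authfail_threshold: int = 3) -> List[str]:
    """Flag SNMP brute-force/probing, config changes from untrusted hosts, new local users."""
    alerts: List[str] = []
    authfail_by_host: Counter = Counter()
    for line in lines:
        if m := AUTHFAIL_RE.search(line):
            authfail_by_host[m.group(1)] += 1
        elif m := CONFIG_RE.search(line):
            user, src = m.groups()
            if src not in TRUSTED_MGMT_HOSTS:
                alerts.append(f"config change by '{user}' from untrusted host {src}")
        elif m := CFGLOG_RE.search(line):
            user, cmd = m.groups()
            if cmd.startswith("username "):
                # Strip the secret before reporting so alerts never carry credentials.
                alerts.append(f"local account change by '{user}': {cmd.split(' secret')[0]}")
    # Any failures from outside the management set, or a burst from anywhere, is worth a look.
    for host, count in authfail_by_host.items():
        if host not in TRUSTED_MGMT_HOSTS or count >= authfail_threshold:
            alerts.append(f"{count} SNMP auth failures from {host}")
    return alerts


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name} config]", *audit_snmp_config(cfg) or ["no findings"], sep="\n  ")
    print("[syslog hunt]", *hunt_syslog(SAMPLE_SYSLOG.splitlines()), sep="\n  ")
```

Run against a real `show running-config` and a syslog export, the audit function reports which community lines still answer to any source on the network, and the hunt function gives a first pass at the three signals listed in step 3; the trusted-host set and the failure threshold are the two knobs to tune for a given environment.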

A call to action

These two parallel zero-day campaigns demonstrate that attackers are shifting their focus to network gateways and core infrastructure. This requires network administrators to adopt an equally aggressive and proactive posture: rather than waiting for a patch window, assume a breach and work to contain it. The urgency of CISA's directive is the best guiding principle.