Cisco ASA VPN auth bypass active

- Cisco and CISA’s April 23, 2026 updates turned last year’s Cisco ASA and FTD VPN bugs into a bigger story — persistent firewall compromise.
- CVE-2025-20362 lets attackers reach restricted WebVPN URLs without logging in, and CISA says it was paired with CVE-2025-20333 to plant FIRESTARTER.
- The real shift is strategic: attackers are treating exposed firewalls as the endpoint, not just the path inward.

Cisco firewall bugs are usually patch-and-move stories. This one isn’t. The important update is not just that Cisco ASA and FTD had a VPN-side auth-bypass bug — CVE-2025-20362 — but that U.S. and U.K. defenders now say attackers used it in a real intrusion chain that ended with persistent malware on perimeter gear. That changes the mental model. A patched VPN box may still be a compromised box.

### What is CVE-2025-20362, exactly?

It’s a flaw in the VPN web server on Cisco Secure Firewall ASA and Secure Firewall Threat Defense. The bug lets an unauthenticated remote attacker send crafted HTTP requests and reach restricted remote-access VPN URL endpoints that should require authentication. In plain English — the device can be tricked into exposing pieces of the VPN surface before login. Cisco published the advisory on September 25, 2025, rated it CVSS 6.5, and said there are no workarounds — only fixed software. (sec.cloudapps.cisco.com)

### Why is that more serious than it sounds?

Because CISA and Cisco are not treating CVE-2025-20362 as a standalone nuisance bug. They tie it to CVE-2025-20333 in the same campaign. CISA added both to the Known Exploited Vulnerabilities catalog on September 25, 2025 and ordered federal agencies to identify exposed Cisco ASA and Firepower devices, collect memory, and start compromise analysis immediately. That is the government saying: this was not theoretical. (sec.cloudapps.cisco.com)

### What changed in April 2026?

CISA published a malware analysis report for FIRESTARTER on April 23, 2026 and updated its emergency directive the same day. The new piece was persistence. CISA and the U.K. NCSC said an APT actor exploited CVE-2025-20333 and CVE-2025-20362 to gain initial access and deploy FIRESTARTER on Cisco Firepower and Secure Firewall devices. Cisco also said the actor had developed a previously unknown persistence mechanism that could survive upgrading to the fixed September 2025 releases. (cisa.gov)

### So patching wasn’t enough?

Not if the box was already compromised. That’s the catch. Cisco’s April 2026 advisory says the persistence lives in FXOS, the base operating system on affected hardware platforms, and is preserved across upgrades to the fixed releases. CISA said plainly that patching actions on compromised devices did not necessarily remove an existing threat actor. So there are really two jobs here — stop new exploitation, and separately prove the device is clean. (cisa.gov)

### How did FIRESTARTER hang on?

Cisco Talos says FIRESTARTER manipulates the boot process through the Cisco Service Platform mount list, then re-injects itself into the LINA process, which is a core ASA/FTD component. The useful analogy is a burglar who also rewires the alarm panel before leaving — you can lock the front door later, but the tampering is already inside the house. Talos also says a hard reboot — basically pulling power, not a graceful reboot — removes this transient implant. (cisa.gov)

### Which devices are in the danger zone?

Cisco says the persistence issue affects Firepower 1000, 2100, 4100, and 9300 series, plus Secure Firewall 1200, 3100, and 4200 series, regardless of configuration. It says ASA 5500-X, Secure Firewall 200 and 6100, virtual ASA, ISA3000, and Secure Firewall Threat Defense Virtual are not affected by this specific persistence mechanism. That distinction matters because “Cisco firewall” is too broad to be useful in incident response. (blog.talosintelligence.com)

### Why are analysts calling this a perimeter story?

Because the attacker path skips the old sequence. No phishing email. No laptop foothold first. The exposed firewall is the foothold. Once that clicks, the defensive lesson gets harsher — MFA on the VPN portal and healthy endpoints are still good, but they do not save you if the gateway itself is subverted below the login flow. (sec.cloudapps.cisco.com)

### What should teams do now?

Treat any internet-exposed ASA or FTD device with past exposure to these bugs as a hunt target, not just a patch target. Cisco says upgrade to the fixed releases for the vulnerabilities. CISA says use the FIRESTARTER YARA rules against a disk image or core dump, report findings, and start incident response if compromise is confirmed. Segment critical systems behind the firewall, but don’t assume the firewall is a trustworthy boundary until you verify it. (sec.cloudapps.cisco.com)

The bottom line is simple — CVE-2025-20362 matters because it was part of a real chain that turned perimeter appliances into long-lived beachheads. If you only patched, you solved tomorrow’s exploit. You may not have solved yesterday’s intrusion. (sec.cloudapps.cisco.com)
