Critical Cisco Firewall Flaws Under Active Attack: What You Need to Do Now
A series of critical vulnerabilities in widely used Cisco security appliances are being actively exploited by sophisticated threat actors, prompting urgent warnings from international cybersecurity agencies. If your organization relies on Cisco Adaptive Security Appliance (ASA) or Cisco Firepower Threat Defense (FTD) software, immediate action is required to protect your network from takeover.
Government agencies, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC), have issued alerts confirming that state-sponsored hackers are leveraging these flaws to breach networks, steal data, and establish persistent access.
The Vulnerabilities Explained: A Triple Threat
The attacks target a trifecta of vulnerabilities that, when combined, can allow an attacker to gain complete control over a device. The key security flaws include:
- CVE-2024-20359: A critical remote code execution (RCE) vulnerability. This is the most severe flaw, as it allows an unauthenticated, remote attacker to run arbitrary code on the affected firewall. In simpler terms, a hacker from anywhere in the world could take over your device without needing any credentials.
- CVE-2024-20353: A denial-of-service (DoS) vulnerability. By exploiting this flaw, an attacker can remotely restart the firewall, causing a network outage and disrupting business operations. This can also be used to bypass certain security checks that occur only on startup.
- CVE-2024-20358: A persistent local code execution vulnerability. This flaw allows an attacker who already has some level of access to plant malware that survives reboots, giving them a permanent foothold within your network.
These vulnerabilities are not theoretical. Cybersecurity researchers have confirmed that a hacking group known as UAT4356 (also tracked as STORM-1849) has been exploiting these flaws in the wild since at least November 2023, deploying custom malware designed for espionage and data exfiltration.
Government Directives Underscore the Severity
The threat is so significant that CISA has added CVE-2024-20353 and CVE-2024-20359 to its Known Exploited Vulnerabilities (KEV) catalog. This action mandates that all U.S. federal civilian agencies patch their systems by a strict deadline, signaling the extreme risk posed to all organizations, both public and private.
Simultaneously, the NCSC has echoed this urgency, advising all organizations using affected Cisco products to apply security updates as an immediate priority. When government cybersecurity bodies issue coordinated, high-priority warnings, it is a clear indicator of a widespread and dangerous threat.
Actionable Steps to Secure Your Network
Patching is not optional—it is the only effective way to mitigate this threat. Simply rebooting a device is not enough and may even hide evidence of a compromise while leaving the vulnerability intact.
Follow these steps immediately to protect your infrastructure:
Identify All Affected Devices: Conduct an immediate inventory of your network to identify all firewalls running vulnerable versions of Cisco ASA and FTD software. Pay close attention to internet-facing devices, as they are the primary targets.
Apply Security Patches Now: Cisco has released software updates that address these vulnerabilities. Prioritize the patching of all affected systems. Do not delay this process. The necessary updates can be found on the official Cisco Security Advisory portal.
Hunt for Signs of Compromise: Because these flaws have been actively exploited for months, you must assume a breach is possible. Even after patching, it is crucial to investigate your systems for any indicators of compromise (IoCs). Check for:
- Unexplained system reboots or crashes.
- Unusual or unauthorized configuration changes.
- Suspicious traffic patterns or data leaving your network.
- The presence of custom malware, such as tools identified as “LINEBACK” or “LINETAP,” which are associated with this specific campaign.
The exploitation of edge devices like firewalls and VPNs remains a popular tactic for hackers, as these systems provide a direct gateway into an organization’s core network. Maintaining a proactive security posture, including timely patching and vigilant monitoring, is essential to defending against these evolving threats.
Source: https://go.theregister.com/feed/www.theregister.com/2025/09/26/cisco_firewall_flaws/
