In this week’s IT SPARC Cast, John and Lou break down a Cisco security double feature—three critical vulnerabilities impacting Cisco ASA, Cisco Secure Firewall (FTD), and Cisco Identity Services Engine (ISE). These flaws include authentication bypass, chained remote code execution, and a CVSS 10.0 root-level compromise via an undocumented ISE API.

We explain how CVE-2025-20333, CVE-2025-20362, and the newly revealed CVE-2025-20337 work, why federal agencies issued emergency patch directives, and what immediate mitigation steps enterprise defenders must take. If you manage Cisco firewalls or identity systems, this episode is mandatory listening.

00:00 - Intro

01:05 - CVEs of the Week – Cisco ASA & FTD (CVE-2025-20333 & CVE-2025-20362)

• Two actively exploited Cisco firewall vulnerabilities enable authentication bypass and chained remote code execution.

• Attackers linked to ArcaneDoor/Storm-1849 are using CVE-2025-20362 to bypass authentication, paired with CVE-2025-20333 for full RCE device takeover.

• Compromised devices show unexpected reloads, disabled logs, and firmware persistence via ROMMON modification.

• Over 50,000 ASA/FTD systems remain exposed, many still unpatched.

• Emergency guidance from CISA and NCSC stresses immediate patching, disabling WebVPN/SSL, IP whitelisting, and checking for persistence or odd CLI behavior.

• Lou and John emphasize the need for a multi-vendor firewall strategy to avoid single-vendor blast-radius failures.

⸻

05:00 - Cisco ISE – CVE-2025-20337 (Root-Level RCE via Undocumented API)

• Amazon’s threat intelligence team discovered in-the-wild exploitation of an undocumented ISE API endpoint.

• This CVSS 10.0 vulnerability allows deserialization attacks leading to unauthenticated root-level access.

• Attackers deploy an advanced, stealthy web-shell (“IdentityAuditAction”) featuring:

– In-memory execution

– Java reflection thread injection

– Custom DES-encrypted C2

– No disk artifacts

• Exploitation activity dates back to at least May and may be earlier.

• Mitigation requires updating to patched ISE versions, segmenting management networks, monitoring unexpected listeners, and tightening inbound firewall policies.

• John and Lou reiterate that identity remains the “universal attack surface,” and poor segmentation continues to amplify enterprise risk.

⸻

09:26 - Listener Feedback

A viewer asked whether the F5 BIG-IP source code leak affects only the management plane or the data plane.

Answer: Both. Because the entire codebase was leaked, any subsystem could harbor latent zero-day attack surfaces—further stressing the importance of aggressive patching and hardened segmentation.

⸻

10:28 - Wrap Up

We appreciate every question, comment, and suggestion. Keep them coming.

IT SPARC Cast

@ITSPARCCast on X

https://www.linkedin.com/company/sparc-sales/ on LinkedIn

John Barger

@john_Video on X

https://www.linkedin.com/in/johnbarger/ on LinkedIn

Lou Schmidt

@loudoggeek on X

https://www.linkedin.com/in/louis-schmidt-b102446/ on LinkedIn

Hosted on Acast. See acast.com/privacy for more information.