
EPISODE · Nov 14, 2025 · 11 MIN

Cisco CVE Double Feature: ASA Firewall RCE + ISE Root Takeover (CVE-2025-20333, CVE-2025-20362, CVE-2025-20337)

from IT SPARC Cast

In this week’s IT SPARC Cast, John and Lou break down a Cisco security double feature—three critical vulnerabilities impacting Cisco ASA, Cisco Secure Firewall (FTD), and Cisco Identity Services Engine (ISE). These flaws include authentication bypass, chained remote code execution, and a CVSS 10.0 root-level compromise via an undocumented ISE API.

We explain how CVE-2025-20333, CVE-2025-20362, and the newly revealed CVE-2025-20337 work, why federal agencies issued emergency patch directives, and what immediate mitigation steps enterprise defenders must take. If you manage Cisco firewalls or identity systems, this episode is mandatory listening.

00:00 - Intro

01:05 - CVEs of the Week – Cisco ASA & FTD (CVE-2025-20333 & CVE-2025-20362)
• Two actively exploited Cisco firewall vulnerabilities enable authentication bypass and chained remote code execution.
• Attackers linked to ArcaneDoor/Storm-1849 are using CVE-2025-20362 to bypass authentication, paired with CVE-2025-20333 for full RCE device takeover.
• Compromised devices show unexpected reloads, disabled logs, and firmware persistence via ROMMON modification.
• Over 50,000 ASA/FTD systems remain exposed, many still unpatched.
• Emergency guidance from CISA and NCSC stresses immediate patching, disabling WebVPN/SSL, IP whitelisting, and checking for persistence or odd CLI behavior.
• Lou and John emphasize the need for a multi-vendor firewall strategy to avoid single-vendor blast-radius failures.

05:00 - Cisco ISE – CVE-2025-20337 (Root-Level RCE via Undocumented API)
• Amazon’s threat intelligence team discovered in-the-wild exploitation of an undocumented ISE API endpoint.
• This CVSS 10.0 vulnerability allows deserialization attacks leading to unauthenticated root-level access.
• Attackers deploy an advanced, stealthy web-shell (“IdentityAuditAction”) featuring:
– In-memory execution
– Java reflection thread injection
– Custom DES-encrypted C2
– No disk artifacts
• Exploitation activity dates back to at least May and may be earlier.
• Mitigation requires updating to patched ISE versions, segmenting management networks, monitoring unexpected listeners, and tightening inbound firewall policies.
• John and Lou reiterate that identity remains the “universal attack surface,” and poor segmentation continues to amplify enterprise risk.

09:26 - Listener Feedback
A viewer asked whether the F5 BIG-IP source code leak affects only the management plane or the data plane.
Answer: Both. Because the entire codebase was leaked, any subsystem could harbor latent zero-day attack surfaces—further stressing the importance of aggressive patching and hardened segmentation.

10:28 - Wrap Up
We appreciate every question, comment, and suggestion. Keep them coming.

IT SPARC Cast
@ITSPARCCast on X
https://www.linkedin.com/company/sparc-sales/ on LinkedIn

John Barger
@john_Video on X
https://www.linkedin.com/in/johnbarger/ on LinkedIn

Lou Schmidt
@loudoggeek on X
https://www.linkedin.com/in/louis-schmidt-b102446/ on LinkedIn

Hosted on Acast. See acast.com/privacy for more information.



