Cisco firewall flaws endanger nearly 50,000 devices worldwide



Nearly 50,000 Cisco firewall devices with recently disclosed vulnerabilities are connected to the internet, according to new data.

Statistics from the Shadowserver Foundation illustrate the extent of the world’s exposure to the three flaws in Cisco’s Adaptive Security Appliance devices and Firepower Threat Defense devices, which earned a rare emergency patching directive from the Cybersecurity and Infrastructure Security Agency (CISA) after the Sept. 25 disclosure.

The United States has by far the most devices that have not been patched to block exploitation of the flaws, with Shadowserver tallying more than 19,000 vulnerable U.S. devices. The U.K. ranks second, with more than 2,700 vulnerable devices, followed by Japan, Germany and Russia. Other European countries have fewer than 1,000 vulnerable devices each.

Shadowserver’s records will reveal how quickly different countries are reducing their exposure as the organization continues collecting data in the coming days and weeks.

A sophisticated threat actor has been using two of the new Cisco flaws, CVE-2025-20362 and CVE-2025-20333, in a stealthy cyberattack campaign that has breached multiple federal agencies and other organizations worldwide. Both vulnerabilities involve improper validation of HTTPS requests, which could allow Cisco firewalls to accept malicious requests that bypass authentication. CVE-2025-20362 could allow hackers to access restricted VPN-related URLs, while CVE-2025-20333 could let intruders run arbitrary code as root.

Federal agencies have until the end of Thursday to confirm to CISA that they have patched or otherwise mitigated the vulnerabilities.


