Cisco ASA (CVE-2025-20333) (CVSS: 9.9) (CVE-2025-20362) (CVSS: 6.5)

 Patch asap.

https://software.cisco.com/download/home/286285782/type/280775065/release/9.16.4%20Interim

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB

Cisco Security Advisory: Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote a

https://x.com/TheHackersNews/status/1971278285138268395?t=zA5NXTNfTvuWF557wLLXGw&s

Cisco ASA fixed version 9.16.4.85, 9.17.1.45, 9.18.4.47, 9.19.1.37, 9.20.3.7, 9.22.1.3

CVE-2025-20333

https://www.tenable.com/blog/cve-2025-20333-cve-2025-20362-faq-cisco-asa-ftd-zero-days-uat4356

CVE-2025-20333, CVE-2025-20362: Cisco Zero-Days Exploited | Tenable®

Cisco patched two zero-days in ASA and FTD, CVE-2025-20333, CVE-2025-20362, that were exploited by the same threat actor behind the ArcaneDoor campaign, UAT4356

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB

Cisco Security Advisory: Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firew

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote a

https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks

Cisco Event Response: Continued Attacks Against Cisco Firewalls

Home / Cisco Security Cisco Event Response: Continued Attacks Against Cisco Firewalls Version 1: September 25, 2025 Summary In May 2025, Cisco was engaged by multiple government agencies that provide

https://thecyberexpress.com/cisa-warns-of-cve-2025-20333/

CISA Warns Of CVE-2025-20333 In Cisco ASA Devices

CISA issues Directive 25-03 to address CVE-2025-20333 and related Cisco ASA threats, urging agencies to patch systems and mitigate active exploitation.

https://www.darkreading.com/vulnerabilities-threats/cisco-actively-exploited-zero-day-bugs-firewalls-ios

Bugs Targets Firewalls, IOS

Patch now: Cisco recently disclosed four zero-days, including three targeted by a nation-state actor previously behind the "ArcaneDoor" campaign.

https://www.cisa.gov/news-events/alerts/2025/09/25/cisa-directs-federal-agencies-identify-and-mitigate-potential-compromise-cisco-devices

Cisco ASA (CVE-2025-20333) (CVSS: 9.9) (CVE-2025-20362) (CVSS: 6.5)

Open Source Firewall

- **pfSense**

  - Latest version: 2.8.1

  - Release date: September 3, 2025

  - Key features: Traffic shaping, IDS, firewall, load balancing, web management, high stability

- **OPNsense**

  - Latest version: 25.7.2

  - Release date: August 20, 2025

  - Key features: Transparent proxy, IDS/IPS (Suricata), SSL VPN, weekly security patches, REST API, cloud/VM support

- **IPFire**

  - Latest version: 2.29 Core Update 197

  - Release date: September 18, 2025

  - Key features: Deep packet inspection, traffic reporting, DoS protection, VLAN support, technical team friendly

- **ClearOS**

  - Latest community version: 7.9.1 (no newer versions on main site, active as of 2024)

  - Latest activity: October 16, 2024

  - Key features: Simple UI, SMB/home focus, VPN, proxy, mail, IDS, etc.

- **Endian Firewall**

  - Latest version: 6.8.0

  - Release date: April 23, 2025

  - Key features: IDS/IPS, VPN, multi-uplink, content filtering, hardware and virtualized deployment support

- **IPCop**

  - Latest version: 2.1.9 (project is largely inactive, last update around 2015)

  - Release date: ~2015

  - Key features: Basic firewall, VPN, traffic shaping, more instructional/testing use

- **Untangle (Arista NG Firewall)**

  - Latest version: 17.3.0

  - Release date: May 2025

  - Key features: IDS/IPS, unified threat management, web filtering, threat prevention, virtual/cloud deployments supported

Open Source Firewall

美国（CVE）中国（CNVD / CNNVD / CICSVD）欧洲（EUVD）

特性	美国（CVE）
核心组织	MITRE Corporation（管理）
英文名称	Common Vulnerabilities and Exposures
成立时间	1999年
主要功能	唯一标识已知安全漏洞（标准化编号）
覆盖范围	全球，面向所有ICT产品与服务
重点产品/领域	所有类型软硬件产品（通用）
编号机制	使用独立CVE编号（CVE-YYYY-XXXXX）
与CVE关系	核心标准
运营模式	非营利、公开协作（MITRE主导）
特色/优势	全球通用标准，被广泛引用

特性	中国（CNVD / CNNVD / CICSVD）
核心组织	CNVD：CNCERT（国家互联网应急中心）
	CNNVD：CNITSEC（中国信息安全测评中心）
	CICSVD：CICS-CERT（国家工信安全中心）
英文名称	China National Vulnerability Database
	China National Vulnerability Database (CNNVD)
	China Industrial Control System Vulnerability Database (CICSVD)
成立时间	CNVD：2004年
	CNNVD：2007年
	CICSVD：2018年
主要功能	漏洞收集、通报、预警、技术支持与应急响应
覆盖范围	中国境内或由中国机构运营的系统与产品为主
重点产品/领域	通用IT系统、政府/关键基础设施、工业控制系统（CICSVD）
编号机制	使用CNVD编号（如CNVD-2025-XXXXX）或CNNVD编号（如CNNVD-2025-XXXXX）
与CVE关系	部分漏洞同步至CVE，但独立管理
运营模式	政府主导，国家级应急响应机制
特色/优势	本土响应迅速，政策联动强，覆盖工业控制

特性	欧洲（EUVD）
核心组织	ENISA（欧洲网络安全局）
英文名称	European Union Vulnerability Database (EUVD)
成立时间	2025年4月（正式发布）
主要功能	聚合、验证并发布欧盟范围内的网络安全漏洞信息
覆盖范围	欧盟境内ICT产品与服务，聚焦欧盟数字生态
重点产品/领域	IT产品、网络设备、云服务、关键基础设施、欧盟相关供应链
编号机制	使用EUVD自有ID（如EUVD-2025-XXXXX），仍保留CVE作为"替代ID"
与CVE关系	与CVE并行，引用CVE但不依赖其编号体系
运营模式	欧盟机构主导，公共平台，强调数字韧性与互操作性
特色/优势	强调漏洞利用状态分析、缓解措施建议，支持风险评估与事件响应

Reference:

CVE (Common Vulnerabilities and Exposures)：是一个国际公认的漏洞数据库，提供每个已知漏洞的标准化名称和描述。CVE 编号广泛用于漏洞跟踪和补丁管理。 

CNVD (China National Vulnerability Database)：中国国家信息安全漏洞共享平台，收集和发布与信息系统安全漏洞相关的信息。 CNCVE：可能指的是中国的一个漏洞数据库或标准，但根据搜索结果，没有找到具体的信息或定义。可能需要更多的上下文来确定确切的含义。 

CNNVD (China National Vulnerability Database of Information Security)：中国信息安全测评中心负责建设运维的国家信息安全漏洞库，提供信息安全漏洞的分析、验证、通报和修复消控工作。

https://zhuanlan.zhihu.com/p/575718368

https://bbs.sangfor.com.cn/forum.php?mod=viewthread&tid=288211

Https://www.cnblogs.com/Hardworking666/p/15866081.html 

Https://www.infoq.com/news/2025/06/cve-european-vulnerability-euvd/ 

美国（CVE）中国（CNVD / CNNVD / CICSVD）欧洲（EUVD）

TP-Link TL-WR1502X Travel Router firmware upgrade version 1.1.1

TP-Link TL-WR1502X Travel Router firmware upgrade version 1.1.1

How to resolve SSL error when access website which is using Hong Kong Post CA issued SSL cert?

When using Google Chrome to access, there are error message: "NET::ERR_CERT_AUTHORITY_INVALD"

Missing Cert on client machine:

Download:

https://www.digitalpolicy.gov.hk/en/our_work/digital_infrastructure/legal_framework/regulation/eto/doc/hk_post_root_3.zip

https://www.digitalpolicy.gov.hk/en/our_work/digital_infrastructure/legal_framework/regulation/eto/doc/hk_post_root_3_cross_signed_by_globalsign_car3.zip

https://www.digitalpolicy.gov.hk/en/our_work/digital_infrastructure/legal_framework/regulation/eto/doc/hk_post_e-cert_ssl_3-17.zip

You can use www.ssllab.com to check the website SSL cert's cert path to see any SSL cert is missing on your laptop.

Reference:

有關郵政署署長的披露紀錄-頁1 | 數字政策辦公室

How to resolve SSL error when access website which is using Hong Kong Post CA issued SSL cert?

Cisco ISR 4431 firmware upgrade from 17.03.04a to 17.09.07a

You can upgrade from 17.03.04a to 17.09.07a directly

The upgrade will take about 30 mins.

#1 Copy the image to the router and backup the config

#####USB#####

copy usb0:isr4400-universalk9.17.09.07a.SPA.bin bootflash:

copy system:running-config usb0:

####TFTP####

copy tftp:<ip>/isr4400-universalk9.17.09.07a.SPA.bin bootflash:

copy system:running-config tftp:<ip>

####FTP####

copy ftp://<username>:<password>@<location/directory> bootflash:

copy system:running-config ftp://<username>:<password>@<location/directory>

#Example

copy ftp://admin:123456@10.10.10.1/root bootflash:isr4400-universalk9.17.09.07a.SPA.bin

#2 Verify IOS checksum

FileName :  isr4400-universalk9.17.09.07a.SPA.bin

MD5 Checksum :    528c1c9424508bb5748217191a51012c

verify /md5 bootflash:isr4400-universalk9.17.09.07a.SPA.bin

#3 Verify the status of router

ter len 0

Sh clock

Show ip int brief

Show int des

Show ip ospf nei

Show ip arp

Show ver

Show cdp nei

Show run

show ip ospf neighbor

show crypto isa sa

show crypto sess brief

Sh ip route sum

Sh int trunk

Sh interface

Sh proc cpu his

sh inv

Sh environment all

sh license usage

sh license summary

sh license all

sh platform

sh platform hardware throughput crypto

sh platform hardware throughput level

Sh inter transceiver

Sh mac-add

Sh stand b

ter len 24

wr mem

#4a Upgrade the router

config t

no boot system

boot system flash bootflash:isr4400-universalk9.17.09.07a.SPA.bin

end

wr mem

#4b Verify the next bootfile of router

show boot

#Ensure it show your target IOS

#BOOT variable = bootflash:/<image.bin>,12;

reload

y

#4c *After reload* Verify the Version of router

show version

#5 Delete the old image

delete bootflash:<image.bin>

#6 Compare the configuration before and after upgrade software and verify the status of router

ter len 0

Sh clock

Show ip int brief

Show int des

Show ip ospf nei

Show ip arp

Show ver

Show cdp nei

Show run

show ip ospf neighbor

show crypto isa sa

show crypto sess brief

Sh ip route sum

Sh int trunk

Sh interface

Sh proc cpu his

sh inv

Sh environment all

sh license usage

sh license summary

sh license all

sh platform

sh platform hardware throughput crypto

sh platform hardware throughput level

Sh inter transceiver

Sh mac-add

Sh stand b

ter len 24

wr mem

Cisco ISR 4431 firmware upgrade from 17.03.04a to 17.09.07a