Skip to main content

The Vilkas Wire

Legacy Firewalls, Modern Bootkits: Lessons from the Cisco VPN Zero-Days

Sep 30, 2025 · By Ben Rollin

Defender Tips
Abstract of VPN hack

In September 2025, Cisco disclosed a set of critical zero-day vulnerabilities in its firewall platforms, including the Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD). These devices are the front line of enterprise networks, making the news particularly serious. Within hours, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring federal agencies to patch, isolate, or even disconnect affected firewalls within 24 hours.

At the core were two vulnerabilities in the remote access gateway that, when combined, enabled attackers to gain complete remote control of these devices. Cisco also addressed an additional flaw affecting multiple software families.


Why this matters for leaders

This is not a routine patch cycle. It is a real-world demonstration of what happens when aging infrastructure, unsupported hardware, and determined attackers collide. Firewalls are designed to protect businesses. When they become points of compromise, every system behind them is put at risk.

The campaign exploited many older Cisco 5500-X firewalls that are well past their support window. Unlike current-generation models, these lack modern safeguards designed to prevent tampering at a foundational level. Once compromised, attackers could dig deep enough into the device’s firmware to survive restarts, upgrades, and basic recovery efforts.

The message is blunt: equipment that lingers beyond its support lifecycle is no longer just inefficient; it becomes a business liability and a risk to continuity of operations.


Attacker tactics that raise concern

Attackers didn’t just break in. They installed persistence tools that essentially rewrote the device’s startup environment and hid their activity from IT teams. In practice, this gave them the ability to intercept administrator commands, erase logging records, bypass security controls, and delay system reboots to obstruct investigations.

This development builds on earlier global campaigns from 2023 to 2024, but with a significant escalation: the security technology itself has become untrustworthy. Logs could no longer be trusted to reflect reality, leaving organizations blind precisely where they rely most on visibility.


Global response and government alignment

CISA’s emergency directive made clear the urgency of this situation: organizations were instructed to locate every Cisco ASA and FTD device, apply Cisco’s patches immediately, gather forensic evidence, and disconnect unsupported models outright. Agencies in the UK, Canada, and Australia issued matching alerts, demonstrating that governments worldwide view this as a national security–level issue, not just an IT problem.

This coordinated response reflects a shift in thinking. Perimeter devices such as firewalls, VPN gateways, and remote access platforms are now top-tier targets for state-sponsored adversaries. Decision makers should treat them with the same level of scrutiny previously reserved for core enterprise systems.


Questions every executive should ask now

Leaders should not delegate this entirely to IT. Executives should be pressing for clear answers on the following questions:

  1. Where are our Cisco firewalls and VPN gateways, and which are out of support?
  2. How do we know those devices have not already been compromised?
  3. What methods do we have in place to detect tampering if the device itself conceals it?

  • Direct IT teams to apply Cisco’s emergency patches to every supported device without delay.
  • Mandate a formal plan to retire or replace unsupported appliances, beginning with end-of-life 5500-X models.
  • Require immediate rotation of VPN credentials and a cleanup of unused accounts.
  • Instruct that administrative access be restricted solely to trusted internal networks.
  • Ensure there is independent monitoring (such as external packet capture or flow analytics) so the business can validate what is happening, even if device logs cannot be trusted.
  • Instruct IT department heads to conduct regular review meetings with all infrastructure vendors to ensure a comprehensive understanding of ALL End of Life and End of Support dates. Doing so will ensure the business stays well ahead of these dates, holding hardware refresh design and planning meetings far in advance to avoid last-minute scrambles or running out-of-support hardware.

Beyond patching: assurance through testing

While patching is urgent, it does not guarantee that attackers are gone. Leaders should request a targeted penetration test explicitly focused on the organization’s firewall perimeter. Such testing validates whether backdoors remain, checks credential and account hygiene, and measures how well monitoring and response processes work when an attacker actively hides their tracks.


The broader lesson for boards and executives

Attackers are now investing heavily in compromising the very devices that businesses trust to protect them. Legacy hardware cannot keep up with this threat environment. Leaders need to think of firewall and remote access appliances not as static infrastructure but as active risk surfaces that must be tested, monitored, and refreshed on a defined lifecycle.

The reality is this: if the first line of defense can be turned against you, everything behind it is at stake. Boards and executives must treat perimeter security decisions as business-critical, not just technical housekeeping.


How penetration testing ties in

Patching is necessary, but it is not sufficient. You cannot assume that fixes worked or that devices are not compromised. A targeted penetration test can validate the things patches cannot guarantee:

  • Whether your VPN gateways still expose unintended access paths
  • If persistence mechanisms could still survive and operate undetected
  • Whether credential hygiene on VPN accounts is solid
  • How your detection and response processes behave when an attacker suppresses logs or tampers with configurations

The lesson from these zero-days is simple. Attackers will adapt more quickly than legacy hardware can defend against. Testing your perimeter as if it is already hostile is the only way to build confidence that your defenses hold up.


Have a question about this article or a security challenge of your own?

Vilkas Cybersecurity helps organizations uncover and fix real-world exposures, not just theoretical ones. Fill out the form and we'll get back to you shortly.

Loading form…