Despite repeated warnings, a large number of Cisco ASA and FTD (Firepower Threat Defense) firewalls remain vulnerable to critical flaws even as threat actors claim a breach of Red Hat’s GitLab instance. This dual threat vector highlights how persistent misconfiguration and supply-chain risk combine to weaken enterprise defenses.
Persistent Cisco ASA Vulnerabilities
Cisco recently published security advisories for CVE-2025-20333 and CVE-2025-20362, two vulnerabilities impacting the VPN web server component of its ASA/FTD platforms. These flaws allow unauthenticated remote code execution and authorization bypass in certain contexts.
Shadowserver scans still detect nearly 49,000 exposed ASA/FTD devices unpatched globally, despite Cisco’s push for immediate firmware updates. Several security sources, including BleepingComputer, have warned of active scanning and exploit attempts across these devices.
Organizations using ASA/FTD devices must not only patch, but verify integrity post-upgrade. Cisco further recommends resetting devices to factory defaults, reconfiguring, and rotating passwords and keys to remove residual compromise.
Red Hat GitLab Breach Claims & Confirmation
In parallel, threat actors associated with Crimson Collective claimed they breached Red Hat’s GitLab instance and exfiltrated 570 GB across more than 28,000 internal repositories, including 800 Customer Engagement Reports (CERs).
Red Hat officially confirmed a security incident tied to a self-managed GitLab instance used for consulting services, stating that they isolated the breach, removed unauthorized access, and initiated containment steps. They denied that the breach affected their product supply chain or other services.
Security analysts and advisory bodies warned that CERs potentially contain customer infrastructure details, tokens, keys, and network configurations, all of which could be weaponized by attackers against Red Hat’s customers.
Firewalls & Supply-Chain Threats
These two concurrent risks, exposed firewalls and breached supply-chain assets, form a dangerous synergy. If attackers exploit an unpatched ASA device as a pivot point, they may use stolen Red Hat CER data to map internal networks of target organizations. Conversely, an attacker who has compromised a customer environment using CER data could use those mapping insights to penetrate adjacent infrastructure.
Architecturally, the situation demands defense-in-depth across network, device, and supply-chain layers. Today’s threats no longer obey domain boundaries.
Recommended Defensive Actions
- Patch ASA/FTD devices immediately: apply Cisco’s updates for CVE-2025-20333 and CVE-2025-20362.
- Hard reset and reconfigure devices after patching. Replace credentials, regenerate certificates, and disable unnecessary services.
- Audit firewall logs for signs of suspicious access, especially to VPN web interfaces.
- In the Red Hat context, rotate all credentials and keys referenced in CERs and future deliverables.
- Segment network access so the firewall management plane is isolated and protected by MFA and limited IP ranges.
- Perform threat modelling where firewall vulnerabilities and supply-chain data overlap.
- Engage incident detection teams to correlate firewall exploit evidence with Red Hat breach indicators across your environment.
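The log-audit and management-plane-segmentation items above can be turned into a first-pass triage script. The following is an added example, not code from the article or from Cisco: it walks syslog lines in the style of ASA login-denied/permitted messages and flags bursts of failed logins from one source, successful logins from outside an allowed management range, and a success that follows a burst of failures. The sample log lines, the message field layout, the allowed source ranges and the failure threshold are all constructed assumptions for this example; adjust `LOGIN_RE` and `ALLOWED_MGMT_SOURCES` to your own exported logs and address plan.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample syslog lines in the style of Cisco ASA 605004/605005 login
# messages. The exact field layout is an assumption for this example, not copied
# from a real device; adjust LOGIN_RE to match your own exported logs.
SAMPLE_LOGS = """\
Oct 03 2025 10:01:02 fw1 %ASA-6-605004: Login denied from 203.0.113.45/51234 to outside:198.51.100.10/443 for user "admin"
Oct 03 2025 10:01:05 fw1 %ASA-6-605004: Login denied from 203.0.113.45/51240 to outside:198.51.100.10/443 for user "admin"
Oct 03 2025 10:01:09 fw1 %ASA-6-605004: Login denied from 203.0.113.45/51251 to outside:198.51.100.10/443 for user "admin"
Oct 03 2025 10:01:14 fw1 %ASA-6-605005: Login permitted from 203.0.113.45/51260 to outside:198.51.100.10/443 for user "admin"
Oct 03 2025 10:05:30 fw1 %ASA-6-605005: Login permitted from 10.20.30.40/40211 to management:10.20.0.1/443 for user "netops"
Oct 03 2025 10:07:12 fw1 %ASA-6-605005: Login permitted from 198.51.100.77/44002 to management:10.20.0.1/443 for user "netops"
Oct 03 2025 10:08:00 fw1 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.9/5555 (203.0.113.9/5555) to inside:10.1.1.5/443 (10.1.1.5/443)
"""

# Source ranges from which management-plane logins are expected (assumed values).
ALLOWED_MGMT_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.100.0/24"),
]

# Matches the assumed "Login denied/permitted from SRC/PORT to IFACE:DST/PORT for user" layout.
LOGIN_RE = re.compile(
    r'%ASA-\d-(?P<msgid>60500[45]): Login (?P<result>denied|permitted) from '
    r'(?P<src>[\d.]+)/\d+ to (?P<iface>\w+):(?P<dst>[\d.]+)/(?P<port>\d+) '
    r'for user "(?P<user>[^"]+)"'
)


def parse_login(line):
    """Return a dict for a login-denied/permitted line, or None for any other message."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    return {
        "result": m.group("result"),
        "src": ipaddress.ip_address(m.group("src")),
        "iface": m.group("iface"),
        "port": int(m.group("port")),
        "user": m.group("user"),
    }


def in_allowed_ranges(addr, ranges):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in ranges)


def audit_logins(lines, allowed_ranges=ALLOWED_MGMT_SOURCES, fail_threshold=3):
    """Walk log lines in order and produce findings for:
    - a burst of denied logins from one source (count reaches fail_threshold),
    - a permitted login from a source outside the allowed management ranges,
    - a permitted login from a source that had already hit the failure threshold.
    """
    failures = defaultdict(int)  # source address -> denied-login count so far
    findings = []
    for line in lines:
        ev = parse_login(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["result"] == "denied":
            failures[src] += 1
            if failures[src] == fail_threshold:
                findings.append({"type": "failed_login_burst", "src": str(src),
                                 "user": ev["user"], "count": failures[src]})
            continue
        # Permitted login: check origin and whether it follows a failure burst.
        if not in_allowed_ranges(src, allowed_ranges):
            findings.append({"type": "login_from_unexpected_source", "src": str(src),
                             "user": ev["user"], "iface": ev["iface"], "port": ev["port"]})
        if failures[src] >= fail_threshold:
            findings.append({"type": "success_after_failures", "src": str(src),
                             "user": ev["user"], "prior_failures": failures[src]})
    return findings


def summarize(findings):
    """Count findings by type for a quick triage view."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["type"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = audit_logins(SAMPLE_LOGS.splitlines())
    for f in results:
        print(f)
    print(summarize(results))
```

On the constructed sample the script raises four findings: the three denials from 203.0.113.45 reach the threshold, the permitted login that follows from the same address is outside the allowed ranges and also follows the burst, and the later management-interface login from 198.51.100.77 comes from an unexpected source. A hit on `login_from_unexpected_source` against the management interface is the signal that the segmentation item above is not enforced; the other two types are what to hand to the incident team for correlation.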
FAQs
Q: Are all Cisco ASA devices vulnerable?
A: No. The vulnerabilities affect devices running specific versions of ASA/FTD with the VPN web server (WebVPN) enabled. However, many units remain unpatched globally.
Q: Was Red Hat’s entire business impacted?
A: No. Red Hat confirmed the breach was limited to a consulting GitLab instance and not to its core product or supply-chain operations.
Q: What data was stolen in the Red Hat breach?
A: Reportedly, consultant repositories and infrastructure reports (CERs) containing client network configurations and internal artifacts.
Q: Can attackers combine the threats?
A: Yes. Exposed firewalls can serve as pivot points, while stolen CERs may guide attacker reconnaissance in target environments.
Q: What is the urgent priority?
A: Patch firewall vulnerabilities and rotate keys/credentials from exposed Red Hat deliverables first. Then conduct cross-correlation and threat hunting.