50,000 Cisco Firewalls Exposed - Cybersecurity Today

Cybersecurity Today – Episode: "50,000 Cisco Firewalls Exposed"

Host: Jim Love
Date: October 1, 2025

Episode Overview

This episode focuses on critical new cybersecurity threats affecting businesses and organizations worldwide. Host Jim Love walks listeners through three urgent vulnerabilities: exposed Cisco firewalls, a dangerous sudo flaw impacting Linux, and severe remote command weaknesses in Western Digital My Cloud devices. He concludes with a warning about rapid advances in AI voice cloning, underscoring the escalating risks for fraud and social engineering. Actionable advice is delivered throughout, targeting both technical and general listeners.

Key Discussion Points & Insights

1. Widespread Exposure of Cisco Firewalls

[00:12]

Scope of Exposure: Nearly 50,000 Cisco firewalls (ASA and Firepower Threat Defense devices) remain exposed to the Internet through two major vulnerabilities:
- CVE2025-2333: CVSS 9.9 (critical)
- CVE2025-2362: CVSS 6.5 (high)
Affected Models: Many vulnerable units are older 5500x series firewalls, at or nearing end of life.
Affected Regions: The majority of affected systems are in the United States.
Urgent Government Action: National security agencies from the US, Canada, France, Netherlands, and the UK have issued urgent warnings. The US Cybersecurity and Infrastructure Security Agency (CISA) mandated federal agencies patch within 24 hours.
Attacker Behavior: Tactics resemble last year’s Artain Door campaign, featuring:
- The Ray Initiator bootkit for persistence
- The Line Viper loader for additional malicious activity.
Security Guidance:

“If you can’t patch, replace.”
(Jim Love, [00:38])

2. Critical Sudo Vulnerability in Linux/Unix

[01:01]

Vulnerability Details:
- CVE 2020-532463 (CVSS 9.3) affects sudo versions before 1.9.17p1.
- Allows local attackers to exploit Schrute handling and execute arbitrary commands as root, even if not authorized in sudoers.
Current Status:
- The exploit is now active in the wild.
- Researchers disclosed it earlier this year.
- CISA added it to the known exploited vulnerabilities list.
- Federal agencies have received an urgent mitigation window.
Remediation:

"Everyone running Linux or Unix servers with older sudo must update to 1.9.17 P1 or later immediately."
(Jim Love, [01:28])

3. Remote Command Injection in Western Digital My Cloud Devices

[01:45]

Vulnerability Details:
- CVE 2020530247 (CVSS 9.8) allows attack via HTTP POST to the device web interface.
Firmware Updates:
- Firmware version 5.31.108 (released September 23) fixes supported models.
- Patch applies to PR2100, PR4100, EX4100, EX2 Ultra, Mirror Gen2, and others.
End-of-Support Risk:
- Some versions (DL2100, DL4100) are no longer supported and will not be patched.
Threat Implications:
- Unpatched devices are attractive targets for data theft, ransomware, or botnets because they run unattended.
Security Guidance:

"If you run My Cloud hardware, take a look, update it now or take it off the network until you can replace it."
(Jim Love, [02:14])

4. Real-Time AI Voice Cloning Escalates Vishing

[02:36]

New Development:
- Researchers have demonstrated real-time, responsive AI voice cloning that can convincingly simulate someone's voice during live calls — advancing "vishing" beyond old-school prerecorded attacks.
- The tool is currently kept private by its creators, but the threat is imminent.
Ease of Abuse:

"With only minutes of audio and a few hours of training, attackers can create calls that sound convincing enough to trick accountants, receptionists, or perhaps even family members."
(Jim Love, [02:52])
Mitigation Strategies:
- If your organization authorizes payments or access by phone:
  - Require written confirmation, dual approvals, or pre-agreed secret words
  - For family situations, establish verification phrases with relatives, especially elders
  - Never send money or credentials because of an unexpected call
Call to Action:

"If you don't already have these protections in accounting or high-risk roles, why not walk down there today and set them up?"
(Jim Love, [03:17])
"There's never been a piece of technology this powerful that wasn't weaponized. So let's take this as a given and let's take this as a bit of a fair warning and get on it today."
(Jim Love, [03:27])

Notable Quotes

"If you can’t patch, replace."
(Jim Love on end-of-life Cisco firewalls, [00:38])
"Everyone running Linux or Unix servers with older sudo must update to 1.9.17 P1 or later immediately."
(Jim Love, [01:28])
"If you run My Cloud hardware, take a look, update it now or take it off the network until you can replace it."
(Jim Love, [02:14])
"With only minutes of audio and a few hours of training, attackers can create calls that sound convincing enough to trick accountants, receptionists, or perhaps even family members."
(Jim Love, [02:52])
"There's never been a piece of technology this powerful that wasn't weaponized. So let's take this as a given and let's take this as a bit of a fair warning and get on it today."
(Jim Love, [03:27])

Timestamps for Important Segments

[00:12] – Cisco Firewall Vulnerabilities Overview
[01:01] – Critical Sudo Vulnerability on Linux/Unix Systems
[01:45] – Western Digital My Cloud Command Injection Flaw
[02:36] – Real-Time AI Voice Cloning as Next-Gen Social Engineering
[03:27] – Final Call to Action and Precautions

Summary

In this concise, actionable briefing, Jim Love alerts listeners to immediate and severe threats: thousands of Cisco firewalls exposed worldwide, a must-patch sudo bug in Linux, unprotected Western Digital storage devices, and the dawning age of real-time AI-powered vishing. The advice is clear: patch, isolate, or replace vulnerable systems; aggressively adopt strong verification and dual-authorization workflows for sensitive communications; and never underestimate how quickly new technologies can be turned against individuals and organizations. This episode is a succinct, vital update for anyone responsible for the security of networks, data, or people.

Transcript

A (0:00)

50,000 Cisco firewalls remain exposed as advanced attackers exploit new flaws, CISA warns A critical pseudo flaw lets attackers gain root on Linux Western Digital My cloud devices are hit by a critical remote command flaw and real time AI voice cloning takes vishing to the next level. This is Cybersecurity today. I'm your host Jim Love. Nearly 50,000 Cisco firewalls remain exposed to the Internet through two serious vulnerabilities, CVE2025 2333 with a CVSS score of 9.9 and CVE2025 2362 with a CVSS score of 6.5, affecting the Cisco ASA and Firepower Threat Defense devices. Shadow server scanning shows the bulk of vulnerable systems are in the United States, and national security agencies from the U.S. canada, France, Netherlands and the UK have issued urgent warnings. The U.S. cybersecurity and Infrastructure Security Agency ordered federal agencies to patch within 24 hours. Attackers appear to be reusing tactics used in last year's Artain Door campaign, deploying a bootkit called Ray Initiator for persistence and a loader dubbed Line Viper for follow on Activity. Many at risk devices are older 5500x series firewalls that are at or near end of life, and agencies are blunt if you can't patch, replace the U.S. cybersecurity and Infrastructure Security Agency has added a critical pseudo vulnerability to its known exploited vulnerabilities list, tracked as CVE 2020532463 with a CVSS score of 9.3. It affects sudo versions before 1.9.17 P1 and allows a local attacker to abuse the Schrute handling to execute arbitrary commands as root even if they're not authorized in Sudoerse. Researchers disclosed the bug earlier this year and it is now being actively exploited. CISA has given Federal Agenc an urgent mitigation window. Everyone running Linux or Unix servers with older sudo must update to 1.9.17 P1 or later immediately. Western Digital patched a critical remote command injection vulnerability in many my cloud models, CVE 2020530247 with a CVSS score of 9.8, which can be triggered via the device web interface with a crafted HTTP post. Firmware 5.31.108, released September 23, fixes the issue for supported models including PR2100, PR4100, EX4100, EX2, Ultra Mirror, Gen2, and others. Crucially, some models such as the DL2100 and the DL4100 are are end of support and will not receive patches. These NAS devices often run unattended for years. When they reach the end of support, they become long running liabilities that attackers can reliably target for data theft, ransomware or botnet recruitment. So if you run my cloud hardware, take a look, update it now or take it off the network until you can replace it. Researchers have demonstrated real time AI voice cloning that produces a live, responsive cloned voice during a phone call, turning vishy from a pre recorded impersonation into a real time social engineering risk. The team that developed this kept their framework private to avoid abuse, but they warned that if criminal groups don't already have this capability, they almost certainly will soon. With only minutes of audio and a few hours of training, attackers can create calls that sound convincing enough to trick accountants, receptionists, or perhaps even family members. If your organization relies on phone authorizations for payments or any other type of access, put stricter controls in place today. Require written confirmations, dual approvals, or pre agreed secret words. And for families, agree on a verification phrase with relatives and elders. Never send money or share credentials because of an unexpected call. If you don't already have these protections in accounting or high risk roles, why not walk down there today and set them up? There's never been a piece of technology this powerful that wasn't weaponized. So let's take this as a given and let's take this as a bit of a fair warning and get on it today. That's our show for today. You can reach me with tips, comments and even some constructive criticism at the Tech Newsday contact page. You can find that@technewsday.com or cat I'm your host Jim Love. Thanks for listening.