Attackers target SIP flaws in Cisco firewalls to overload devices
There are no patches or workarounds available for two software bugs found last week
Malicious actors are exploiting a Session Initiation Protocol-related (SIP) vulnerability in two Cisco products to trigger high CPU usage and take a system offline.
SIP is a signalling protocol used to set up and maintain real-time sessions, such as audio or video calls, online. The flaws, which are the result of incorrect handling of SIP traffic, can be exploited by an attacker "sending SIP requests designed to specifically trigger this issue at a high rate", according to the networking giant.
If exploited correctly, it could cause an affected device to reload, or trigger high CPU usage, leading to a denial-of-service (DoS).
The bug has been found in Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defence (FTD) software running on a host of Cisco's physical and virtual appliances. These include the 3000 Series Industrial Security Appliance, Adaptive Security Virtual Appliance, and Firepower 9300 ASA Security Module.
The vulnerability is being exploited if the output of 'show conn port 5060' (where port 5060 on a router is normally reserved for SIP traffic) shows a large number of incomplete SIP connections, and CPU usage is high.
Users can determine whether their software is affected by running the 'show version' command on the UI, with the bug found in ASA version 9.4 or FTD version 6.0 and above.
Other affected appliances include ASA 5500-X Series Next-Generation Firewalls, ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Adaptive Security Virtual Appliance (ASAv), Firepower Series 2100 and 4100 Series Security Appliance, and FTD Virtual (FTDv).
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
Cisco has said there are no patches available for the bug disclosed last week, nor any workarounds, with mitigation the only option for organisations affected. The company has set out four options for customers who may be under attack.
Disabling SIP inspection altogether will completely close the attack vector - but could break SIP connections. Blocking traffic from a specific IP address, presumed to be that of an attacker, meanwhile can be done using an access control list (ACL).
Users could also apply a filter on a 0.0.0.0 sent-by address since Cisco has seen offending traffic set to this invalid value, or implementing a rate limit on SIP traffic.
The networking giant's products and services are no stranger to abuse, with attackers previously exploiting a vulnerability in up to 168,000 unpatched IoT devices earlier this year to leave political messages.
Cisco first acknowledged the flaws through its Technical Services Advantage (TSA) technical support service, and says it will update its advisory should any patches be made available.

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.
-
Databarracks expands business resilience services with Acumen acquisitionNews The deal brings more than 100 business continuity customers into Databarracks' managed resilience offering
-
AI projects are stalling at mid-market firms – Google Cloud and Accenture want to solve thatNews The new scheme aims to help mid-market companies move from pilot to production faster than ever before
-
OpenAI expands 'Daybreak' cyber program: New tools, partnerships, and a cyber-focused GPT-5.5 aim to help 'patch the world'News The company has added new tools, signed up partners, and released its GPT-5.5-Cyber model more widely
-
AI is shrinking attack windows, and it’s forcing a complete rethink of cyber resilience – here’s how organizations can prepareNews Commvault has urged companies to improve their business continuity and resilience plans in the face of flaws spotted by AI
-
Anthropic targets vulnerability detection gains with Claude Security public beta — here's what users can expectNews The Claude Mythos developer is aiming for a more limited approach to cyber tooling for public consumption
-
Researchers warn millions of RDP and VNC servers are wide open to exploitationNews Researchers at Forescout spotted millions of RDP and VNC servers exposed online
-
Brace yourselves for a vulnerability explosion, Forescout warnsNews AI advances are helping identify software flaws at record pace and scale, but that's not the good news some would think
-
Ubuntu vulnerability exposes enterprises to root escalation, complete system compromiseNews The high-severity Ubuntu vulnerability allows an unprivileged local attacker to escalate privileges through the interaction of two standard system components
-
Security agencies issue warning over critical Cisco Catalyst SD-WAN vulnerabilityNews Threat actors have been exploiting the vulnerability to achieve root access since 2023
-
Millions of developers could be impacted by flaws in Visual Studio Code extensions – here's what you need to know and how to protect yourselfNews The VS Code vulnerabilities highlight broader IDE security risks, said OX Security