REWTERZ THREAT ADVISORY – CVE-2018-15454 – Cisco zero-day exploited to crash devices and cause Denial of Service

Friday, November 2, 2018

This advisory covers a recent Cisco zero-day vulnerability that is being
exploited in the wild to crash devices.





PUBLISH DATE: 02-11-2018




A zero-day vulnerability has been found in the Session Initiation Protocol (SIP) inspection engine of Cisco’s ASA and FTD
software. The vendor released an advisory stating that the vulnerability is being exploited in the wild. No software updates are available. However, Cisco has published some mitigation guidelines.






A zero-day vulnerability has been found in the Session Initiation Protocol (SIP) inspection engine of Cisco Adaptive
Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. By exploiting the vulnerability, an unauthenticated, remote attacker can cause an affected device to reload. The attacker can also cause a Denial of Service (DoS) condition by triggering high CPU usage.


Researchers found that the vulnerability is caused by improper handling of SIP traffic. It can be triggered by sending specially designed SIP requests at a high rate across an affected device.
The vendor has released an advisory stating that the vulnerability has been exploited in the wild to crash and reload devices.


Because SIP inspection is enabled by default in all ASA and FTD software packages, a large number of Cisco devices are believed to be vulnerable.

No software updates are available that address this issue.






Cisco confirmed that the following products are affected if they run ASA 9.4 and later, or FTD 6.0 and later:

3000 Series Industrial Security Appliance (ISA)

ASA 5500-X Series Next-Generation Firewalls

ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers

Adaptive Security Virtual Appliance (ASAv)

Firepower 2100 Series Security Appliance

Firepower 4100 Series Security Appliance

Firepower 9300 ASA Security Module

FTD Virtual (FTDv)





Cisco suggests that device owners take some precautions to keep their equipment from being crashed. These
mitigation techniques involve the following measures.


• Device owners are advised to disable SIP inspection.

• Once device owners track and identify an attacker’s IP address, they should block traffic from that IP address
using the ASA and FTD traffic filtering systems.

• Cisco claims that the malicious traffic associated with these attacks until now has used the IP address for
the “Sent-by Address” field. Using this information, firms can easily filter an attacker’s incoming traffic.
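
To check whether the first mitigation is actually in place, the following added example (not code from Rewterz or Cisco) audits an ASA running-config saved as text. It reports whether the version falls in the affected ASA 9.4-and-later range and which policy-maps bound by a `service-policy` still contain `inspect sip`. The sample configuration and the policy-map names in it are constructed for illustration.

```python
import re

# Constructed sample of an ASA running-config (not taken from a real device).
SAMPLE_CONFIG = """\
ASA Version 9.8(2)
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect sip
policy-map voice_policy
 class inspection_default
  inspect sip
policy-map lab_policy
 class inspection_default
  inspect ftp
!
service-policy global_policy global
service-policy lab_policy interface dmz
"""

def audit_sip_inspection(config):
    """Return (version_in_affected_range, applied policy-maps that still inspect SIP)."""
    version = re.search(r"^ASA Version (\d+)\.(\d+)", config, re.M)
    # The advisory lists ASA 9.4 and later as affected.
    affected = bool(version) and (int(version[1]), int(version[2])) >= (9, 4)

    sip_maps, applied, current = set(), set(), None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if not line[0].isspace():
            # A top-level line ends any policy-map block we were in.
            current = words[1] if words[0] == "policy-map" and len(words) > 1 else None
            if words[0] == "service-policy" and len(words) > 1:
                applied.add(words[1])
        elif current and words[:2] == ["inspect", "sip"]:
            sip_maps.add(current)
    # Only policy-maps bound by a service-policy actually inspect traffic.
    return affected, sorted(sip_maps & applied)

if __name__ == "__main__":
    print(audit_sip_inspection(SAMPLE_CONFIG))
```

A policy-map that contains `inspect sip` but is not bound by any `service-policy` (here `voice_policy`) is not reported, because it is not inspecting traffic.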

