Pretty vulnerable, its difficult for them not to be, even proftpd can be hacked pretty easily and its supposed to be one of the tougher ones to hack.......took one google search and 2 clicks to get the source code to crack the proftpd I run sometimes.
all it takes is some tcp/ip knowledge, good C programming skills, and knowing the RFC's..........any program which accepts input like an ftp daemon can usually be forced open with buffer overflows or by sending specially crafted packets which it isnt ready for
this is why places that provide these services take steps like putting the daemons in a chroot jail so if they get hacked the hacker doesnt get any further than the directory the daemon is running in and then doesnt have any tools to work with.......if he even has a shell to work with
most security on computers today is like a piece of candy, hard and crunchy on the outside, but soft and mushy on the inside........you get thru the initial outer layer and after that its easy
The toughest job when hacking networks is mapping them out, and finding out all the info about what services are running and on what kind of box........once you know that it gets pretty easy. This is why its very important to disable daemons that identify themselves by OS and and program release number when pinged........you ping an ftp for example and it comes up "warftpd 1.65" and you might as well write it off cause its a done deal, thats asking to get owned. WindowsXp running most freely available ftp services take like 5 seconds to hack into and get root. Once youve got root on a windows box its game over, windows has zero internal protection.
Depending on what ftp is running on that cisco it may be easy, it may be hard. Cisco's source code isnt freely available but their hardware is well known enough for most of the reverse engineering to be easy acquired these days. If it isnt setup this way already, disable the greeting message that idenitifes its release # and OS its runs on if it volunteers that when someone tries to log on. At least that will make it into a trial and error situation and most crackers would rather try something else unless its a grudge.