Roughly 48,800 internet-exposed Cisco ASA and FTD firewalls remain vulnerable to two actively exploited zero-day flaws (CVE-2025-20333 and CVE-2025-20362), despite warnings and patches being issued as of September 2025. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has responded by issuing Emergency Directive 25-03, mandating all federal civilian agencies to inventory affected devices, perform forensic analysis, and patch or isolate compromised systems by very tight deadlines. The vulnerabilities allow remote code execution and unauthorized access, and threat actors have demonstrated firmware persistence techniques to survive reboots and upgrades. Security firms tie the campaign to the ArcaneDoor (aka Storm-1849 / UAT4356) espionage group, with possible state backing and a history of targeting perimeter devices. Cisco alongside global cybersecurity agencies (like the UK’s NCSC) have urged immediate remediation and outlined that no viable workaround exists.
Sources: Bleeping Computer, TechRadar
Key Takeaways
– These vulnerabilities permit either remote code execution with valid VPN credentials (CVE-2025-20333) or unauthenticated access to restricted VPN endpoints (CVE-2025-20362), and the two can be chained together.
– The threat actors have demonstrated advanced persistence via modifications to read-only memory (ROM), enabling malicious payloads to survive reboots and upgrades.
– CISA’s Emergency Directive 25-03 forces federal agencies to act within hours, making this a high-stakes situation; organizations outside government are also strongly urged in industry advisories to treat the risk seriously.
In-Depth
In late September 2025, Cisco publicly acknowledged that two zero-day vulnerabilities in its Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) products—CVE-2025-20333 and CVE-2025-20362—were being actively exploited in the wild. The first vulnerability, CVE-2025-20333, is a remote code execution flaw that requires valid VPN credentials. An attacker who controls that channel can craft HTTP(S) requests to execute arbitrary code as root on the affected system. Cisco rates the severity at 9.9 (critical). The second, CVE-2025-20362, is a missing authorization issue that allows access to restricted web endpoints without authentication. Together, the two can be chained to overcome credential barriers and fully compromise a firewall. Cisco has confirmed evidence of exploitation using both.
The urgency is heightened by the stealth of the attacks. Adversaries have reportedly modified the firmware or bootloader (ROM) of compromised devices so that their presence persists across reboots and software upgrades. Indicators of compromise include disabled logging, suppression of CLI commands, and intentional crashing of devices to thwart detection. Cisco’s Event Response team and external researchers believe the attacker used both vulnerabilities in the current campaign.
In response, CISA issued Emergency Directive 25-03, compelling all federal civilian agencies to locate every ASA and Firepower device in their networks, collect memory dumps and forensic data, and patch or disconnect vulnerable units by a hard deadline (reports suggest by September 26 or shortly after). The vulnerabilities were simultaneously added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, increasing regulatory pressure. Though the directive formally applies to the U.S. federal civilian sphere, many security vendors and national agencies have warned private and critical infrastructure operators to heed the same mitigation guidance.
The threat actor behind these exploits is believed to be ArcaneDoor (also tracked as UAT4356 or Storm-1849). This group has been tied to prior espionage campaigns targeting Cisco devices, dating back to early 2024, and analysts from firms such as Palo Alto’s Unit 42 have linked this latest campaign as a resurgence or continuation of earlier intrusion activity. Some threat intelligence firms suggest connections to state-affiliated cyber operations, with certain scans and infrastructure overlap pointing toward Chinese networks (though attribution remains non-public and unconfirmed).
From a defense standpoint, the situation is grave because no effective mitigations short of applying patches or disabling vulnerable features exist. Cisco itself states that there is no workaround that fully removes the risk. System administrators are urged to follow Cisco’s patch guidance precisely, reimage or replace compromised hardware, monitor for anomalous traffic, and tighten exposure of VPN/web interfaces. In many cases, legacy or end-of-life devices must be removed entirely.
Because perimeter firewalls like ASA and FTD are central to network defenses, compromising them opens the door to full network infiltration: attackers may intercept or redirect traffic, plant lateral footholds, and exfiltrate sensitive data undetected. Given how long adversaries may have been probing or operating (some reconnaissance activity dates back to late 2024), organizations should assume compromise is possible until proven otherwise. The speed of response matters: once patches or vulnerability details are public, adversaries often escalate attack volume. The window is narrow, and in this case, the pressure is real.