Hackers Exploit Cisco Firewall Zero-Days, CISA Issues Emergency Directive

ArcaneDoor threat actors demonstrate ROM manipulation capabilities, bypassing system reboots and upgrades.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an Emergency Directive ordering federal agencies to immediately identify and mitigate potential compromises of Cisco firewall devices, following the discovery of active exploitation of two critical zero-day vulnerabilities.

The vulnerabilities, CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362 (CVSS 6.5), affect Cisco Secure Firewall Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) software. Attackers are chaining these flaws to bypass authentication and execute malicious code on vulnerable devices configured as VPN endpoints.

Sophisticated Persistence Mechanism

What makes this campaign particularly concerning is the threat actor's ability to manipulate read-only memory (ROM) to maintain persistence through system reboots and software upgrades—a technique rarely seen in the wild. "This threat actor has demonstrated a capability to successfully modify ASA ROM at least as early as 2024," CISA warned.

The attacks are attributed to the ArcaneDoor group (also known as UAT4356/Storm-1849), which has previously targeted perimeter network devices from multiple vendors. Intelligence agencies from Australia, Canada, the UK, and the U.S. have collaborated on investigating this campaign.

The threat actors have implemented sophisticated evasion techniques, including:

  • Suppressing specific syslog messages (302013, 302014, 609002, 710005) to avoid detection
  • Disabling the checkheaps function that normally runs every 60 seconds
  • Using stolen credentials for "impossible travel" VPN connections across geographically distant U.S. locations
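A defender's first check for the syslog suppression described above is to look for the four message IDs being disabled in an ASA running configuration. The script below is an added example, not code from the article, CISA or Cisco; the configuration excerpt is constructed, and the check only catches configuration-level `no logging message` entries, so suppression done purely in memory would still require the core-dump analysis the directive calls for.

```python
import re

# Syslog message IDs the article reports the ArcaneDoor actors suppressing.
# 302013/302014: TCP connection built/torn down, 609002: local-host teardown,
# 710005: request to the device discarded.
SUPPRESSED_SYSLOG_IDS = {"302013", "302014", "609002", "710005"}

# Constructed sample of a 'show running-config logging' excerpt (not a real device)
SAMPLE_CONFIG = """
hostname asa-edge-01
logging enable
logging timestamp
logging buffered informational
no logging message 302013
no logging message 302014
no logging message 609002
no logging message 710005
no logging message 111008
"""

# ASA disables an individual syslog ID with 'no logging message <id>'
NO_LOGGING_MESSAGE_RE = re.compile(r"^\s*no logging message (\d{6})\b")


def find_disabled_syslog_ids(config_text):
    """Return every syslog ID disabled via 'no logging message' in the config."""
    disabled = set()
    for line in config_text.splitlines():
        match = NO_LOGGING_MESSAGE_RE.match(line)
        if match:
            disabled.add(match.group(1))
    return disabled


def check_arcanedoor_suppression(config_text):
    """Return, sorted, the disabled IDs that match the campaign's indicator set."""
    return sorted(find_disabled_syslog_ids(config_text) & SUPPRESSED_SYSLOG_IDS)


if __name__ == "__main__":
    hits = check_arcanedoor_suppression(SAMPLE_CONFIG)
    if hits:
        print("Suspicious syslog suppression found for IDs:", ", ".join(hits))
    else:
        print("No ArcaneDoor-associated syslog IDs are disabled in this config")
```

Run the same check against the output of `show running-config logging` from each ASA/FTD device in the inventory; any match for the four IDs warrants the core-dump collection the directive requires.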

Federal agencies must submit core dumps for analysis by September 26, 2025, and apply patches within 24 hours. Devices that cannot be updated must be permanently disconnected by the end of September.

Only specific Cisco ASA 5500-X series models running software releases 9.12 or 9.14 with VPN web services enabled have been confirmed compromised, but the vulnerability affects a broader range of devices.

Part of Broader Cisco Security Crisis

This emergency follows yesterday's disclosure of another actively exploited Cisco zero-day, CVE-2025-20352 (CVSS 7.7), affecting IOS and IOS XE software. That vulnerability, stemming from a stack-based buffer overflow in the SNMP subsystem, potentially impacts millions of network devices and allows attackers to crash systems or achieve root-level code execution through specially crafted SNMP packets.

The back-to-back zero-day disclosures highlight an escalating threat landscape targeting Cisco's network infrastructure, emphasizing the critical need for organizations to immediately inventory their Cisco devices, apply available patches, and monitor for the detection indicators outlined in Cisco's advisories.