SOCRadar® Cyber Intelligence Inc. | Cisco ASA, FTD Devices Under Active Attack via Zero-Days CVE-2025-20333 & CVE-2025-20362
Sep 26, 2025
Moon

Cisco ASA, FTD Devices Under Active Attack via Zero-Days CVE-2025-20333 & CVE-2025-20362

A newly disclosed wave of zero-day attacks is targeting Cisco firewall products, raising urgent concerns for network security teams. CVE-2025-20333 and CVE-2025-20362 are being exploited in the wild to gain root-level code execution, implant malware, and persist on the device across reboots and software upgrades, so the threat is significant.

In response to these active threats, CISA has issued an emergency directive to U.S. federal agencies, requiring immediate defensive actions; all organizations using Cisco Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software should take swift action.

What Are the CVEs Behind the Cisco Firewall Attacks?

Three vulnerabilities were disclosed by Cisco on September 25, 2025, with two of them already under active exploitation. These impact the Cisco Secure Firewall ASA and FTD software, widely deployed across enterprise and government networks.

CVE-2025-20333 (CVSS 9.9): Remote Code Execution via Web VPN

This critical vulnerability affects the VPN web server component of Cisco ASA and FTD software. Because user-supplied HTTP(S) input is not validated properly (a buffer overflow), an attacker who holds valid VPN credentials can craft malicious requests and execute arbitrary code as root on the device. On its own the flaw requires authentication; that requirement is what the second vulnerability below removes when the two are chained.

Details of CVE-2025-20333 (SOCRadar Vulnerability Intelligence)

In the confirmed attacks, adversaries have used this flaw to implant malware, execute commands, and keep control of the device even after a reboot. The risk is especially high for organizations running older 5500-X series models, which lack Secure Boot and Trust Anchor and therefore cannot detect a modified bootloader, making persistent infection far more feasible.

CVE-2025-20362 (CVSS 6.5): Unauthorized Access to Restricted URLs

This medium-severity vulnerability also affects the VPN web server. A missing authorization check lets a remote, unauthenticated attacker reach restricted URL endpoints that should require authentication.

Details of CVE-2025-20362 (SOCRadar Vulnerability Intelligence)

When chained with CVE-2025-20333, the authentication bypass lets an attacker reach the vulnerable code path without any VPN credentials, turning an authenticated RCE into unauthenticated remote control of the device and drastically increasing the risk profile. Like the previous flaw, exploitation has been observed in the wild.

Another Critical Cisco Vulnerability Revealed: CVE-2025-20363 (CVSS 9.0)

A third vulnerability, CVE-2025-20363, was disclosed alongside the exploited flaws. Cisco's advisory cites no evidence of public exploitation or active use, but the vulnerability remains critical because of its potential impact: it allows arbitrary code execution as root. It affects a broader range of Cisco platforms, including IOS, IOS XE, and IOS XR, in addition to ASA and FTD software. On ASA and FTD it is reachable by an unauthenticated remote attacker; on IOS, IOS XE, and IOS XR the attacker needs low-privileged authenticated access. In both cases Cisco notes that exploitation also requires the attacker to gather additional information about the target and overcome exploit mitigations.

Details of CVE-2025-20363 (SOCRadar Vulnerability Intelligence)

For more details and a complete list of Cisco’s official vulnerability advisories, visit the Cisco Security Advisory portal.

How Are Attackers Exploiting These Vulnerabilities?

According to Cisco and CISA’s emergency directive, attackers are conducting coordinated, widespread attacks leveraging CVE-2025-20333 and CVE-2025-20362.

They have demonstrated a high level of sophistication, including:

  • Persistence via ROMMON (the ROM monitor bootloader) modification, surviving device reboots and software upgrades.
  • Disabling logging and intercepting CLI commands on the compromised device to avoid detection.
  • Intentionally crashing devices to hinder forensic analysis of memory.

The ROMMON persistence has been observed on older 5500-X series models, which lack Secure Boot and Trust Anchor technologies and therefore have no hardware-rooted way to verify the bootloader. These models have either reached or are approaching end of support, which makes them particularly exposed to persistent compromise.

The exploitation has been attributed to the same actor behind the ArcaneDoor campaign, which previously abused other zero-day flaws in Cisco ASA and FTD products. In the current intrusions the RayInitiator bootkit (the ROMMON implant) and the LINE VIPER user-mode loader have been deployed to maintain control and exfiltrate data; the 2024 ArcaneDoor intrusions used the earlier Line Dancer and Line Runner implants.

SOCRadar’s Vulnerability Intelligence, Cyber Threat Intelligence module

SOCRadar’s Cyber Threat Intelligence module empowers security teams with real-time insights into actively exploited CVEs like CVE-2025-20333 and CVE-2025-20362. Get early warnings, patch intelligence, and threat context before attackers reach your perimeter.

Which Devices Are at Risk?

Any ASA or FTD device running an affected software release is vulnerable to the two exploited flaws if its VPN web services are reachable. The devices most at risk of persistent compromise are:

  • ASA 5512-X, 5515-X, 5525-X, 5545-X, 5555-X, 5585-X (all lack Secure Boot and Trust Anchor, so a modified ROMMON is not detected)
  • Any Cisco Secure Firewall or Firepower device with SSL VPN or IKEv2 client services enabled on an internet-facing interface

What CISA’s Emergency Directive Means for Cisco ASA and FTD Security

CISA mandates urgent actions for all Federal Civilian Executive Branch (FCEB) agencies:

  • Identify all Cisco ASA and Firepower devices in their environments.
  • Collect memory data and transmit it to CISA for forensic analysis by 11:59 PM EDT on September 26, 2025.
  • Assess devices for compromise using CISA-provided tools and techniques.
  • Disconnect any end-of-support ASA devices no later than September 30, 2025.
  • Patch uninfected devices by 12:00 PM EDT on September 26, 2025.

CISA also urges all organizations, public and private, to review the directive and adopt similar countermeasures where applicable.

How to Respond: Mitigation and Recovery for Cisco ASA and FTD Devices

  1. Upgrade to Fixed Software Releases

Cisco has released fixed software for the affected ASA and FTD releases; trains that are already past software maintenance must be migrated to a fixed release. On compromised 5500-X devices, upgrading to a fixed release also replaces the ROMMON and thereby removes the persistence implant. Look for a firmware_update.log file on the device's flash (disk0:) to confirm that the ROMMON update took place.

  2. Disable SSL VPN and IKEv2 Client Services (Temporary Mitigation)

If immediate patching is not possible, reduce the attack surface of the VPN web server:

  • Disable IKEv2 client services: removes the HTTPS service used for VPN client software and profile updates over IKEv2.
  • Disable SSL VPN: stops web-based remote access entirely.

These steps are only temporary and do not fully mitigate the threat; they also interrupt remote-access VPN for users. Upgrading is the only long-term solution.

  3. Rebuild Device Configurations Post-Compromise

Devices suspected of compromise should be reset to factory defaults, and all configuration material (passwords, pre-shared keys, certificates and private keys) must be recreated from scratch rather than restored from a backup taken while the device was compromised.

Commands:

  • Use configure factory-default if available.
  • Or use write erase followed by reload.

  4. Disconnect End-of-Life Devices
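Before applying the temporary mitigation it helps to know which of your devices actually have the VPN web server exposed, and on which chassis. The script below is an added example (not SOCRadar or Cisco code) that triages saved `show version`, `show running-config` and `dir disk0:` output offline: it reports the chassis model and whether it is one of the 5500-X models listed above, finds the interfaces where SSL VPN (`webvpn` / `enable <interface>`) or IKEv2 client services (`crypto ikev2 enable <interface> client-services`) are turned on, emits the corresponding disable commands, and checks for `firmware_update.log` after an upgrade. The sample command output embedded in it is constructed, not captured from a real device; capture the real commands from your own appliances and feed them in.

```python
"""Offline triage of Cisco ASA command output for the exposure conditions this page
describes. Added example, not Cisco or SOCRadar code. The sample output below is
constructed to resemble real ASA output; replace it with captures from your devices."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# 5500-X chassis the page lists as lacking Secure Boot / Trust Anchor.
LEGACY_5500X = {"ASA5512", "ASA5515", "ASA5525", "ASA5545", "ASA5555", "ASA5585"}


@dataclass
class Triage:
    model: Optional[str] = None
    webvpn_interfaces: List[str] = field(default_factory=list)
    ikev2_client_services: List[str] = field(default_factory=list)
    firmware_update_log: bool = False

    @property
    def legacy_no_secure_boot(self) -> bool:
        return self.model in LEGACY_5500X

    @property
    def vpn_web_exposed(self) -> bool:
        # Either setting is one of the two temporary mitigations the page lists.
        return bool(self.webvpn_interfaces or self.ikev2_client_services)

    def mitigation_commands(self) -> List[str]:
        """Config-mode commands that undo the exposed settings found in the config."""
        cmds: List[str] = []
        if self.webvpn_interfaces:
            cmds.append("webvpn")
            cmds.extend(f" no enable {ifc}" for ifc in self.webvpn_interfaces)
        cmds.extend(f"no crypto ikev2 enable {ifc} client-services"
                    for ifc in self.ikev2_client_services)
        return cmds


def parse_show_version(text: str) -> Optional[str]:
    """Return the chassis model from the 'Hardware:' line, e.g. 'ASA5525'."""
    m = re.search(r"^Hardware:\s+(ASA\d+)", text, re.MULTILINE)
    return m.group(1) if m else None


def parse_running_config(text: str) -> Tuple[List[str], List[str]]:
    """Interfaces with SSL VPN enabled (top-level 'webvpn' block, ' enable <if>')
    and interfaces with IKEv2 client services enabled. The indented 'webvpn'
    inside 'group-policy ... attributes' is a different block and is skipped."""
    webvpn_ifs: List[str] = []
    ikev2_ifs: List[str] = []
    in_webvpn = False
    for line in text.splitlines():
        if not line.startswith(" "):          # a new top-level statement
            in_webvpn = line == "webvpn"
            m = re.match(r"crypto ikev2 enable (\S+) client-services\b", line)
            if m:
                ikev2_ifs.append(m.group(1))
            continue
        if in_webvpn:
            m = re.match(r" enable (\S+)", line)
            if m:
                webvpn_ifs.append(m.group(1))
    return webvpn_ifs, ikev2_ifs


def has_firmware_update_log(dir_output: str) -> bool:
    """True if 'dir disk0:' output lists firmware_update.log (written on ROMMON update)."""
    return any(tok == "firmware_update.log" for tok in dir_output.split())


def triage(show_version: str, running_config: str, dir_disk0: str) -> Triage:
    webvpn_ifs, ikev2_ifs = parse_running_config(running_config)
    return Triage(parse_show_version(show_version), webvpn_ifs, ikev2_ifs,
                  has_firmware_update_log(dir_disk0))


# Constructed sample output (not captured from a real device).
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.12(4)
Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
"""
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
crypto ikev2 enable outside client-services port 443
webvpn
 enable outside
 anyconnect enable
group-policy GroupPolicy_1 attributes
 webvpn
  anyconnect keep-installer installed
"""
SAMPLE_DIR_DISK0 = """\
Directory of disk0:/
8      -rwx  4096   12:00:00 Sep 26 2025  asa9-12-4-smp-k8.bin
9      -rwx  512    12:05:00 Sep 26 2025  firmware_update.log
"""

if __name__ == "__main__":
    t = triage(SAMPLE_SHOW_VERSION, SAMPLE_RUNNING_CONFIG, SAMPLE_DIR_DISK0)
    print(f"model={t.model} legacy_5500X={t.legacy_no_secure_boot} "
          f"vpn_web_exposed={t.vpn_web_exposed} firmware_update_log={t.firmware_update_log}")
    print("\n".join(t.mitigation_commands()))
```

A device that is both a legacy 5500-X and VPN-web exposed is the priority case: patch or disable first, and treat the absence of `firmware_update.log` after an upgrade as a reason to verify that the ROMMON was actually replaced rather than assume it.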

Any devices past their last support date should be removed from your network.

A list of impacted and end-of-life devices, along with upgrade and mitigation guidance, is available on Cisco’s event response page.

Also Important: Cisco’s Latest SNMP Vulnerability Updates

Cisco also recently released a bundle of security advisories addressing issues in the SNMP subsystem of IOS and IOS XE software. These advisories covered 17 vulnerabilities in total: nine rated high and eight medium severity. The most urgent, CVE-2025-20352, is a zero-day already exploited in the wild. An attacker with low-privileged SNMP access (a valid SNMPv2c read-only community string or SNMPv3 credentials) can crash the device for a Denial of Service (DoS), and an attacker who also holds administrative credentials can achieve RCE as root.

Map and Monitor Your Entire Attack Surface with SOCRadar

Today’s threats do not stop at firewalls – and neither should your visibility. SOCRadar’s Attack Surface Management (ASM) module helps security teams discover and monitor exposed digital assets across your entire infrastructure.

Monitor your company assets and vulnerabilities with SOCRadar’s Attack Surface Management module

Key capabilities of the ASM module include:

  • Continuous discovery of internet-facing assets and services
  • Real-time exposure monitoring and alerting
  • Vulnerability detection across web apps, ports, and domains
  • Shadow IT identification and prioritization
  • Geo-distributed scanning for global visibility

Proactively secure your perimeter before threat actors exploit it.