CISA Issues Emergency Directive for Cisco ASA Zero-Day Vulnerabilities 

Cisco ASA Zero-Day Vulnerabilities: CISA Alert | CyberPro Magazine

Cisco has issued urgent advisories to customers regarding two critical zero-day vulnerabilities affecting its Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) software. The vulnerabilities, which are being actively exploited in the wild, target the VPN web server and pose severe security risks for organizations using these appliances.

Details of the Cisco ASA Zero-Day Vulnerabilities 

The two flaws, identified as CVE-2025-20333 and CVE-2025-20362, have been assigned CVSS scores of 9.9 and 6.5, respectively.

  • CVE-2025-20333 is a high-severity flaw caused by improper validation of user-supplied input in HTTP(S) requests. It could allow an authenticated remote attacker with valid VPN credentials to execute arbitrary code as root on an affected device by sending specially crafted HTTP requests.
  • CVE-2025-20362 allows unauthenticated remote attackers to access restricted URL endpoints, also through improperly validated HTTP(S) requests. While this vulnerability carries a lower CVSS score, its value for initial access makes it significant when combined with other flaws.

Cisco has confirmed “attempted exploitation” of both Cisco ASA Zero-Day Vulnerabilities and warned that attackers may chain these flaws to bypass authentication and execute malicious code on compromised appliances.

Immediate Mitigation Measures

Given the severity of the Cisco ASA Zero-Day Vulnerabilities, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive ED 25-03, instructing federal agencies to immediately identify, analyze, and mitigate potential compromises. Both CVEs have also been added to the Known Exploited Vulnerabilities (KEV) catalog, requiring agencies to implement mitigations within 24 hours.

Cisco customers are strongly advised to apply patches as soon as possible and review system configurations for signs of compromise. Security teams should monitor ASA and FTD appliances for unusual activity, including unauthorized access attempts or signs of ROM manipulation.

Threat Actor and Campaign Information

The ongoing exploitation campaign has been linked to a threat cluster identified as ArcaneDoor and attributed to the threat actor UAT4356 (also known as Storm-1849). According to CISA, this actor demonstrated the capability to manipulate ASA read-only memory (ROM) as early as 2024, potentially persisting through system reboots and upgrades.

ArcaneDoor activity typically targets perimeter network devices to deliver malware families such as Line Runner and Line Dancer, with the goal of gaining remote code execution and maintaining long-term access. While Cisco Firepower appliances’ Secure Boot functionality can detect ROM manipulation, organizations using ASA and FTD devices remain at high risk if patches are not applied promptly.

Cisco credited several international cybersecurity agencies for their support in investigating the vulnerabilities, including the Australian Signals Directorate (ASD), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security, and the U.K. National Cyber Security Centre (NCSC). This collaboration underscores the global significance of the ASA zero-day flaws and highlights the need for coordinated response efforts.

Recommendations for Organizations

Cybersecurity experts emphasize that organizations running Cisco ASA or FTD appliances should:

  1. Patch Immediately – Apply Cisco’s security updates to address CVE-2025-20333 and CVE-2025-20362 without delay.
  2. Review Logs and Alerts – Monitor system logs for suspicious VPN login attempts, unusual HTTP requests, or signs of unauthorized configuration changes.
  3. Audit Network Segmentation – Ensure that affected appliances are properly segmented and critical systems are protected against lateral movement.
  4. Consider Incident Response Readiness – Prepare to engage DFIR (Digital Forensics and Incident Response) services in case of compromise, particularly if ROM manipulation is suspected.
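As an added illustration of step 2 (this is example code, not from Cisco or CISA), the script below scans ASA syslog output for two of the signals named above: bursts of rejected VPN authentications from a single source and configuration commands issued from addresses outside an admin allowlist. The two message IDs it keys on, 113005 (AAA authentication rejected) and 111010 (user executed a command), are standard ASA syslog IDs, but the field layout used in the regexes is an approximation of the real format, the threshold and allowlist are assumptions, and every log line is constructed rather than captured from a real device.

```python
"""Triage Cisco ASA syslog for VPN auth-failure bursts and unexpected config changes.

Added example, not Cisco/CISA code. ASA message IDs 113005 and 111010 are real;
the exact field layout matched below is an approximation, and the sample log
lines are constructed for this example.
"""
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (not real captured data).
SAMPLE_LOGS = """\
Sep 25 2025 10:00:01 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 203.0.113.10
Sep 25 2025 10:00:02 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = asmith : user IP = 203.0.113.10
Sep 25 2025 10:00:03 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 203.0.113.10
Sep 25 2025 10:00:04 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = vpn : user IP = 203.0.113.10
Sep 25 2025 10:00:05 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = test : user IP = 203.0.113.10
Sep 25 2025 10:00:06 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = root : user IP = 203.0.113.10
Sep 25 2025 10:00:30 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bjones : user IP = 198.51.100.20
Sep 25 2025 10:00:45 asa-edge %ASA-6-113039: Group <VPN-Users> User <bjones> IP <198.51.100.20> AnyConnect parent session started.
Sep 25 2025 10:05:00 asa-edge %ASA-5-111010: User 'netops', running 'CLI' from IP '10.0.0.50', executed 'logging host inside 10.0.0.9'
Sep 25 2025 10:07:12 asa-edge %ASA-5-111010: User 'enable_15', running 'CLI' from IP '203.0.113.10', executed 'no logging enable'
"""

# 113005: AAA authentication rejected (approximate field layout).
AUTH_REJECT = re.compile(
    r"%ASA-\d-113005: AAA user authentication Rejected : reason = (?P<reason>[^:]+?) "
    r": server = \S+ : user = (?P<user>\S+) : user IP = (?P<ip>\S+)"
)
# 111010: a user ran a command from a given source IP (approximate field layout).
CONFIG_CMD = re.compile(
    r"%ASA-5-111010: User '(?P<user>[^']+)', running '(?P<app>[^']+)' "
    r"from IP '(?P<ip>[^']+)', executed '(?P<cmd>[^']+)'"
)


def parse_events(text):
    """Turn raw syslog text into a list of typed event dicts; unknown messages are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_REJECT.search(line)
        if m:
            events.append({"type": "auth_reject", **m.groupdict()})
            continue
        m = CONFIG_CMD.search(line)
        if m:
            events.append({"type": "config_cmd", **m.groupdict()})
    return events


def auth_reject_bursts(events, threshold=5):
    """Source IPs with at least `threshold` rejections -> {ip: (rejections, distinct users)}.

    Many distinct usernames from one source is the credential-guessing pattern;
    a single user failing a few times is ordinary noise and stays under threshold.
    """
    per_ip = Counter()
    users = defaultdict(set)
    for e in events:
        if e["type"] == "auth_reject":
            per_ip[e["ip"]] += 1
            users[e["ip"]].add(e["user"])
    return {ip: (n, len(users[ip])) for ip, n in per_ip.items() if n >= threshold}


def unexpected_config_changes(events, admin_ips):
    """Commands run from any IP not in the admin allowlist -> [(user, ip, command)]."""
    return [
        (e["user"], e["ip"], e["cmd"])
        for e in events
        if e["type"] == "config_cmd" and e["ip"] not in admin_ips
    ]


def triage(text, admin_ips, threshold=5):
    """Run both checks over a syslog blob and return the findings."""
    events = parse_events(text)
    return {
        "auth_bursts": auth_reject_bursts(events, threshold),
        "config_changes": unexpected_config_changes(events, admin_ips),
    }


if __name__ == "__main__":
    # Assumed allowlist of management hosts for this example.
    findings = triage(SAMPLE_LOGS, admin_ips={"10.0.0.50"})
    for ip, (n, distinct) in findings["auth_bursts"].items():
        print(f"auth burst: {ip} rejected {n} times across {distinct} usernames")
    for user, ip, cmd in findings["config_changes"]:
        print(f"config change from non-admin host: {user}@{ip} ran {cmd!r}")
```

Feed the script a real syslog export in place of `SAMPLE_LOGS` and tune `threshold` and `admin_ips` to the environment; a command such as `no logging enable` arriving from the same address that just generated an authentication burst is exactly the sequence step 4 above says should trigger DFIR engagement.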

For cybersecurity teams, the ASA zero-day campaign represents a critical reminder of the importance of proactive patch management, real-time monitoring, and rapid incident response. Given the scale of the threat, organizations should assume that unpatched devices are at immediate risk and take action accordingly.
