1 min read

ADVISORY—Critical Cisco ASA/FTD Zero-Day Vulnerabilities Under Active Attack

Picture of Ray Hicks Ray Hicks : Sep 25, 2025 3:44:34 PM

Asset Discovery Vulnerability Assessment Advisories
ADVISORY—Critical Cisco ASA/FTD Zero-Day Vulnerabilities Under Active Attack

Cisco has confirmed that two zero-day vulnerabilities in the VPN web server of Cisco Secure Firewall ASA and FTD Software are actively exploited in the wild. These vulnerabilities allow attackers to execute arbitrary code or bypass authentication, potentially leading to full device compromise.

Oveview:

  • Date: 25 September 2025
  • Severity: Critical (CVE-2025-20333 – CVSS 9.9) / High (CVE-2025-20362 – CVSS 6.5)
  • Affected Products: Cisco Secure Firewall ASA and FTD Software with VPN web server features

Details of Vulnerabilities:

  1. CVE-2025-20333 (CVSS 9.9, Critical):
    - Improper validation of user input in HTTP(S) requests
    - Exploitable by authenticated remote attackers with VPN credentials
    - Can lead to arbitrary code execution as root
  2. CVE-2025-20362 (CVSS 6.5, High):
    - Improper validation of user input in HTTP(S) requests
    - Exploitable by unauthenticated remote attackers
    - Can access restricted URL endpoints without authentication

Threat Context:

  • Exploitation is believed to involve chaining both vulnerabilities to bypass authentication and execute malicious code.
  • The activity is linked to the ArcaneDoor threat cluster and threat actor UAT4356 (aka Storm-1849).
  • Attacks may manipulate ASA ROM to persist through reboot and system upgrades.
  • Suspected malware families involved: Line Runner and Line Dancer.

Actions Taken by Authorities:

  • CISA has issued Emergency Directive ED 25-03, urging federal agencies to immediately identify, analyze, and mitigate potential compromises.
  • Both vulnerabilities are now in the Known Exploited Vulnerabilities (KEV) catalog, requiring mitigation within 24 hours for federal agencies.

Recommendations:

  1. Immediate Patching: Upgrade to Cisco software versions that address these vulnerabilities. Use Cisco Software Checker to identify affected releases.
  2. Monitor VPN Traffic: Watch for unusual or unauthorized VPN access attempts.
  3. Verify Device Integrity: Check for signs of ROM manipulation or persistent compromise.

References:

Urgency: Immediate patching and monitoring are critical, as exploitation is ongoing and may lead to full device compromise.

If your organization has been impacted by this vulnerability and requires assistance, please contact us today.
ADVISORY—Cactus Ransomware Strikes Again: A Sophisticated Social Engineering Threat

ADVISORY—Cactus Ransomware Strikes Again: A Sophisticated Social Engineering Threat

Picture of Rich Pasewark - CEO, Board Director Rich Pasewark - CEO, Board Director : Feb 14, 2025 9:37:38 AM

Recently, UncommonX analysts identified a new Cactus ransomware attack, which was verified by Threat Research Engineers at Cisco TALOS Threat...

Networks Cybersecurity 24/7 SOC Threat Detection Advisories
Read More
ADVISORY—Google Chrome Zero-Day Vulnerability (CVE-2025-6554)

ADVISORY—Google Chrome Zero-Day Vulnerability (CVE-2025-6554)

Picture of Ray Hicks Ray Hicks : Jul 1, 2025 5:03:13 PM

Google has released a security update addressing a zero-day vulnerability in the Chrome browser that is currently being actively exploited in the wild

Asset Discovery Cyber Resilience Vulnerability Assessment Advisories
Read More
ADVISORY—Privilege Exposure: What It Is and How to Mitigate It

ADVISORY—Privilege Exposure: What It Is and How to Mitigate It

Picture of Ray Hicks Ray Hicks : Feb 6, 2025 6:29:30 PM

Privilege exposure may seem minor but can lead to devastating security incidents if left unchecked. Many organizations, particularly small and...

Asset Discovery Cyber Resilience Vulnerability Assessment Advisories
Read More