ADVISORY—Critical Cisco ASA/FTD Zero-Day Vulnerabilities Under Active Attack

Cisco has confirmed that two zero-day vulnerabilities in the VPN web server of Cisco Secure Firewall ASA and FTD Software are actively exploited in the wild. These vulnerabilities allow attackers to execute arbitrary code or bypass authentication, potentially leading to full device compromise.

Oveview:

• Date: 25 September 2025
• Severity: Critical (CVE-2025-20333 – CVSS 9.9) / High (CVE-2025-20362 – CVSS 6.5)
• Affected Products: Cisco Secure Firewall ASA and FTD Software with VPN web server features

Details of Vulnerabilities:

1. CVE-2025-20333 (CVSS 9.9, Critical):
   - Improper validation of user input in HTTP(S) requests
   - Exploitable by authenticated remote attackers with VPN credentials
   - Can lead to arbitrary code execution as root
2. CVE-2025-20362 (CVSS 6.5, High):
   - Improper validation of user input in HTTP(S) requests
   - Exploitable by unauthenticated remote attackers
   - Can access restricted URL endpoints without authentication

Threat Context:

• Exploitation is believed to involve chaining both vulnerabilities to bypass authentication and execute malicious code.
• The activity is linked to the ArcaneDoor threat cluster and threat actor UAT4356 (aka Storm-1849).
• Attacks may manipulate ASA ROM to persist through reboot and system upgrades.
• Suspected malware families involved: Line Runner and Line Dancer.

Actions Taken by Authorities:

• CISA has issued Emergency Directive ED 25-03, urging federal agencies to immediately identify, analyze, and mitigate potential compromises.
• Both vulnerabilities are now in the Known Exploited Vulnerabilities (KEV) catalog, requiring mitigation within 24 hours for federal agencies.

Recommendations:

1. Immediate Patching: Upgrade to Cisco software versions that address these vulnerabilities. Use Cisco Software Checker to identify affected releases.
2. Monitor VPN Traffic: Watch for unusual or unauthorized VPN access attempts.
3. Verify Device Integrity: Check for signs of ROM manipulation or persistent compromise.

References:

• Cisco Security Advisory: cisco-sa-asaftd-webvpn-z5xP8EUB
• https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices
• CVE-2025-20333 / CVE-2025-20362
  

Urgency: Immediate patching and monitoring are critical, as exploitation is ongoing and may lead to full device compromise.

If your organization has been impacted by this vulnerability and requires assistance, please contact us today.