Attacks on Cisco ASA Zero-Day Duo Prompt CISA to Issue an Emergency Mitigation Directive


“An alarming situation has emerged for Cisco ASA customers as they need to urgently patch two security flaws.”

Cisco is urging customers to patch the VPN web server of its Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) software against two security flaws that have been exploited in the wild.


The two zero-day vulnerabilities are –

  • CVE-2025-20333 (CVSS score: 9.9) – Improper validation of user-supplied input in HTTP(S) requests could allow an authenticated remote attacker with valid VPN user credentials to execute arbitrary code as root on an affected device by sending crafted HTTP requests.
  • CVE-2025-20362 (CVSS score: 6.5) – Improper validation of user-supplied input in HTTP(S) requests could allow an unauthenticated remote attacker to reach restricted URL endpoints that would normally require authentication by sending crafted HTTP requests.

Cisco said it is aware of “attempted exploitation” of both vulnerabilities but did not disclose the scale of the attacks or who is behind them. The two flaws are believed to be chained: the unauthenticated access bug (CVE-2025-20362) to get past authentication, and the code-execution bug (CVE-2025-20333) to run malware on vulnerable devices.
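The first practical step for anyone responding to these advisories is deciding whether a given ASA already runs a fixed release, and Cisco ships fixes per release train, so a 9.18.4.x device must be compared against the 9.18 fix rather than the newest train overall. The Python helper below is an added example for this article, not code from Cisco or CISA. Its fixed-release table holds made-up placeholder values that must be replaced with the first fixed release per train from Cisco's advisory, the "show version" excerpt is constructed, and it handles ASA version strings only (FTD uses a different numbering scheme).

```python
import re

# Hypothetical fixed-release table keyed by ASA release train (major, minor).
# The values are made-up placeholders for illustration only: take the real
# first-fixed release for each train from Cisco's advisory for
# CVE-2025-20333 / CVE-2025-20362 before relying on this.
EXAMPLE_FIXED_BY_TRAIN = {
    (9, 18): (9, 18, 4, 60),
    (9, 20): (9, 20, 4, 5),
    (9, 22): (9, 22, 2, 0),
}

# Constructed 'show version' excerpt (not captured from a real device).
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.18(4)52
Device Manager Version 7.18(1)

Compiled on Mon 01-Jan-24 00:00 PST by builders
"""

# Matches '9.18(4)67', '9.18.4.67', '9.12(4)' and '9.18'; absent groups
# become 0 so every version compares as a 4-tuple.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:[.(](\d+)\)?)?(?:\.?(\d+))?")


def parse_asa_version(text):
    """Return (major, minor, maintenance, interim) for an ASA image.

    Accepts a bare version string in CLI or dotted form, or a whole
    'show version' output, in which case the 'Software Version' line wins.
    """
    m = re.search(r"Software Version\s+(\S+)", text)
    candidate = m.group(1) if m else text.strip()
    vm = _VERSION_RE.search(candidate)
    if vm is None:
        raise ValueError(f"no ASA version found in {candidate!r}")
    return tuple(int(g) if g else 0 for g in vm.groups())


def fmt(version):
    """Render a version tuple in the dotted form Cisco advisories use."""
    return ".".join(str(part) for part in version)


def assess(version_text, fixed_by_train):
    """Compare a device's version with the fixed release of its own train."""
    version = parse_asa_version(version_text)
    train = version[:2]
    fixed = fixed_by_train.get(train)
    result = {"version": fmt(version), "train": f"{train[0]}.{train[1]}"}
    if fixed is None:
        result["status"] = "unknown-train"
        result["action"] = ("train not in the fixed-release table; check the "
                            "advisory, and treat end-of-life trains as unfixable")
    elif version < fixed:
        result["status"] = "vulnerable"
        result["action"] = f"upgrade to {fmt(fixed)} or later, then hunt for compromise"
    else:
        result["status"] = "fixed"
        # ED 25-03 notes the actor's ROM modifications persist across upgrades,
        # so a patched box is not automatically a clean box.
        result["action"] = "patched; still verify the device was not compromised before the fix"
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_SHOW_VERSION, "9.20.4.10", "9.12(4)"):
        print(assess(sample, EXAMPLE_FIXED_BY_TRAIN))
```

The "unknown-train" outcome is deliberate: a train missing from the table is either a typo in the table or a release with no fix at all, and both deserve a human look rather than a silent "fixed".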

Cisco credited the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Canadian Centre for Cyber Security, the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) for assisting with the investigation.


CISA Issues Emergency Directive ED 25-03

Separately, CISA issued Emergency Directive ED 25-03, which requires federal agencies to immediately identify affected devices, assess them for compromise, and apply mitigations. The directive gives agencies 24 hours to complete the required actions, and both vulnerabilities have also been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.


“CISA is aware that Cisco Adaptive Security Appliances (ASA) are the focus of an ongoing exploitation campaign by an advanced threat actor.”

“The campaign is broad and uses read-only memory (ROM) manipulation to persist across system upgrades and reboots, as well as zero-day vulnerabilities to obtain unauthenticated remote code execution on ASAs. Victim networks are at serious risk from this action.

“At least as early as 2024, this threat actor has proven that they are capable of successfully altering ASA ROM.”

“Certain Cisco Firepower versions also contain these zero-day vulnerabilities in the Cisco ASA platform. The Secure Boot feature of Firepower appliances would identify the ROM modification.”


The agency added that the activity is linked to the threat cluster known as ArcaneDoor, which was previously observed targeting perimeter network devices from Cisco and other vendors to deploy malware families including Line Runner and Line Dancer. That campaign was attributed to a threat actor tracked as UAT4356 (also known as Storm-1849).

About The Author

Suraj Koli is a content specialist who writes about cybersecurity and information security, covering security concepts, the latest trends in cyber awareness, and ethical hacking.
