Cybersecurity Threat Advisory: Cisco ASA zero-day vulnerability

Threat actors are actively exploiting two zero-day vulnerabilities in Cisco Secure Firewall Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) software. CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362 (CVSS 6.5) are being chained so that an unauthenticated attacker first bypasses authentication and then executes code as root on the device. In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive ED 25-03, mandating that federal agencies identify, mitigate, and patch affected systems within 24 hours. Continue reading this Cybersecurity Threat Advisory to learn how to reduce your organization's exposure and defend against these threats.

What is the threat?

CVE-2025-20333 is an improper input validation vulnerability in the handling of HTTP(S) requests by the VPN web server of ASA and FTD. An attacker holding valid VPN user credentials can exploit it to execute arbitrary code as root, giving full control of the device. CVE-2025-20362 is a related flaw in the same web server that lets an unauthenticated remote attacker reach restricted URL endpoints without authenticating.

Threat actors are chaining the two: CVE-2025-20362 supplies the missing authentication, and CVE-2025-20333 then provides root-level code execution, so the combined attack needs no credentials at all. The campaign has been attributed to the ArcaneDoor actor tracked as UAT4356 by Cisco Talos and as Storm-1849 by Microsoft, a sophisticated group known for targeting perimeter network devices and, in the ArcaneDoor activity first documented in 2024, for deploying the Line Runner and Line Dancer malware families.

Observed tradecraft includes tampering with the device's ROM boot firmware (ROMMON) so that the implant persists across reboots and software upgrades, which makes remediation significantly harder: reimaging the ASA software alone does not remove it. FTD software, which runs on Firepower hardware, is affected as well. Secure Boot is a hardware capability of newer platforms rather than a configuration option; models that support Secure Boot and Trust Anchor can detect ROMMON tampering, while older models that lack it cannot.

Why is it noteworthy?

These vulnerabilities pose a serious risk due to their critical severity and confirmed active exploitation in the wild. The inclusion of CVE-2025-20333 and CVE-2025-20362 in CISA’s Known Exploited Vulnerabilities (KEV) catalog, along with the issuance of Emergency Directive ED 25-03, highlights the urgency for immediate action.

Attackers' ability to bypass authentication and gain root-level control of perimeter security devices could lead to widespread operational and security disruptions. This is especially concerning for organizations that rely on Cisco ASA and FTD appliances to protect sensitive network infrastructure, since the compromised device is the very control that is supposed to be watching the traffic.

What is the exposure or risk?

The risks posed by these vulnerabilities are both severe and far-reaching. Successful exploitation grants attackers root-level administrative control over Cisco ASA and FTD appliances, devices that often serve as the first line of defense for organizations' networks.

With this level of access, adversaries can intercept or manipulate network traffic, disable security controls, and establish persistent backdoors that survive reboots and upgrades. Compromised devices may also serve as a launchpad for lateral movement, allowing attackers to escalate privileges and target other critical systems. This could result in the theft of sensitive data, deployment of ransomware, or disruption of essential services—leading to significant financial, operational, and reputational damage.

Devices that are publicly accessible or internet-facing and running unpatched versions are at the highest risk. A successful compromise could trigger cascading effects across interconnected networks, undermining the security and reliability of critical infrastructure.

What are the recommendations?

Barracuda recommends the following actions to reduce the risk of exploitation and protect critical network infrastructure from these and similar threats:

  • Apply Cisco's fixed software releases for CVE-2025-20333 and CVE-2025-20362 as soon as possible; there is no configuration workaround that fully mitigates the chain.
  • Restrict access to ASA and FTD management interfaces (ASDM/HTTPS and SSH) to trusted networks only, and enforce strong multi-factor authentication (MFA) for all administrative and VPN accounts.
  • Remove unnecessary internet-facing services from the appliances themselves. The vulnerable component is the VPN web server, so any HTTP(S) service that does not need to be reachable from the internet should not be.
  • Implement continuous monitoring for unusual HTTP(S) requests to the VPN web server, bursts of failed login attempts, and unexpected configuration changes, especially on perimeter devices. Forward logs off the device, since an attacker with root can alter or suppress local logs.
  • Check ASA and FTD appliances for unauthorized ROMMON modifications following Cisco's guidance. Secure Boot cannot simply be switched on: platforms that lack Secure Boot and Trust Anchor cannot detect this tampering, so prioritize replacing them and treat any such device that was exposed as potentially compromised.
  • Use network segmentation, intrusion detection/prevention systems (IDS/IPS), and strict access controls to limit the blast radius of a compromised appliance.
  • Regularly audit configurations and patch levels, and train IT/security teams to recognize and respond to exploitation attempts linked to ArcaneDoor and similar threat actors.
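As an added example illustrating the access-restriction and monitoring recommendations above (this is not code from the advisory, from Cisco, or from Barracuda), the following Python script audits an ASA running-config excerpt for management services reachable from untrusted networks and scans ASA syslog lines for repeated authentication failures and administrator commands, including commands that would themselves widen exposure. The config excerpt and log lines are constructed samples; the interface names, the syslog message IDs and field layouts (113005, 605004, 605005, 111008, 111010), and the failure threshold are assumptions to verify against your own exports.

```python
import re
from collections import Counter

# Constructed sample running-config excerpt; not taken from any real device.
# The weak lines are the two "0.0.0.0 0.0.0.0 outside" entries, which admit
# management connections from any address on the internet-facing interface.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface Management0/0
 nameif management
 security-level 100
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.20.0.0 255.255.255.0 management
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.20.0.0 255.255.255.0 management
"""

# Constructed sample syslog lines. Message IDs and field layouts follow the
# ASA syslog documentation as I understand it (assumption; check against your
# own export): 113005 = AAA authentication rejected, 605004 = management login
# denied, 605005 = management login permitted, 111008/111010 = command executed.
SAMPLE_SYSLOG = """\
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.20.0.5 : user = admin : user IP = 203.0.113.77
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.20.0.5 : user = admin : user IP = 203.0.113.77
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.20.0.5 : user = vpnuser : user IP = 203.0.113.77
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.20.0.5 : user = root : user IP = 203.0.113.77
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.20.0.5 : user = cisco : user IP = 203.0.113.77
%ASA-6-605004: Login denied from 198.51.100.9/4431 to outside:192.0.2.1/https for user "admin"
%ASA-6-605005: Login permitted from 10.20.0.40/51022 to management:10.20.0.1/ssh for user "netops"
%ASA-5-111010: User 'netops', running 'CLI' from IP 10.20.0.40, executed 'ssh 0.0.0.0 0.0.0.0 outside'
%ASA-5-111008: User 'netops' executed the 'write memory' command.
"""

MGMT_ACL_RE = re.compile(
    r"^(http|ssh)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")
AUTH_FAIL_RE = re.compile(
    r"%ASA-\d-(?:113005|605004):.*?(?:user IP = |from )(\d+\.\d+\.\d+\.\d+)")
CMD_RE = re.compile(
    r"%ASA-\d-(?:111008|111010): User '([^']+)'.*?executed (?:the )?'([^']+)'")


def exposed_mgmt(config, trusted_ifaces=("management", "inside")):
    """Return (service, network, mask, interface) for every http/ssh access
    line that admits any source address or is bound to an interface outside
    the trusted set. The trusted interface names are assumptions."""
    findings = []
    for line in config.splitlines():
        m = MGMT_ACL_RE.match(line.strip())
        if m:
            svc, net, mask, iface = m.groups()
            if mask == "0.0.0.0" or iface not in trusted_ifaces:
                findings.append((svc, net, mask, iface))
    return findings


def auth_failures_by_ip(lines):
    """Count rejected VPN/AAA and management logins per source IP."""
    counts = Counter()
    for line in lines:
        m = AUTH_FAIL_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def brute_force_sources(lines, threshold=5):
    """Source IPs with at least `threshold` failures (tuning assumption)."""
    return sorted(ip for ip, n in auth_failures_by_ip(lines).items()
                  if n >= threshold)


def config_changes(lines):
    """(user, command) pairs for every administrator command in the log."""
    return [m.groups() for line in lines if (m := CMD_RE.search(line))]


def widening_changes(lines):
    """Executed commands that would themselves expose management services,
    found by running the same config audit over the command text."""
    return [(u, c) for u, c in config_changes(lines) if exposed_mgmt(c)]


def report(config=SAMPLE_CONFIG, syslog=SAMPLE_SYSLOG):
    lines = syslog.splitlines()
    return {
        "exposed_management": exposed_mgmt(config),
        "brute_force_sources": brute_force_sources(lines),
        "config_changes": config_changes(lines),
        "widening_changes": widening_changes(lines),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run against a real `show running-config` and a syslog export, the config audit is the quick check for the "trusted networks only" recommendation, and the `widening_changes` output catches the case the advisory warns about: a change that re-exposes the management plane after hardening, whether made by an administrator or by an intruder already on the box.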

If you have any questions about this Cybersecurity Threat Advisory, get in touch with Barracuda Managed XDR's Security Operations Center.

This post originally appeared on Smarter MSP.