Cisco urges customers to patch two security flaws that affect the VPN web servers of the Cisco Secure Firewall Adaptive Security Appliance (ASA) software and Cisco Secure Firewall Threat Defense (FTD) software.
The zero-day vulnerabilities in question are listed below –
- CVE-2025-20333 (CVSS score: 9.9) – Inappropriate validation of user-supported input on http(s) requests a vulnerability that allows an authenticated remote attacker with valid VPN user credentials to execute arbitrary code as root on the affected device by sending a crafted http request.
- CVE-2025-20362 (CVSS score: 6.5) – Inappropriate validation of user-supported input in http(s) requests requires a vulnerability that allows unauthenticated HTTP requests to be sent to access restricted URL endpoints without authentication.
Cisco said it recognizes “attempts to exploit both vulnerabilities, but did not reveal who is behind it or how widespread the attacks are. Two vulnerabilities are suspected to be chained to bypass authentication and run malicious code on sensitive appliances.
They also evaluated the Australian Signals Bureau, the Australian Cybersecurity Centre (ACSC), the Canada Cybersecurity Centre, the UK National Cybersecurity Centre (NCSC), and the US Cybersecurity and Infrastructure Security Agency (CISA) as supporting the investigation.
CISA issues emergency directive ED 25-03
In another alert, CISA said it is issuing emergency directives urging federal agencies to immediately and effectively identify, analyze and mitigate potential compromises. Additionally, both vulnerabilities have been added to the Known Exploited Vulnerabilities (KEV) catalog and are given to agents 24 hours a day to apply the necessary mitigations.
“CISA recognizes the ongoing exploitation campaigns by advanced threat actors targeting Cisco Adaptive Security Appliances (ASAs),” the agency said.
“This campaign is widely popular and leverages zero-day vulnerabilities to acquire remote code execution that is not certified on the ASA, and manipulates read-only memory (ROM) to maintain reboots and system upgrades. This activity poses a significant risk to the victim network.”
The agency has also previously identified as providing malware families such as Line Runner and Line Dancer, as activity is linked to a threat cluster called Arcanedoor and was previously identified as target peripheral network devices from several vendors, including Cisco. This activity was attributed to a threat actor called UAT4356 (aka Storm-1849).
“This threat actor demonstrates his ability to successfully change ASA ROMs, at least as early as 2024,” CISA added. “These zero-day vulnerabilities in the Cisco ASA platform also exist in certain versions of Cisco Firepower. The safe boots of firepower detect the identified operations of the ROM.”
