Cisco warned this week that two vulnerabilities, which have been used in zero-day attacks, are now being exploited to force ASA and FTD firewalls into reboot loops.
The tech giant released security updates on September 25 to address the two security flaws, stating that CVE-2025-20362 allows remote threat actors to access restricted URL endpoints without authentication, while CVE-2025-20333 allows authenticated attackers to gain remote code execution on vulnerable devices.
When chained, these vulnerabilities allow remote, unauthenticated attackers to gain full control over unpatched systems.
The same day, CISA issued an emergency directive ordering U.S. federal agencies to secure their Cisco firewall devices against attacks using this exploit chain within 24 hours. CISA also mandated them to disconnect ASA devices reaching their end of support (EoS) from federal organization networks.
Threat monitoring service Shadowserver is currently tracking over 34,000 internet-exposed ASA and FTD instances vulnerable to CVE-2025-20333 and CVE-2025-20362 attacks, down from the nearly 50,000 unpatched firewalls it spotted in September.

Now exploited in DoS attacks
“Cisco previously disclosed new vulnerabilities in certain Cisco ASA 5500-X devices running Cisco Secure Firewall ASA software with VPN web services enabled, discovered in collaboration with several government agencies. We attributed these attacks to the same state-sponsored group behind the 2024 ArcaneDoor campaign and urged customers to apply the available software fixes,” a Cisco spokesperson told BleepingComputer this week.
“On November 5, 2025, Cisco became aware of a new attack variant targeting devices running Cisco Secure ASA Software or Cisco Secure FTD Software releases affected by the same vulnerabilities. This attack can cause unpatched devices to unexpectedly reload, leading to denial of service (DoS) conditions.”
CISA and Cisco linked the attacks to the ArcaneDoor campaign, which exploited two other Cisco firewall zero-day bugs (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide starting in November 2023. The UAT4356 threat group (tracked as STORM-1849 by Microsoft) behind the ArcaneDoor attacks deployed the previously unknown Line Dancer in-memory shellcode loader and Line Runner backdoor malware to maintain persistence on compromised systems.
On September 25, Cisco fixed a third critical vulnerability (CVE-2025-20363) in its Cisco IOS and firewall software, which could allow unauthenticated threat actors to execute arbitrary code remotely. However, it did not directly link it to the attacks exploiting CVE-2025-20362 and CVE-2025-20333, saying that its Product Security Incident Response Team was “not aware of any public announcements or malicious use of the vulnerability.”
Since then, attackers have started exploiting another recently patched RCE vulnerability (CVE-2025-20352) in Cisco networking devices to deploy rootkit malware on unprotected Linux boxes.
More recently, on Thursday, Cisco released security updates to patch critical security flaws in its Contact Center software, which could enable attackers to bypass authentication (CVE-2025-20358) and execute commands with root privileges (CVE-2025-20354).
“We strongly recommend all customers upgrade to the software fixes outlined in our security advisories,” Cisco added on Thursday.


