Thursday, November 13, 2025

Actively exploited firewall flaws now abused for DoS attacks


Cisco warned this week that two vulnerabilities, which have been used in zero-day attacks, are now being exploited to force ASA and FTD firewalls into reboot loops.

The tech giant released security updates on September 25 to address the two security flaws, stating that CVE-2025-20362 allows remote threat actors to access restricted URL endpoints without authentication, while CVE-2025-20333 allows authenticated attackers to gain remote code execution on vulnerable devices.

When chained, these vulnerabilities allow remote, unauthenticated attackers to gain full control over unpatched systems.

The same day, CISA issued an emergency directive ordering U.S. federal agencies to secure their Cisco firewall devices against attacks using this exploit chain within 24 hours. CISA also mandated them to disconnect ASA devices reaching their end of support (EoS) from federal organization networks.

Threat monitoring service Shadowserver is currently tracking over 34,000 internet-exposed ASA and FTD instances vulnerable to CVE-2025-20333 and CVE-2025-20362 attacks, down from the nearly 50,000 unpatched firewalls it spotted in September.

Unpatched Cisco ASA/FTD firewalls (Shadowserver)

Now exploited in DoS attacks

“Cisco previously disclosed new vulnerabilities in certain Cisco ASA 5500-X devices running Cisco Secure Firewall ASA software with VPN web services enabled, discovered in collaboration with several government agencies. We attributed these attacks to the same state-sponsored group behind the 2024 ArcaneDoor campaign and urged customers to apply the available software fixes,” a Cisco spokesperson told BleepingComputer this week.

“On November 5, 2025, Cisco became aware of a new attack variant targeting devices running Cisco Secure ASA Software or Cisco Secure FTD Software releases affected by the same vulnerabilities. This attack can cause unpatched devices to unexpectedly reload, leading to denial of service (DoS) conditions.”

CISA and Cisco linked the attacks to the ArcaneDoor campaign, which exploited two other Cisco firewall zero-day bugs (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide starting in November 2023. The UAT4356 threat group (tracked as STORM-1849 by Microsoft) behind the ArcaneDoor attacks deployed the previously unknown Line Dancer in-memory shellcode loader and Line Runner backdoor malware to maintain persistence on compromised systems.

On September 25, Cisco fixed a third critical vulnerability (CVE-2025-20363) in its Cisco IOS and firewall software, which can allow unauthenticated threat actors to execute arbitrary code remotely. However, it did not directly link it to the attacks exploiting CVE-2025-20362 and CVE-2025-20333, saying that its Product Security Incident Response Team was “not aware of any public announcements or malicious use of the vulnerability.”

Since then, attackers have started exploiting another recently patched RCE vulnerability (CVE-2025-20352) in Cisco networking devices to deploy rootkit malware on unprotected Linux boxes.

More recently, on Thursday, Cisco released security updates to patch critical security flaws in its Contact Center software, which could enable attackers to bypass authentication (CVE-2025-20358) and execute commands with root privileges (CVE-2025-20354).

“We strongly recommend all customers upgrade to the software fixes outlined in our security advisories,” Cisco added on Thursday.
