4 Actively exploited Zero-days affecting millions of devices,. This include 3 targeted by Nation-state actor “ArcaneDoor”.

Security Advisory: Cisco has released critical security updates to address two zero-day vulnerabilities referring to CVE-2025-20333 and CVE-2025-20362 in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software.

CISA has also added in their KEV catalog and including additional actions tailored to each agency’s status in Emergency Directive ED 25-03 document.

CISA said ‘”The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution [RCE] on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade,”.

CISA has reported that an advanced threat actor ArcaneDoor, threat actor has demonstrated a capability to successfully modify ASA ROM at least as early as 2024. These zero-day vulnerabilities in the Cisco ASA platform are also present in specific versions of Cisco Firepower appliances’ Secure Boot would detect the identified manipulation of the ROM.  

Overview 

The flaws discovered are actively exploited in the wild which allow attackers to execute arbitrary code or access restricted endpoints without authentication. Admins are urged to immediately apply Cisco’s fixed releases to mitigate these actively exploited zero-day vulnerabilities 

Technical Summary 

Cisco has released security updates to address multiple vulnerabilities in the VPN web server of Secure Firewall ASA and FTD Software.

The most severe issue is a critical remote code execution vulnerability that could allow an authenticated attacker with valid VPN credentials to send specially crafted HTTP(S) requests and execute arbitrary code with root-level privileges, potentially resulting in full compromise of the affected device and control of its operations.

In addition, a medium-severity vulnerability was identified that could enable unauthenticated attackers to bypass access controls and access restricted web resources without authentication, potentially exposing sensitive information or limited administrative functions.

Both vulnerabilities are caused by improper validation of user-supplied HTTP(S) input, making them exploitable over the network.

Cisco has confirmed that there are no workarounds available, and administrators are strongly advised to upgrade to the fixed software versions immediately to ensure the security and integrity of their environments. 

Recommendations: 

• Install the fixed software releases for Cisco Secure Firewall ASA and FTD Software 

• Use the Cisco Software Checker to identify the earliest fixed release for your software version. 

• Navigate the device management interface (Cisco Secure Firewall Management Center or Device Manager) to apply updates. 

• Restart devices after installation and ensure auto-updates are enabled. 

• Review the Configure Threat Detection for VPN Services section in the Cisco Secure Firewall ASA Firewall CLI Configuration Guide to enable protection against VPN-related attacks. 

Conclusion: 
These vulnerabilities present a significant risk as they are actively being exploited in the wild and can lead to complete system compromise or unauthorized access to sensitive resources.

Since no workarounds are available, applying the latest Cisco security updates is the only effective remediation. Administrators should prioritize immediate patching across all affected devices to protect their environment from ongoing exploitation attempts and ensure continued resilience of critical firewall infrastructure. 

References: 

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB 

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-YROOTUW 

• https://thehackernews.com/2025/09/urgent-cisco-asa-zero-day-duo-under.html