Cisco Firewall Vulnerability
Ransomware Recovery Services
Alvaka’s Cisco Firewall Vulnerability Restoration Services are designed to help organizations respond quickly to critical Cisco ASA and Firepower exploits, protect their networks from compromise, and strengthen defenses against future attacks.
New Cisco Vulnerabilities in ASA and FTD Devices
In September 2025, Cisco disclosed three critical vulnerabilities affecting Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices, primarily in the VPN web server component. Two of these (CVE-2025-20333 and CVE-2025-20362) were actively exploited in the wild as zero-days by a sophisticated state-sponsored group tracked as UAT4356 (also referred to by Cisco as the “ArcaneDoor” actor). The third (CVE-2025-20363) is a high-risk flaw with potential for imminent exploitation, though no active use has been confirmed. These issues impact ASA software versions 9.12 through 9.23 and FTD versions 7.0 through 7.7 when VPN features (e.g., AnyConnect IKEv2, Mobile User Security, or SSL VPN) are enabled.
Cisco released patches on September 25, 2025, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03 on the same day, mandating federal agencies to inventory, analyze, and patch affected devices within 48 hours of release—or disconnect end-of-support hardware. As of late September 2025, approximately 48,800 internet-exposed Cisco ASA and FTD instances remained vulnerable, with over 19,000 in the U.S. alone.
How the Cisco Exploit Works
Attackers have been observed:
- Exploiting internet-facing VPN and management interfaces.
- Injecting malicious code directly into firmware for persistence.
- Disabling system logs and crash reports to evade detection.
- Maintaining long-term access even after patches or restarts.
Once compromised, threat actors can move laterally across networks, capture credentials, and access sensitive internal data.
CISA Emergency Directive (ED 25-03)
The Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 25-03, requiring all federal agencies to:
- Identify and inventory affected Cisco ASA and Firepower devices.
- Apply Cisco’s latest patches immediately.
- Disconnect or replace unsupported devices.
- Submit diagnostic data for forensic analysis.
Private sector organizations are strongly advised to follow these same steps to reduce exposure and mitigate potential breaches.
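The inventory step above is where most teams start. The following is an added helper, not Alvaka's or Cisco's code, that triages one device from its `show version` and running-config text against the affected trains stated on this page (ASA 9.12 through 9.23, FTD 7.0 through 7.7) and checks whether the VPN features that make a device exposed are turned on. The version-line and `webvpn` / `crypto ikev2 enable` syntax it matches are assumptions about ASA/FTD output, and the sample inputs are constructed; a device inside an affected train may already run a fixed build, so the result is a "verify against the advisory" flag, not a vulnerability verdict.

```python
import re

# Affected trains as stated on this page: inclusive (major, minor) ranges.
# Cisco's fixed releases ship inside these trains, so "in train" means
# "compare the exact build with the advisory", not "known unpatched".
AFFECTED_TRAINS = {
    "ASA": ((9, 12), (9, 23)),
    "FTD": ((7, 0), (7, 7)),
}

# Assumed `show version` formats: ASA "... Software Version 9.16(4)",
# FTD "... Firepower Threat Defense ... Version 7.2.5".
ASA_VER_RE = re.compile(r"Adaptive Security Appliance Software Version (\d+)\.(\d+)")
FTD_VER_RE = re.compile(r"Firepower Threat Defense.*?Version (\d+)\.(\d+)")


def parse_platform_version(show_version: str):
    """Return ("ASA" | "FTD", major, minor), or None if no version line is found."""
    for platform, rx in (("FTD", FTD_VER_RE), ("ASA", ASA_VER_RE)):
        m = rx.search(show_version)
        if m:
            return platform, int(m.group(1)), int(m.group(2))
    return None


def vpn_enabled(running_config: str) -> bool:
    """True if SSL VPN (`enable <iface>` under `webvpn`) or AnyConnect IKEv2
    (`crypto ikev2 enable <iface>`) is configured. Assumed ASA/FTD syntax."""
    in_webvpn = False
    for line in running_config.splitlines():
        if not line.startswith(" "):           # top-level command resets block state
            in_webvpn = line.strip() == "webvpn"
        elif in_webvpn and line.strip().startswith("enable "):
            return True
        if line.strip().startswith("crypto ikev2 enable "):
            return True
    return False


def triage(show_version: str, running_config: str) -> dict:
    """Classify one device for the inventory step of ED 25-03."""
    parsed = parse_platform_version(show_version)
    if parsed is None:
        return {"status": "unknown", "reason": "no ASA/FTD version line found"}
    platform, major, minor = parsed
    low, high = AFFECTED_TRAINS[platform]
    in_train = low <= (major, minor) <= high
    vpn = vpn_enabled(running_config)
    status = ("verify-fixed-release" if in_train and vpn
              else "affected-train-vpn-disabled" if in_train
              else "outside-affected-trains")
    return {"platform": platform, "version": f"{major}.{minor}",
            "in_affected_train": in_train, "vpn_enabled": vpn, "status": status}


# Constructed sample inputs (not captured from a real device).
SAMPLE_SHOW_VERSION = "Cisco Adaptive Security Appliance Software Version 9.16(4)\n"
SAMPLE_CONFIG = "hostname asa-edge\nenable password REDACTED\nwebvpn\n enable outside\n anyconnect enable\n"
```

Devices that come back `verify-fixed-release` go to the top of the patch queue; anything `unknown` was not parsed and needs a manual look rather than being treated as safe.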
How to Mitigate the Cisco Vulnerability
To protect your organization, Alvaka recommends:
- Patching all Cisco ASA and Firepower devices immediately.
- Auditing VPN and management interfaces for unauthorized access.
- Replacing end-of-life hardware lacking Secure Boot or Trust Anchor capabilities.
- Implementing multi-factor authentication (MFA) for all administrative access.
- Monitoring network logs for unusual patterns or connection attempts.
- Developing an incident response plan for potential compromise scenarios.
Being proactive, maintaining updated systems, and reviewing device configurations are essential to prevent exploitation.