Urgent Cisco Security Advisory: Critical Vulnerabilities Identified
Cisco has urged its customers to address two significant security vulnerabilities in the VPN web server functionality of its Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software. These vulnerabilities have reportedly been exploited by malicious actors in the wild, which makes prompt patching all the more urgent.
Overview of Critical Vulnerabilities
The identified vulnerabilities are as follows:
- CVE-2025-20333 (CVSS Score: 9.9): This critical vulnerability stems from inadequate validation of user-supplied input in HTTP(S) requests. An authenticated remote attacker with legitimate VPN user credentials could execute arbitrary code as root on affected devices by sending specifically crafted HTTP requests.
- CVE-2025-20362 (CVSS Score: 6.5): This vulnerability also relates to improper validation of input in HTTP(S) requests. However, in this case, an unauthenticated remote attacker could access restricted URL endpoints without requiring authentication, again using carefully designed HTTP requests.
Cisco has reported that it is aware of attempted exploitation of these vulnerabilities but has not disclosed details about the attackers or the scope of the incidents. There are indications that the two vulnerabilities may be chained together: the authentication bypass is used first, enabling the execution of malicious code on vulnerable appliances.
Collaboration with Cyber Security Agencies
Throughout this investigation, Cisco received support from various cybersecurity organizations, including the Australian Signals Directorate, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security, U.K. National Cyber Security Centre (NCSC), and the U.S. Cybersecurity and Infrastructure Security Agency (CISA). This collaboration highlights the significant focus on safeguarding network security amidst evolving threats.
CISA’s Emergency Directive: ED 25-03
In response to these threats, CISA has issued an emergency directive mandating federal agencies to promptly identify, analyze, and mitigate potential compromises. The identified vulnerabilities have also been included in CISA’s Known Exploited Vulnerabilities (KEV) catalog, compelling agencies to implement necessary mitigations within a 24-hour timeframe.
The agency has stated, "CISA is aware of an ongoing exploitation campaign by an advanced threat actor targeting Cisco Adaptive Security Appliances (ASA)." This campaign has been characterized by its extensive reach and sophistication, taking advantage of these zero-day vulnerabilities for unauthenticated remote code execution on ASAs and manipulating read-only memory (ROM) to ensure persistence through system reboots and upgrades.
Link to Threat Actor: ArcaneDoor
CISA has connected this malicious activity to a threat cluster known as ArcaneDoor. This group has previously been identified as targeting perimeter network devices from various vendors, including Cisco, for propagating malware such as Line Runner and Line Dancer. The activities of this group have been attributed to a threat actor referred to as UAT4356 (also known as Storm-1849).
CISA further warns that this threat actor has successfully modified ASA ROM as early as 2024, showcasing an alarming capability to exploit these zero-day vulnerabilities, which are also present in certain versions of Cisco Firepower appliances. The Secure Boot feature of these appliances, however, is designed to detect unauthorized modifications to the ROM.
As organizations continue to bolster their cybersecurity postures, it is crucial for Cisco users to stay vigilant and proactive in addressing these vulnerabilities to protect their networks from potential threats. With security risks evolving rapidly, timely action can be the key to preventing significant breaches.