What happened?
In September 2025, Cisco released urgent security updates for two newly discovered vulnerabilities affecting both its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) solutions, confirming “attempted exploitation” of both CVE-2025-20333 (severity 9.9) and CVE-2025-20362 (severity 6.5) in the wild.
Attackers have been observed exploiting multiple zero-day vulnerabilities and employing evasion tactics, such as disabling logging and deliberately crashing devices, to hinder forensic analysis and hide their tracks.
In response, CISA issued a rare emergency directive requiring all federal civilian executive branch agencies to patch affected devices within 24 hours, highlighting the widespread nature of the attack.
National security agencies have also issued separate warnings about the risks these vulnerabilities pose to organisations, including the UK’s NCSC and counterparts in Canada, France, and the Netherlands.
Despite the urgency of the updates, the Shadowserver Foundation reports that as of 3 October, approximately 30,000 vulnerable devices still remain exposed to the internet.
So what?
CISA reports that attackers have managed to gain unauthorised access to ASA devices, manipulating them so that their access persists through reboots and system upgrades. This grants the threat actors remote code execution (RCE) capabilities and full control over compromised devices.
Cisco’s investigation identified a memory corruption flaw at the centre of the campaign; both vulnerabilities stem from inadequate validation of HTTPS requests, meaning Cisco firewalls could inadvertently process malicious traffic that circumvents authentication controls.
Specifically, CVE-2025-20362 enables attackers to reach sensitive VPN-related URLs, while CVE-2025-20333 opens the door for unauthorised users to execute code with root privileges.
Further analysis from the UK’s National Cyber Security Centre (NCSC) highlighted the attackers’ toolkit, which included a shellcode loader dubbed ‘Line Viper’ and a GRUB bootkit known as ‘RayInitiator’. These tools were used to establish deeper persistence and evade detection within compromised environments.
An investigation by Cisco links this campaign to the same state-sponsored group behind last year’s ArcaneDoor attacks. This focus on persistence and stealth rather than traditional malware deployment marks a shift in approach from the attackers.
What should I do?
Early detection and swift remediation are crucial in preventing attackers from gaining a persistent foothold in your environment, reducing the risk of further compromise and operational disruption.
Apply the latest patches - Cisco recommends this as the most effective mitigation, since no workarounds are currently available.
Treat all device configurations as potentially compromised - Cisco recommends that “all configurations - especially local passwords, certificates, and keys - are replaced after the upgrade to a fixed release”. This can be achieved by running the ‘configure factory-default’ command in global configuration mode, then reconfiguring the device with fresh credentials and certificates.
In the event that the recommended patches cannot be applied, consider temporary hardening measures: restricting exposure of VPN web interfaces and increasing monitoring for suspicious logins can reduce your attack surface until an update is possible.
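As an added example (not from the original article or from Cisco), the following script shows what “increasing monitoring for suspicious logins” can look like in practice, and also flags the logging-disablement tactic described above, by scanning ASA syslog lines. The sample log lines are constructed; the message formats follow ASA syslog IDs 605004/605005 (login denied/permitted) and 111010 (command executed) as I recall them, and the trusted management network is an assumption.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed trusted management network; a permitted login from anywhere else is suspicious.
TRUSTED_MGMT = [ip_network("10.0.0.0/8")]
FAIL_THRESHOLD = 3  # failed logins before a subsequent success is flagged

# Constructed sample ASA syslog lines (not taken from any real device).
SAMPLE_LOGS = """\
%ASA-6-605005: Login permitted from 10.0.5.20/51234 to inside:10.0.0.1/ssh for user "admin"
%ASA-6-605004: Login denied from 203.0.113.7/44100 to outside:198.51.100.1/https for user "admin"
%ASA-6-605004: Login denied from 203.0.113.7/44101 to outside:198.51.100.1/https for user "admin"
%ASA-6-605004: Login denied from 203.0.113.7/44102 to outside:198.51.100.1/https for user "admin"
%ASA-6-605005: Login permitted from 203.0.113.7/44103 to outside:198.51.100.1/https for user "admin"
%ASA-5-111010: User 'admin', running 'CLI' from IP 203.0.113.7, executed 'no logging enable'
"""

LOGIN_RE = re.compile(r"%ASA-6-60500(?P<code>[45]): Login (?:permitted|denied) from "
                      r"(?P<src>[\d.]+)/\d+ to \S+ for user \"(?P<user>[^\"]+)\"")
CMD_RE = re.compile(r"%ASA-5-111010: User '(?P<user>[^']+)'.* from IP (?P<src>[\d.]+), "
                    r"executed '(?P<cmd>[^']+)'")
# Commands that blind the device's own audit trail (the evasion tactic noted above).
LOGGING_KILL_RE = re.compile(r"^(?:no logging\b|clear logging\b)")


def analyse(lines):
    """Return a list of (rule, source_ip, detail) findings for the given syslog lines."""
    findings = []
    failures = defaultdict(int)  # consecutive failed logins per source IP
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            src, user = m.group("src"), m.group("user")
            if m.group("code") == "4":  # 605004: login denied
                failures[src] += 1
                continue
            # 605005: login permitted
            if not any(ip_address(src) in net for net in TRUSTED_MGMT):
                findings.append(("login-from-untrusted-net", src, user))
            if failures[src] >= FAIL_THRESHOLD:
                findings.append(("success-after-failures", src, f"{failures[src]} failures"))
            failures[src] = 0
            continue
        m = CMD_RE.search(line)
        if m and LOGGING_KILL_RE.search(m.group("cmd")):
            findings.append(("logging-disabled", m.group("src"), m.group("cmd")))
    return findings


if __name__ == "__main__":
    for rule, src, detail in analyse(SAMPLE_LOGS.splitlines()):
        print(f"ALERT {rule}: {src} ({detail})")
```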