Cisco confirms active exploitation of three zero-days by advanced threat actors

Cisco confirmed on September 26 a sophisticated attack campaign against ASA 5500-X series devices, ongoing since May 2025. Three zero-day vulnerabilities are being exploited: CVE-2025-20333 (CVSS 9.9) for remote code execution on the web VPN server, CVE-2025-20362 (CVSS 6.5) for unauthorized access to the web VPN server, and CVE-2025-20363 (CVSS 9.0) affecting IOS, IOS XE and IOS XR via the HTTP server. CVE-2025-20352 (CVSS 7.7) in the SNMP subsystem also continues to be exploited. The campaign demands immediate action from affected organizations.

The same threat actor behind the 2024 ArcaneDoor operation demonstrates advanced capabilities, including modification of ROMMON for persistence through reboots and software updates. The attacks target Cisco ASA 5500-X series devices running versions 9.12 or 9.14 with web VPN services enabled. Only models without Secure Boot support were compromised: 5512-X, 5515-X, 5525-X, 5545-X, 5555-X and 5585-X.

Recommendations:

  • Immediately inventory all Cisco ASA platforms (ASA hardware, ASA Service Module, ASA Virtual and ASA firmware on Firepower 2100/4100/9300) and all Cisco Firepower Threat Defense appliances, following the methodology of CISA Emergency Directive ED 25-03.
  • For all internet-facing ASA hardware appliances, execute CISA’s Core Dump and Hunt Parts 1-3 step-by-step instructions and submit core dumps via Malware Next Gen portal by September 26, 2025, 11:59 PM EDT (more information at link: https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cis…).
  • Permanently disconnect end-of-support ASA hardware devices on or before September 30, 2025.
  • Apply latest Cisco updates by September 26, 2025 and subsequent ones within 48 hours.
  • For devices that cannot be updated immediately, disable all SSL/TLS VPN services (including the IKEv2 client services that deliver software updates and endpoint client profiles) and all SSL VPN services.
  • Report the complete inventory by October 2, 2025 using the CISA template.
  • For suspected or confirmed compromised devices, perform a complete reset to factory configuration after updating to a patched version, replacing all configuration items — especially local passwords, certificates and keys — with newly generated credentials.
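The inventory step above boils down to three questions per appliance: is the model one of the non-Secure-Boot 5500-X units, is it on the 9.12 or 9.14 train, and is web VPN enabled? The following triage helper is an added example (not code from SEK, Cisco or CISA) that answers them from already collected `show version` and `show running-config` output; the sample output and the severity labels are constructed for illustration.

```python
import re

# Models the advisory names as compromised: ASA 5500-X units without Secure Boot.
AFFECTED_MODELS = {"ASA5512", "ASA5515", "ASA5525", "ASA5545", "ASA5555", "ASA5585"}
# Software trains the advisory names as targeted.
AFFECTED_TRAINS = {"9.12", "9.14"}

# Constructed sample output, shaped like real ASA CLI output but not from a live device.
SAMPLE_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.12(4)67
Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz
"""
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
webvpn
 enable outside
 anyconnect enable
"""

def parse_show_version(text):
    """Return (model, software train) parsed from `show version` output."""
    model = re.search(r"Hardware:\s+(ASA\d{4})", text)
    train = re.search(r"Software Version (\d+\.\d+)", text)
    return (model.group(1) if model else None, train.group(1) if train else None)

def webvpn_enabled(running_config):
    """True if the `webvpn` section enables the service on any interface."""
    in_webvpn = False
    for line in running_config.splitlines():
        if not line.startswith(" "):            # top-level line starts a new section
            in_webvpn = line.strip() == "webvpn"
            continue
        if in_webvpn and line.strip().startswith("enable "):
            return True
    return False

def triage(show_version, running_config):
    """Classify one appliance against the campaign profile described in the advisory."""
    model, train = parse_show_version(show_version)
    exposed = webvpn_enabled(running_config)
    if model in AFFECTED_MODELS and train in AFFECTED_TRAINS and exposed:
        return "HIGH: matches campaign profile; core dump, patch, then factory reset if compromised"
    if model in AFFECTED_MODELS:
        return "MEDIUM: non-Secure-Boot model; patch or disconnect"
    return "LOW: outside the described profile; still patch per ED 25-03"

if __name__ == "__main__":
    print(triage(SAMPLE_VERSION, SAMPLE_CONFIG))
```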


SEK maintains active monitoring of this campaign and is prepared to provide specialized support in incident response, forensic analysis and implementation of compensatory security controls. Our team can assist in identifying compromised devices, safely executing recovery procedures and implementing security architectures resilient against advanced persistent threats.

