The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a strong warning about critical vulnerabilities in Cisco’s Adaptive Security Appliance (ASA) and Firepower devices, the firewalls and VPN gateways that sit at the edge of many networks. These systems are reportedly being actively exploited by attackers.
The Two Big Problems
Two specific flaws, tracked as CVE-2025-20362 and CVE-2025-20333, are the main concern. CVE-2025-20362 is an authorisation bypass in the device’s VPN web server: it lets an unauthenticated attacker reach URL endpoints that should require a login. That access then exposes the second, more dangerous flaw, CVE-2025-20333, a memory-corruption bug in the same web server that on its own would require valid VPN credentials but, reached through the first flaw, lets the attacker run their own code as ‘root’, giving complete control of the affected device.
Reportedly, these two vulnerabilities are being chained by attackers in the campaign known as ArcaneDoor to gain full control of affected systems. Cisco first fixed these problems in September, but exploitation has continued since, and any device still running vulnerable software, along with the networks and credentials behind it, remains at risk.
The Patching Problem
CISA’s Emergency Directive 25-03 (issued September 25) required immediate fixes. However, many organisations, including federal agencies, mistakenly believed they had updated their devices: CISA found that systems marked as ‘patched’ were actually still running vulnerable software.
The biggest issue CISA found is that simply installing a newer build was not enough; each device has to be at or above the correct minimum fixed version for its release train. For instance, Cisco ASA Release 9.12 requires version 9.12.4.72, and Release 9.14 requires 9.14.4.28. These interim builds are often only available through Cisco’s Special Release download area, not the regular release listing, which is one reason teams moved to a newer but still vulnerable build and reported the device as patched. The practical check is to compare the running version train by train against Cisco’s published minimum, rather than against the version you had before. CISA stresses that all Cisco ASA and Firepower devices must be updated immediately.
Organisations must update all Cisco ASA and Firepower devices, not just the ones facing the public internet. If a device was not updated until after September 26, 2025, or is still running a vulnerable version, CISA recommends treating it as potentially compromised and taking additional steps to check for, and remove, any attacker persistence that may already be present.
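Because the failure mode CISA describes is a version that is newer than before but still below the fixed minimum, the check is worth automating across the whole inventory. The script below is an added example written for this article, not a Cisco or CISA tool. It parses the version string from either `show version` output (the `9.12(4)65` form) or a release string (the `9.12.4.65` form) and compares it, as a tuple, against a per-train minimum. Only the two minimums quoted above (9.12 and 9.14) are in the table; any other train deliberately reports `unknown-train` so that nobody assumes a newer train is automatically safe. The host names and version lines in the sample inventory are constructed for illustration.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]

# Minimum fixed releases per ASA train, as quoted in the article.
# Other trains have their own minimums: consult Cisco's advisory for those.
# Do NOT extend this table from memory; a wrong entry here recreates the
# exact "marked patched, still vulnerable" problem CISA found.
MINIMUM_FIXED: Dict[Tuple[int, int], Version] = {
    (9, 12): (9, 12, 4, 72),
    (9, 14): (9, 14, 4, 28),
}

# Matches both "9.12(4)65" (show version) and "9.12.4.65" (release string).
_VER = r"(\d+)\.(\d+)[.(](\d+)[.)](\d+)"
_SOFTWARE_LINE = re.compile(r"Software Version\s+" + _VER)
_BARE = re.compile(_VER)


def parse_asa_version(text: str) -> Optional[Version]:
    """Return the 4-part ASA software version found in text, or None.

    Prefers the 'Software Version' line so that other version-like strings
    in show version output (e.g. the Device Manager line) are not picked up.
    """
    m = _SOFTWARE_LINE.search(text) or _BARE.search(text)
    if not m:
        return None
    major, minor, maint, build = (int(x) for x in m.groups())
    return (major, minor, maint, build)


def patch_status(text: str) -> str:
    """Classify one device as fixed / vulnerable / unknown-train / unparsed."""
    version = parse_asa_version(text)
    if version is None:
        return "unparsed"
    minimum = MINIMUM_FIXED.get(version[:2])
    if minimum is None:
        return "unknown-train"
    # Tuple comparison is numeric per component, so 9.12.4.70 < 9.12.4.72
    # even though 70 is "newer" than the 65 a team may have upgraded from.
    return "fixed" if version >= minimum else "vulnerable"


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host name to its patch status; run this over every ASA,
    internal ones included, not just the internet-facing pair."""
    return {host: patch_status(output) for host, output in inventory.items()}


# Constructed sample inventory (hypothetical hosts and output fragments).
SAMPLE_INVENTORY = {
    "edge-fw-1": "Cisco Adaptive Security Appliance Software Version 9.12(4)72\n"
                 "Device Manager Version 7.12(2)",
    "edge-fw-2": "Cisco Adaptive Security Appliance Software Version 9.12(4)70",
    "dc-fw-1": "Cisco Adaptive Security Appliance Software Version 9.14(4)28",
    "dc-fw-2": "asa-9.14.4.27-smp-k8.bin",
    "lab-fw-1": "Cisco Adaptive Security Appliance Software Version 9.16(4)85",
    "lab-fw-2": "connection refused",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host:10} {status}")
```

Feed it the raw `show version` text collected from each appliance; the `unparsed` and `unknown-train` results are the ones to chase by hand, and `vulnerable` on a device someone recorded as patched is exactly the discrepancy the directive is about.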
New Attacks Emerge
Adding to the worries, Cisco also warned of a new variant of the attack that causes unpatched devices to unexpectedly reload, taking them offline (a denial-of-service condition). This variant was first observed on November 5, 2025, underlining the urgent need for all customers to install the fixed releases without delay.
Expert perspectives
Gunter Ollmann, CTO at Cobalt, shared exclusively with Hackread.com that flaws of this kind, in devices at the edge of a network, are particularly attractive to attackers because they let the intruder bypass many inner network defences. Ollmann notes that:
“The challenge is that organisations still struggle to validate their exposure in real-world terms, even when patches exist. Offensive testing helps reveal whether the environment behaves as expected after updates and whether an attacker could still traverse overlooked paths. Mature programs treat patching as the starting point, not the finish line, and use adversarial validation to catch residual gaps before threat actors do.”
Wade Ellery, Chief Evangelist at Radiant Logic, also speaking exclusively to Hackread.com, explains that once attackers breach a device like a firewall, their next goal is usually to harvest user credentials, so a perimeter flaw quickly becomes a risk to the identity systems behind it.
“The limitation is that many organisations still operate with fragmented identity data, making it hard to detect suspicious changes that follow network intrusions. Strengthening identity observability provides the context needed to spot anomalies early and contain lateral movement before privileges accumulate. Agencies that unify and observe identity data will be better positioned to absorb these infrastructure-level shocks and maintain Zero Trust resilience,” Ellery stated.
