Cisco Firewall Zero-Days Exploited in China-Linked ArcaneDoor Attacks


Cisco on Thursday released emergency patches for two firewall vulnerabilities exploited as zero-days in attacks linked to the ArcaneDoor espionage campaign.

Tracked as CVE-2025-20333 (CVSS score of 9.9) and CVE-2025-20362 (CVSS score of 6.5), the bugs impact the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) software.

The issues, Cisco explains, exist because user-supplied input in HTTP(S) requests is not properly validated, allowing a remote attacker to send crafted requests and execute arbitrary code with root privileges or access a restricted URL without authentication.

The attacker needs valid VPN user credentials to exploit the critical-severity defect, but can exploit the medium-severity one without authentication.

Both vulnerabilities, Cisco notes in a fresh alert, were discovered after it was called in May 2025 to assist with investigating attacks targeting government organizations, in which ASA 5500-X series devices with VPN web services enabled were compromised.

As part of the attacks, which Cisco linked to the ArcaneDoor espionage campaign flagged last year, the zero-days allowed hackers to deploy malware, run commands, and likely exfiltrate data from the compromised devices.

“Attackers were observed to have exploited multiple zero-day vulnerabilities and employed advanced evasion techniques such as disabling logging, intercepting CLI commands, and intentionally crashing devices to prevent diagnostic analysis,” Cisco explains.

While it has yet to be confirmed by the wider cybersecurity community, there is some evidence suggesting that the hackers behind the ArcaneDoor campaign are based in China. 


The threat actor was seen tampering with the devices’ boot firmware (ROMMON, the ROM monitor) to ensure persistence across reboots and software upgrades. These modifications were possible because the compromised devices do not support Secure Boot and Trust Anchor, so nothing on the platform verifies the integrity of that firmware before it runs.

According to Cisco, the hackers successfully compromised 5512-X, 5515-X, and 5585-X devices, which have been discontinued, as well as 5525-X, 5545-X, and 5555-X models, which will be discontinued on September 30, 2025.

The vulnerable ASA software runs on ASA 5505-X, 5506H-X, 5506W-X, 5508-X, and 5516-X devices, and on all Firepower and Secure Firewall models, but these products support Secure Boot and Trust Anchors and Cisco has not observed their successful compromise.
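The two hardware lists above are the practical split for triage: a model without Secure Boot that was exposed via VPN web services has to be treated as untrusted hardware, while a Secure Boot capable model still needs the fixed software. The following script is an added example (not Cisco or CISA tooling) that sorts a small fleet that way from `show version` and `show running-config` output; the model facts come from the article, the device excerpts are constructed, and the action strings are this example's own wording of the recommended steps.

```python
"""Triage an ASA fleet by chassis model and VPN web-service exposure.

Added example, not Cisco's or CISA's tooling. Model/Secure Boot facts come
from the article; the `show version` / `show running-config` excerpts are
constructed for illustration.
"""
import re
from dataclasses import dataclass

# Models the article reports as compromised in the wild: no Secure Boot / Trust Anchor.
NO_SECURE_BOOT = {
    "ASA5512": "discontinued",
    "ASA5515": "discontinued",
    "ASA5585": "discontinued",
    "ASA5525": "end of support 2025-09-30",
    "ASA5545": "end of support 2025-09-30",
    "ASA5555": "end of support 2025-09-30",
}


@dataclass
class Triage:
    hostname: str
    model: str
    webvpn_enabled: bool
    action: str


def parse_model(show_version: str) -> str:
    """Pull the chassis string from the 'Hardware:' line of `show version`."""
    m = re.search(r"^Hardware:\s+([^,\s]+)", show_version, re.M)
    return m.group(1) if m else "unknown"


def base_model(model: str) -> str:
    """Reduce e.g. 'ASA5585-SSP-10' to 'ASA5585' for the lookup table."""
    m = re.match(r"ASA\d{4}", model)
    return m.group(0) if m else model


def webvpn_enabled(running_config: str) -> bool:
    """True if the 'webvpn' block contains an 'enable <interface>' sub-command,
    i.e. the VPN web server (the attack surface in this campaign) is listening."""
    in_block = False
    for line in running_config.splitlines():
        if not line.startswith(" "):          # top-level command starts a new block
            in_block = line.strip() == "webvpn"
        elif in_block and line.strip().startswith("enable "):
            return True
    return False


def triage(hostname: str, show_version: str, running_config: str) -> Triage:
    model = parse_model(show_version)
    exposed = webvpn_enabled(running_config)
    status = NO_SECURE_BOOT.get(base_model(model))
    if status is not None:
        action = (f"treat as untrusted ({status}): isolate, collect core/memory "
                  "for forensics, replace hardware, rotate all secrets")
    else:
        action = "upgrade to the fixed release, collect forensics, rotate all secrets"
    if not exposed:
        action += "; VPN web services not enabled, lower exposure but still verify"
    return Triage(hostname, model, exposed, action)


def triage_fleet(fleet: dict) -> dict:
    """fleet maps hostname -> (show_version_text, running_config_text)."""
    return {h: triage(h, sv, rc) for h, (sv, rc) in fleet.items()}


# Constructed device excerpts (not real captures).
FLEET = {
    "fw-branch-a": (
        "Cisco Adaptive Security Appliance Software\n"
        "Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)\n",
        "interface GigabitEthernet0/0\n nameif outside\nwebvpn\n enable outside\n anyconnect enable\n",
    ),
    "fw-dc-1": (
        "Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)\n",
        "webvpn\n anyconnect image disk0:/anyconnect.pkg 1\n",
    ),
    "fw-edge-2": (
        "Hardware:   ASA5585-SSP-10, 6144 MB RAM, CPU Xeon 5500 series 2000 MHz, 1 CPU (4 cores)\n",
        "webvpn\n enable outside\n",
    ),
}

if __name__ == "__main__":
    for t in triage_fleet(FLEET).values():
        print(f"{t.hostname:12} {t.model:16} webvpn={t.webvpn_enabled!s:5} -> {t.action}")
```

Run it against real `show version` and `show running-config` captures exported from the devices, not against state read through a possibly tampered CLI; the article's point about intercepted CLI commands applies to anything you collect on-box.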

Users are advised to update their devices as soon as possible, as the fixed release will automatically check ROMMON and remove the attackers’ persistence mechanism. Users are also advised to rotate all passwords, certificates, and keys following the update, since anything stored on a device the attacker controlled at the root level must be assumed to have been read.

“In cases of suspected or confirmed compromise on any Cisco firewall device, all configuration elements of the device should be considered untrusted,” Cisco notes. The company also released a detection guide to help organizations hunt for potential compromise associated with the ArcaneDoor campaign.
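Cisco's description of the tradecraft (disabling logging, intercepting CLI commands, crashing the device) gives a hunt that only works on logs that left the box before the attacker touched it. The script below is an added example, not Cisco's detection guide or any published indicator set: it reads ASA syslog as received by an off-box collector, flags executed-command messages (IDs 111008 and 111010) that disable or clear logging or force a crash or reload, and reports hosts that have gone quiet relative to the rest of the fleet, which is what "disabling logging" looks like from the collector's side. The log lines are constructed, the collector line shape and the command patterns are this example's assumptions.

```python
"""Hunt off-box ASA syslog for operator actions matching the described evasion.

Added example, not Cisco's detection guide. Lines are constructed; the
collector format "<timestamp> <host> : <ASA message>" and the command
patterns are this example's assumptions, not published indicators.
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) : "
    r"%ASA-\d-(?P<msgid>\d{6}): (?P<body>.*)$"
)
USER_RE = re.compile(r"User '(?P<user>[^']+)'")
SRC_RE = re.compile(r"from IP (?P<ip>[^,]+),")
CMD_RE = re.compile(r"executed (?:the )?'(?P<cmd>[^']+)'")

# Heuristic command patterns chosen for this example.
SUSPICIOUS = [
    ("logging disabled", re.compile(r"^no logging (enable|host|trap|buffered)\b")),
    ("logs cleared", re.compile(r"^clear logging\b")),
    ("forced crash", re.compile(r"^crashinfo force\b")),
    ("reload", re.compile(r"^reload\b")),
]


def parse_line(line: str):
    """Return a dict with ts/host/msgid/body, or None for lines we do not recognise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %Y %H:%M:%S")
    return rec


def classify_command(cmd: str):
    for reason, pat in SUSPICIOUS:
        if pat.match(cmd):
            return reason
    return None


def hunt(lines, silence: timedelta = timedelta(hours=1)):
    """Return (hits, silent_hosts).

    hits: executed commands matching SUSPICIOUS, in log order.
    silent_hosts: hosts whose last message is more than `silence` behind the
    newest message seen from any host (a logging stream that stopped)."""
    hits, last_seen = [], {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host, ts = rec["host"], rec["ts"]
        last_seen[host] = max(ts, last_seen.get(host, ts))
        if rec["msgid"] not in ("111008", "111010"):   # executed-command messages
            continue
        cmd_m = CMD_RE.search(rec["body"])
        if not cmd_m:
            continue
        reason = classify_command(cmd_m.group("cmd"))
        if reason is None:
            continue
        user_m = USER_RE.search(rec["body"])
        src_m = SRC_RE.search(rec["body"])
        hits.append({
            "host": host, "ts": ts, "cmd": cmd_m.group("cmd"), "reason": reason,
            "user": user_m.group("user") if user_m else None,
            "src": src_m.group("ip") if src_m else None,
        })
    newest = max(last_seen.values(), default=None)
    silent = sorted(h for h, t in last_seen.items()
                    if newest is not None and newest - t > silence)
    return hits, silent


# Constructed collector output (not real captures).
SAMPLE_LOG = """\
Sep 25 2025 09:00:01 fw-branch-a : %ASA-6-302013: Built inbound TCP connection 1 for outside:198.51.100.7/50000
Sep 25 2025 09:05:10 fw-branch-a : %ASA-5-111008: User 'enable_15' executed the 'no logging enable' command.
Sep 25 2025 09:05:12 fw-branch-a : %ASA-5-111010: User 'enable_15', running 'CLI' from IP 198.51.100.7, executed 'clear logging buffer'
Sep 25 2025 09:06:00 fw-branch-a : %ASA-5-111010: User 'enable_15', running 'CLI' from IP 198.51.100.7, executed 'crashinfo force page-fault'
Sep 25 2025 09:00:05 fw-dc-1 : %ASA-5-111008: User 'netops' executed the 'show version' command.
Sep 25 2025 12:30:00 fw-dc-1 : %ASA-6-302013: Built inbound TCP connection 2 for outside:203.0.113.9/51000
"""

if __name__ == "__main__":
    hits, silent = hunt(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h['ts']} {h['host']} {h['reason']}: '{h['cmd']}' by {h['user']} from {h['src']}")
    print("silent hosts:", silent)
```

The silence check is deliberately relative to the fleet rather than to wall-clock time, so a collector outage does not flag every device at once; a single host that stops talking while its peers continue is the case worth opening.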

The UK’s National Cyber Security Centre (NCSC) published a technical analysis (PDF) of the malware identified in the observed attacks, recommending that the vulnerable ASA 5500-X series models that have been or will soon be discontinued be replaced as soon as possible.

“The NCSC is calling on network defenders using affected products to urgently investigate this activity and has published new analysis of the malware components – dubbed RayInitiator and LINE VIPER – to assist with detection and mitigation,” NCSC notes.

On Thursday, the US cybersecurity agency CISA added both CVE-2025-20333 and CVE-2025-20362 to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to address them within one day.

CISA also issued Emergency Directive ED 25-03, mandating that federal agencies identify all Cisco ASA and Firepower devices in their environments, collect memory files, and send them to CISA for forensic analysis by the end of the day on September 26.

“CISA is directing agencies to account for all Cisco ASA and Firepower devices, collect forensics and assess compromise via CISA-provided procedures and tools, disconnect end-of-support devices, and upgrade devices that will remain in service. These actions are directed to address the immediate risk, assess compromise, and inform analysis of the ongoing threat actor campaign,” CISA notes.

On Thursday, Cisco also released patches for CVE-2025-20363 (CVSS score of 9.0), a remote code execution bug that can be exploited without authentication on devices running ASA and FTD software, but requires authentication on products running IOS, IOS XE, and IOS XR software.

“An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web service on an affected device after obtaining additional information about the system, overcoming exploit mitigations, or both. A successful exploit could allow the attacker to execute arbitrary code as root, which may lead to the complete compromise of the affected device,” the company notes.

CVE-2025-20363 does not appear to have been exploited in the wild, although Cisco mentions it in the alert detailing the observed compromise.

Related: Cisco Patches Zero-Day Flaw Affecting Routers and Switches

Related: Cisco Patches High-Severity IOS XR Vulnerabilities

Related: Chinese Hackers Lurked Nearly 400 Days in Networks With Stealthy BrickStorm Malware

Related: Bridging the Gap Between Training and Behavior


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.