Despite Cisco and various cybersecurity agencies warning for months that attackers are actively exploiting zero-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) in Cisco Adaptive Security Appliances (ASA), there are still around 48,000 vulnerable appliances out there.
The number comes from the Shadowserver Foundation, which scans for internet-facing vulnerable Cisco ASA/FTD instances every day. A majority of those are located in the US, and the rest mostly in the UK, Japan, Russia, Germany, and Canada.
Surge in Cisco ASA scanning preceded public disclosure of attacks
In May 2025, Cisco was engaged by multiple cybersecurity agencies to support their investigation of attacks targeting government organizations via Cisco ASA 5500-X Series devices.
“Attackers were observed to have exploited multiple zero-day vulnerabilities and employed advanced evasion techniques such as disabling logging, intercepting CLI commands, and intentionally crashing devices to prevent diagnostic analysis,” the company said.
They also noted that the tactics, techniques, and procedures (TTPs) and the custom malware employed by the attackers point to the involvement of the same (suspected state-sponsored) threat actor as the ArcaneDoor attack campaign.
In late August, i.e., several weeks before Cisco and the cybersecurity agencies shared details about the attacks and the zero-days exploited, GreyNoise detected scanning surges against Cisco ASA devices, hitting ASA login portals, IOS Telnet/SSH, and ASA software personas. The company warned at the time that future vulnerability disclosures were likely imminent.
Whether these scans were performed by the same threat actor is impossible to tell.
Cisco customers advised to act quickly
What’s sure is that Cisco ASA and FTD appliances are deployed by many government organizations and private sector companies, and they are of high value to all types of attackers.
Organizations should check whether their instances are vulnerable and, if they are, check for indicators of compromise and ask Cisco for help if they aren’t sure how to go about it.
The company also advises customers to replace devices that will soon reach their out-of-support dates and to update vulnerable devices to a fixed release as soon as possible. Local passwords, certificates, and keys on potentially compromised devices should also be replaced.
“This is best achieved by resetting the device to factory defaults after the upgrade to a fixed release and then reconfiguring the device from scratch with new passwords, and re-generated certificates and keys,” Cisco noted.
Affected organizations should also report any evidence of compromise to the cybersecurity agency in their respective countries.
Organizations that are using Cisco’s routers and switches meant for SMB, enterprise and industrial settings should also upgrade the firmware to fix a bucketload of vulnerabilities, including one (CVE-2025-20352) that has been exploited in zero-day attacks. (There’s currently no indication that these attacks and those targeting ASA devices are performed by the same threat actor.)