Cisco Issues Emergency Patches for Firewall Zero-Day Exploits

Cisco has released urgent security updates to address multiple vulnerabilities in its firewall products

Cisco has released urgent security updates to address multiple vulnerabilities in its firewall products, two of which were actively exploited in cyber-espionage attacks linked to the ArcaneDoor campaign. The flaws pose significant risks to organizations relying on Cisco’s widely deployed Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software.

Details of the Vulnerabilities

The two primary vulnerabilities patched are:

  • CVE-2025-20333 (CVSS 9.9): A critical flaw in the VPN web server component that allows remote code execution with root privileges by an attacker who holds valid VPN credentials.

  • CVE-2025-20362 (CVSS 6.5): A medium-severity flaw that allows unauthenticated access to restricted URLs.

Cisco explained that the issues stem from improper validation of user-supplied HTTP(S) requests, enabling attackers to craft malicious inputs that bypass normal security controls.

In addition, Cisco disclosed CVE-2025-20363 (CVSS 9.0), a newly identified remote code execution bug affecting ASA, FTD, IOS, IOS XE, and IOS XR software. Unlike the other two, this vulnerability has not yet been observed in the wild.

Exploitation in ArcaneDoor Campaign

Cisco first identified the flaws while investigating government-targeted intrusions in May 2025. Attackers compromised ASA 5500-X devices with VPN services enabled, deploying malware and executing commands while deliberately disabling logs and even crashing devices to prevent forensics.

The campaign’s sophistication included tampering with device firmware and exploiting the lack of Secure Boot and Trust Anchor support in older models, ensuring persistence across restarts and software updates. Evidence suggests that the attackers may be linked to China-based threat actors, though attribution remains unconfirmed.

Impacted Devices and Risk

Devices confirmed as compromised include:

  • End-of-life ASA models: 5512-X, 5515-X, and 5585-X

  • Soon-to-be-discontinued models: 5525-X, 5545-X, and 5555-X

While newer Firepower and Secure Firewall appliances are also technically vulnerable, Cisco has not observed successful compromises on devices that support Secure Boot and Trust Anchors.

Mitigation and Response

Cisco strongly advises users to immediately apply the emergency patches, which automatically scan for malicious persistence mechanisms in device ROM. Additional recommended steps include:

  • Rotating all passwords, keys, and digital certificates

  • Treating all configurations on compromised devices as untrusted

  • Replacing discontinued hardware that cannot support security updates

Cisco has also released a detailed detection guide to help organizations identify signs of compromise.

Global Security Response

The UK’s National Cyber Security Centre (NCSC) has published a technical analysis of the ArcaneDoor malware components, dubbed RayInitiator and LINE VIPER, urging affected organizations to retire outdated ASA models immediately.

In the United States, CISA added CVE-2025-20333 and CVE-2025-20362 to its Known Exploited Vulnerabilities (KEV) catalog and issued Emergency Directive ED 25-03. The directive requires federal agencies to:

  • Identify all ASA and Firepower devices

  • Collect forensic memory files for CISA analysis

  • Disconnect unsupported models

  • Upgrade and secure devices that remain in service

Conclusion

The ArcaneDoor-linked zero-days highlight the ongoing risk of sophisticated state-sponsored espionage campaigns targeting critical infrastructure. Cisco’s emergency patches, combined with CISA and NCSC guidance, underscore the urgency for organizations to update, harden, and modernize their firewall defenses.