UK and US security agencies order urgent fixes as Cisco firewall bugs exploited in wild

Cybersecurity agencies on both sides of the Atlantic are sounding the alarm over Cisco firewall vulnerabilities that are being exploited by an “advanced threat actor.”

The Cybersecurity and Infrastructure Security Agency (CISA) issued an Emergency Directive (ED 25-03) on Thursday, saying there is “an unacceptable risk” to government systems if Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices are left unpatched. Federal civilian agencies have been given just 24 hours to identify affected kit, collect forensic evidence and check logs for compromise, and apply Cisco’s fixes – in that order, since patching a box that has already been implanted does not tell you it was implanted.

CISA also warned that any ASA boxes hitting end-of-life on September 30 shouldn’t just be patched – they need to be yanked off networks for good.

The UK’s National Cyber Security Centre has also urged organizations to patch the vulnerabilities, tracked as CVE-2025-20333 and CVE-2025-20362, which are being abused to “implant malware, execute commands, and potentially exfiltrate data from compromised devices.”

Cisco released patches for the flaws on Thursday. CVE-2025-20362 is a missing-authorization bug in the ASA and FTD VPN web server that lets an unauthenticated remote attacker reach URL endpoints that should require a login; CVE-2025-20333 is a buffer overflow in the same web server that gives an authenticated attacker arbitrary code execution as root. Cisco warned that when chained together, the two let an attacker remotely take complete control of a device without valid credentials.

The networking giant has also admitted that it knew these flaws were being exploited as far back as May, when government incident responders called it in to help investigate intrusions on ASA 5500-X firewalls. Attackers were already dropping implants, running commands, and siphoning data – a detail that makes the months-long delay in raising the wider alarm all the more uncomfortable.

Cisco assesses with “high confidence” that this wave of exploitation is tied to the ArcaneDoor campaign it reported last year. The company described the activity as “highly targeted,” involving custom implants and persistence mechanisms designed to maintain long-term access – on older ASA 5500-X models without Secure Boot, that included tampering with ROMMON so the implant survives reboots and software upgrades, which is why simply applying the patch does not guarantee an already compromised box is clean.

ArcaneDoor first came to light in April 2024, when Cisco patched two zero-day flaws in ASA and FTD firewalls that had already been exploited to break into government and telecom networks. Cisco pinned the activity on a threat crew it dubbed UAT4356, which had been abusing the bugs to compromise government systems worldwide since November 2023.

“This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted,” the company said, adding that the threat group has the “hallmarks of a sophisticated state-sponsored actor.”

Security researchers reckon the fingerprints look familiar. By investigating the attacker-controlled IP addresses flagged by Cisco Talos and cross-checking them against certificate data, Censys uncovered links to major Chinese networks and traces of homegrown anti-censorship software.

And if all that wasn’t bad enough, the firewall fiasco lands barely 24 hours after Cisco admitted yet another zero-day was being exploited in its IOS software. For customers, it’s starting to look less like bad luck and more like a habit. ®
