Nearly 50,000 Cisco ASA/FTD instances vulnerable to two bugs that are actively being exploited by “advanced” attackers remain exposed to the internet, according to Shadowserver data.
The internet monitoring outfit said that as of Monday, the internet-facing Cisco firewalls are potentially exploitable, with the vast majority of those – more than 19,000 – located in the US.
The vulnerabilities in question are CVE-2025-20333 (9.9) and CVE-2025-20362 (6.5), which affect Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices.
National security agencies such as the UK’s NCSC and its equivalents in Canada, France, and the Netherlands each issued separate advisories warning of the threat the vulnerabilities present to organizations.
CISA issued a rare order to all federal civilian executive branch (FCEB) agencies to patch the vulnerabilities within 24 hours.
When bugs like this are added to CISA’s Known Exploited Vulnerability catalog, FCEB agencies are typically afforded a three-week window in order to apply patches.
A 24-hour window is rare, but not unheard of, and is only used in cases where the likelihood of exploitation is especially high.
CISA told all agencies that failing to patch affected devices would introduce an “unacceptable risk” to government systems.
The vulnerabilities affect Cisco ASA software versions: 9.12, 9.14, 9.16 to 9.20, and 9.22 to 9.23. They also affect ASA and FTD versions 7.0 to 7.4, and 7.6 to 7.7.
Both the NCSC and CISA said the successful attacks seen so far are highly likely launched by those behind the ArcaneDoor attack campaign, who previously targeted the same Cisco products in 2024 by exploiting zero-days.
- Zero-day deja vu as another Cisco IOS bug comes under attack
- FBI: Russian spies exploiting a 7-year-old Cisco bug to slurp configs from critical infrastructure
- Cisco’s Secure Firewall Management Center now not-so secure, springs a CVSS 10 RCE hole
- Watch out, another max-severity, make-me-root Cisco bug on the loose
This time, the NCSC said the attackers are deploying malware called RayInitiator and Line Viper. RayInitiator, a bootkit designed to ensure stealthy and persistent access to devices and target networks, facilitates the deployment of Line Viper, a shellcode loader.
The NCSC said the deployment of malware via a persistent bootkit represents a sophisticated evolution in tradecraft compared to the ArcaneDoor campaign.
The devices at risk of exploitation are 5500-X-series firewalls. All of the targeted attacks so far have focused on devices either no longer supported with security updates or whose support ends today.
Some 5500-X-series devices go EOL in August 2026, which should be patched, but if there are no updates available for your deployment, then it’s time to rip it out for good, the natsec agencies advised.
“It is critical for organizations to take note of the recommended actions highlighted by Cisco today, particularly on detection and remediation,” NCSC CTO Ollie Whitehouse said last week.
“We strongly encourage network defenders to follow vendor best practices and engage with the NCSC’s malware analysis report to assist with their investigations.
“End-of-life technology presents a significant risk for organizations. Systems and devices should be promptly migrated to modern versions to address vulnerabilities and strengthen resilience.” ®
