CISA Mandates Urgent Patching for Actively Exploited Cisco Zero-Day Flaws

Summary
– CISA issued Emergency Directive 25-03 requiring federal agencies to patch two actively exploited zero-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) in Cisco ASA and FTD software.
– The directive mandates agencies to identify all affected devices, disconnect compromised ones, and patch unaffected devices by a specific deadline, while permanently removing end-of-support hardware.
– These vulnerabilities, when chained, allow unauthenticated attackers to gain full remote control of devices, deploying persistent malware like LINE VIPER and the GRUB bootkit ‘RayInitiator’.
– The attacks are linked to the ArcaneDoor campaign conducted by the UAT4356 threat group, which has been targeting government networks globally since at least July 2023.
– Cisco has released patches for these flaws and a third critical vulnerability (CVE-2025-20363), though the third is not currently linked to these active attacks.
The Cybersecurity and Infrastructure Security Agency (CISA) has mandated immediate action from U.S. federal agencies to address two critical vulnerabilities in Cisco firewall products that are currently being exploited by attackers. This emergency directive, issued on September 25, targets flaws in Cisco’s Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) software, identified as CVE-2025-20333 and CVE-2025-20362. The agency characterizes the threat as widespread, involving zero-day exploits that allow for unauthenticated remote code execution and sophisticated persistence mechanisms that survive device reboots and system upgrades.
Federal Civilian Executive Branch (FCEB) agencies are under a strict deadline to comply with the directive. They must immediately inventory all Cisco ASA and Firepower devices on their networks. Any devices found to be compromised must be disconnected. For systems showing no signs of intrusion, agencies are required to apply the necessary security patches by 12 PM EDT on September 26. Furthermore, any ASA devices that are approaching their end-of-support life must be permanently removed from agency networks by September 30.
According to analysis from the UK’s National Cyber Security Centre (NCSC), the attackers are focusing on 5500-X series devices that lack secure boot functionality. The campaign involves deploying a user-mode shellcode loader known as LINE VIPER and a persistent GRUB bootkit called ‘RayInitiator’. These tools enable the threat actors to implant malware, run commands, and potentially steal sensitive data from the compromised systems.
This activity is connected to the ongoing ArcaneDoor cyber espionage campaign. Cisco has released updates to fix the vulnerabilities, noting that when chained together, CVE-2025-20333 and CVE-2025-20362 can grant unauthenticated attackers complete remote control over vulnerable devices. The attackers have demonstrated advanced capabilities, including disabling system logging, intercepting command-line interface commands, and deliberately crashing devices to hinder forensic analysis. In some instances, the threat actors modified the read-only memory (ROM) to maintain their foothold even after a device is rebooted or its software is upgraded.
The ArcaneDoor campaign, attributed to a threat group tracked as UAT4356 (or STORM-1849), has been active since at least July 2023. It previously leveraged other Cisco zero-day flaws to breach government networks globally. In a related development, Cisco also patched a third critical vulnerability (CVE-2025-20363) in its firewall and IOS software last Friday. This flaw could allow remote code execution, though the company has stated it has not yet observed active exploitation of this particular vulnerability.
(Source: Bleeping Computer)