
Cisco ASA Firewalls Remain Vulnerable to Zero-Day Attacks

Summary

– Around 48,000 Cisco ASA devices remain vulnerable to actively exploited zero-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) despite warnings, with most located in the US.
– A surge in scanning of Cisco ASA devices was detected weeks before public disclosure of the attacks, though it’s unclear if the same threat actor was responsible.
– Attackers used advanced techniques like disabling logging and crashing devices, with evidence pointing to the same state-sponsored actor as the ArcaneDoor campaign.
– Cisco advises organizations to check for vulnerabilities, update devices, reset to factory defaults, and replace local credentials to secure their systems.
– Cisco also recommends upgrading firmware on routers and switches to address other vulnerabilities, including CVE-2025-20352, which has been exploited in zero-day attacks.

A significant number of Cisco Adaptive Security Appliances remain exposed to active zero-day attacks, with recent data indicating approximately 48,000 vulnerable devices still connected to the internet. Security organizations continue to track these internet-facing systems daily and find most of them in the United States, followed by the United Kingdom, Japan, Russia, Germany, and Canada. The persistence of these unpatched systems creates ongoing risk for organizations worldwide.

Before cybersecurity agencies publicly revealed attack details, monitoring services detected unusual scanning activity targeting Cisco ASA equipment. These scans focused on ASA login interfaces, IOS Telnet and SSH services, and ASA software components, suggesting attackers were preparing for exploitation. While the origin of these reconnaissance efforts remains unconfirmed, their timing strongly indicated upcoming vulnerability disclosures.

Earlier this year, Cisco collaborated with multiple cybersecurity agencies investigating sophisticated attacks against government networks. The incidents involved Cisco ASA 5500-X Series devices where threat actors leveraged multiple zero-day vulnerabilities while implementing advanced evasion methods. Attackers deliberately disabled logging systems, intercepted command-line interface commands, and forced device crashes to obstruct forensic analysis. Security researchers noted that the tactics and custom malware employed closely matched those used in the earlier ArcaneDoor campaign, suggesting possible involvement by the same state-sponsored threat group.

The continued presence of vulnerable systems presents serious concerns given the widespread deployment of Cisco ASA and FTD appliances across government and corporate networks. These high-value targets attract various threat actors seeking access to sensitive environments. Organizations must immediately verify whether their systems are affected by these vulnerabilities and examine them for potential compromise indicators. Those uncertain about proper investigation procedures should contact Cisco’s technical support directly.

Cisco strongly recommends that customers replace equipment approaching end-of-support dates and promptly update vulnerable devices to patched software versions. For systems potentially compromised during attacks, administrators should regenerate all local passwords, security certificates, and encryption keys. The most secure approach involves performing factory resets on upgraded devices, then rebuilding configurations completely using newly created credentials and certificates.
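The first step in the advice above, confirming whether a device is still on vulnerable software, is easy to get wrong across a large fleet because ASA version strings such as 9.16(4)67 do not compare correctly as plain text. The following script is an added illustration, not Cisco's own tooling or anything from the original article: it parses the version line from captured `show version` output, compares it field by field against a per-train fixed-version table, and reports which devices still need an upgrade. The `FIXED_VERSIONS` values and the `show version` excerpts are constructed placeholders; the real fixed releases for CVE-2025-20333 and CVE-2025-20362 must be taken from Cisco's advisory before the result is trusted.

```python
"""Triage captured Cisco ASA 'show version' output against a fixed-version table.

Added example, not Cisco tooling. All version numbers below are constructed
placeholders; replace FIXED_VERSIONS with the releases named in Cisco's advisory.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, maintenance, interim)

# PLACEHOLDER table: software train -> first release that carries the fix.
# Constructed values for illustration only, NOT the real fixed releases.
FIXED_VERSIONS: Dict[str, str] = {
    "9.16": "9.16(4)99",
    "9.18": "9.18(4)99",
    "9.20": "9.20(3)99",
}

# Matches the version line of 'show version', e.g. "... Software Version 9.16(4)67".
_VERSION_LINE = re.compile(
    r"Adaptive Security Appliance Software Version (\d+)\.(\d+)\((\d+)\)(\d*)"
)
_BARE_VERSION = re.compile(r"(\d+)\.(\d+)\((\d+)\)(\d*)")


def version_tuple(text: str) -> Optional[Version]:
    """Parse a bare ASA version string such as '9.16(4)67' into a comparable tuple.

    A missing interim number is treated as 0 so that 9.16(4) sorts before 9.16(4)1.
    """
    m = _BARE_VERSION.fullmatch(text.strip())
    if not m:
        return None
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def parse_show_version(output: str) -> Optional[Version]:
    """Extract the running software version from captured 'show version' text."""
    m = _VERSION_LINE.search(output)
    if not m:
        return None
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def assess(output: str) -> str:
    """Classify one device as 'patched', 'needs_upgrade', 'unknown_train' or 'unparsed'.

    'unknown_train' means the table has no entry for that major.minor train; such
    devices need manual review rather than being assumed safe.
    """
    running = parse_show_version(output)
    if running is None:
        return "unparsed"
    train = f"{running[0]}.{running[1]}"
    fixed_text = FIXED_VERSIONS.get(train)
    if fixed_text is None:
        return "unknown_train"
    fixed = version_tuple(fixed_text)
    # Tuple comparison gives the numeric, field-by-field ordering that plain
    # string comparison of "9.16(4)67" vs "9.16(4)105" would get wrong.
    return "patched" if running >= fixed else "needs_upgrade"


def triage_fleet(captures: Dict[str, str]) -> Dict[str, str]:
    """Map each hostname to its assessment; sorted so the report is stable."""
    return {host: assess(captures[host]) for host in sorted(captures)}


# Constructed sample captures (hostnames and versions are invented for the example).
SAMPLE_CAPTURES = {
    "fw-dc1": "Cisco Adaptive Security Appliance Software Version 9.16(4)67\n",
    "fw-dc2": "Cisco Adaptive Security Appliance Software Version 9.18(4)105\n",
    "fw-branch": "Cisco Adaptive Security Appliance Software Version 9.12(4)67\n",
    "fw-legacy": "Connection closed by remote host\n",
}

if __name__ == "__main__":
    for host, state in triage_fleet(SAMPLE_CAPTURES).items():
        print(f"{host:12s} {state}")
```

Devices reported as `needs_upgrade` are only the start of the remediation the article describes: after the upgrade, local credentials, certificates and keys on any device that may have been reached by the attackers still have to be regenerated, and a factory reset with a rebuilt configuration is the safest path for those systems.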

Any organization discovering evidence of intrusion should report these findings to their national cybersecurity authority immediately. Additionally, businesses using Cisco routers and switches designed for small-to-medium business, enterprise, and industrial environments should update their firmware to address numerous vulnerabilities, including one actively exploited in zero-day attacks. Currently, no evidence connects these router attacks with the campaigns targeting ASA devices.


(Source: HelpNet Security)
