
Active Attacks Exploit Cisco ASA Zero-Day Flaws

Summary

– A widespread campaign is exploiting zero-day vulnerabilities in Cisco ASA and FTD software, as revealed by multiple international cybersecurity agencies.
– The threat actor is suspected to be state-sponsored and is linked to the 2023/2024 ArcaneDoor campaign, using custom malware like “Line Dancer” and “Line Runner.”
– Two specific vulnerabilities (CVE-2025-20362 and CVE-2025-20333) have been actively exploited to bypass authentication and execute arbitrary code on affected devices.
– The attackers used advanced techniques, including disabling logging and modifying the ROMMON on older ASA 5500-X models to achieve persistent access across reboots and upgrades.
– CISA has issued an emergency directive for US agencies to identify, analyze, and patch vulnerable devices, while the NCSC warns of the campaign’s increased sophistication.

A coordinated international cybersecurity alert has been issued concerning active attacks exploiting newly discovered zero-day vulnerabilities in Cisco ASA and FTD software. Government agencies from the United States, United Kingdom, Canada, and Australia have confirmed a widespread campaign targeting organizations through these security flaws. Investigators attribute the campaign to a sophisticated threat actor, likely state-sponsored, with ties to the previously documented ArcaneDoor attacks from 2023 and 2024.

Cisco has released three critical security advisories addressing the flaws. Two of the vulnerabilities, CVE-2025-20362 and CVE-2025-20333, are confirmed to have been actively exploited. The first allows unauthenticated attackers to access restricted URL endpoints on the VPN web server. The second, which is more severe, allows authenticated attackers to execute arbitrary code on vulnerable devices. A third flaw, CVE-2025-20363, which also allows remote code execution, was discovered during the investigation but has not yet been seen in active attacks.

The investigation began in May 2025 after Cisco was contacted by government incident response teams. They were looking into attacks targeting specific Cisco ASA 5500-X Series devices that had VPN web services enabled. The threat actor’s methods show a high level of sophistication, mirroring techniques from the ArcaneDoor campaign. These include disabling logging, intercepting CLI commands, and intentionally crashing devices to hinder forensic analysis.

A particularly concerning discovery involves modifications to the ROMMON, the low-level bootstrap program. This tampering allows malware to persist across device reboots and even software upgrades. These ROMMON modifications have only been observed on older Cisco ASA 5500-X Series models that lack Secure Boot and Trust Anchor technologies, such as the 5512-X through 5585-X. Newer models with these security features, as well as devices running Cisco Secure Firewall Threat Defense (FTD) Software, have not been successfully compromised via these zero-days.

In response, the US Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive. It mandates that federal agencies immediately identify all affected Cisco devices, collect memory files for forensic analysis by a specified deadline, apply available patches, and disconnect any end-of-support hardware.

The UK’s National Cyber Security Centre (NCSC) has provided a detailed analysis of the malware used in the attacks, identifying two primary components. RayInitiator is a persistent multi-stage bootkit designed to survive reboots and firmware updates. LINE VIPER is a sophisticated user-mode shellcode loader capable of executing commands, capturing packets, and evading detection. The NCSC has made detection scripts available and emphasized that this malware represents a significant evolution in sophistication compared to previous campaigns.

Organizations are urged to take immediate action. Applying the security patches released by Cisco is the most critical step. For devices that are nearing or have reached end-of-support, replacement or upgrade is strongly recommended to ensure ongoing protection. Proactive hunting for signs of compromise and reporting any findings to the relevant national cybersecurity authority is also essential to mitigate the impact of these serious threats.
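To help with the first step of the response described above (identifying which Cisco ASA devices to prioritize), here is an added triage helper that is not part of the original article, the advisories, or any Cisco or NCSC tooling. It reads the text of a device's `show version` and `show running-config` output, flags the older 5500-X models the article names as lacking Secure Boot and Trust Anchor (5512-X through 5585-X), and checks whether VPN web services (`webvpn`) are enabled. The `Hardware:` line format, the model list inside that range, and the sample outputs are assumptions; confirm the model list against Cisco's advisory before relying on it.

```python
import re

# Models assumed to fall in the article's "5512-X through 5585-X" range that lacks
# Secure Boot / Trust Anchor. Assumption: verify this list against Cisco's advisory.
LEGACY_MODELS = {"5512", "5515", "5525", "5545", "5555", "5585"}


def parse_model(show_version: str):
    """Extract the chassis model number from 'show version' output.

    Assumes a line such as 'Hardware:   ASA5525, 8192 MB RAM'; returns None if absent.
    """
    m = re.search(r"Hardware:\s*ASA(\d{4})", show_version)
    return m.group(1) if m else None


def webvpn_enabled(running_config: str) -> bool:
    """True if a top-level 'webvpn' block contains an 'enable <interface>' line."""
    in_block = False
    for line in running_config.splitlines():
        if not line.startswith(" "):          # a non-indented line starts a new block
            in_block = line.strip() == "webvpn"
            continue
        if in_block and line.strip().startswith("enable "):
            return True
    return False


def triage(show_version: str, running_config: str) -> dict:
    """Rank a device for the identify/collect/patch/retire workflow (1 = most urgent)."""
    model = parse_model(show_version)
    legacy = model in LEGACY_MODELS
    vpn = webvpn_enabled(running_config)
    if legacy and vpn:
        priority, reason = 1, "legacy 5500-X with VPN web services enabled: collect memory, patch or retire"
    elif legacy:
        priority, reason = 2, "legacy 5500-X without Secure Boot: patch or retire"
    elif vpn:
        priority, reason = 3, "VPN web services enabled: patch"
    else:
        priority, reason = 4, "patch on the normal schedule"
    return {"model": model, "legacy_5500x": legacy, "webvpn": vpn,
            "priority": priority, "reason": reason}


# Constructed sample outputs for demonstration; not captured from a real device.
SAMPLE_VERSION = "Cisco Adaptive Security Appliance Software\n\nHardware:   ASA5525, 8192 MB RAM\n"
SAMPLE_CONFIG = "interface GigabitEthernet0/0\n nameif outside\n!\nwebvpn\n enable outside\n anyconnect enable\n"

if __name__ == "__main__":
    print(triage(SAMPLE_VERSION, SAMPLE_CONFIG))
```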

(Source: HelpNet Security)
