China-Linked Hackers Exploit Cisco Firewall Zero-Days

Summary
– Cisco has released emergency patches for two zero-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) exploited in the ArcaneDoor espionage campaign.
– These flaws, caused by improper input validation, allow remote code execution or unauthorized URL access on Cisco ASA and FTD software.
– The attacks successfully compromised several ASA 5500-X series devices, allowing hackers to deploy malware and exfiltrate data.
– CISA has added these vulnerabilities to its Known Exploited Vulnerabilities catalog and issued an emergency directive for federal agencies.
– Cisco and the UK’s NCSC advise users to update devices immediately, rotate credentials, and replace discontinued vulnerable models.
Cisco has issued emergency security updates to address two actively exploited zero-day vulnerabilities within its firewall products. These flaws, connected to the ArcaneDoor espionage campaign, pose a significant threat to government and organizational networks globally. The situation has prompted urgent action from international cybersecurity agencies, underscoring the critical need for immediate patching.
The vulnerabilities, identified as CVE-2025-20333 and CVE-2025-20362, reside in the VPN web server component of Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The more severe of the two, CVE-2025-20333, carries a CVSS score of 9.9 and allows a remote attacker with valid VPN credentials to execute arbitrary code with root-level privileges. The second flaw, while rated medium severity, can be exploited without any authentication to gain unauthorized access to a restricted URL. Both issues stem from a failure to properly validate user-supplied input in HTTP(S) requests.
Cisco’s investigation began in May 2025 after the company was called in to assist with attacks on government entities. The investigation revealed that threat actors had compromised ASA 5500-X series devices with VPN services enabled. These attackers, associated with the ArcaneDoor campaign, used the zero-days to deploy malware, execute commands, and likely exfiltrate sensitive data from the infected systems. The hackers employed sophisticated techniques to cover their tracks, including disabling system logging, intercepting command-line interface commands, and deliberately crashing devices to hinder forensic analysis.
Evidence strongly suggests the involvement of a China-based hacking group. A particularly concerning aspect of the attack is that the threat actor tampered with the devices’ read-only memory (ROM) to establish persistence that survives reboots and software updates. This was possible because the successfully compromised devices, including discontinued models like the 5512-X and soon-to-be-retired models like the 5525-X, do not support the Secure Boot and Trust Anchor security features. Newer models that include these protections have not been observed to be compromised.
In response, authorities are urging immediate action. The UK’s National Cyber Security Centre (NCSC) has published a technical analysis of the malware, dubbed RayInitiator and LINE VIPER, and recommends replacing vulnerable, end-of-life ASA 5500-X models as soon as possible. Simultaneously, the US Cybersecurity and Infrastructure Security Agency (CISA) has added both vulnerabilities to its Known Exploited Vulnerabilities catalog, giving federal agencies just one day to apply patches. CISA has also issued an Emergency Directive requiring federal agencies to identify all affected Cisco devices, collect forensic data, and disconnect any that are no longer supported.
Cisco advises all users to install the available updates without delay. The patched software will automatically scan the ROM and remove any persistence mechanisms left by the attackers. Furthermore, organizations should rotate all passwords, certificates, and cryptographic keys after applying the fix. In cases of suspected compromise, every configuration element on the device must be treated as untrusted. Cisco has released a detailed detection guide to assist with hunting for signs of the ArcaneDoor campaign.
In the same security alert, Cisco also addressed a separate high-severity remote code execution vulnerability, CVE-2025-20363. While this flaw has not been observed in active attacks, it highlights the ongoing need for comprehensive network device maintenance.
(Source: Security Week)