
Vulnerabilities Affecting Cisco ASA 5500-X Series Devices

Published: 29 September 2025

Prepared by: Adam Skupien, Vulnerability Security Analyst


PURPOSE 

The purpose of this alert is to bring attention to three publicly released vulnerabilities, two rated Critical and one rated Medium, identified as CVE-2025-20333 (Critical), CVE-2025-20363 (Critical) and CVE-2025-20362 (Medium), present in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Software.

Two of these vulnerabilities (CVE-2025-20333 and CVE-2025-20362) were exploited as zero-days and are currently being used in an active global campaign targeting Cisco ASA 5500-X Series models running Cisco ASA or FTD software.

Exploitation of CVE-2025-20333 could allow an authenticated, remote attacker to execute arbitrary code on an affected device.

Exploitation of CVE-2025-20363 could allow an unauthenticated, remote attacker or authenticated, remote attacker with low user privileges to execute arbitrary code on an affected device.

Exploitation of CVE-2025-20362 could allow an unauthenticated, remote attacker to access restricted URL endpoints.

Note that CVE-2025-20333 and CVE-2025-20362 specifically affect the VPN web server component of ASA and FTD appliances, meaning they are only exploitable if the VPN web service is enabled. In contrast, CVE-2025-20363 affects broader web services across multiple Cisco platforms and is not limited to the VPN web service.

DETAILS 

On 25 September 2025, Cisco released advisories disclosing the three aforementioned vulnerabilities and an advisory notifying of continued global attacks against Cisco appliances which included detailed mitigation advice. Cisco assesses with high confidence that this new activity is related to the same threat actor as the ArcaneDoor attack campaign reported in April 2024.

On 26 September 2025 the Australian Cyber Security Centre (ACSC) released an advisory noting that Australian organisations are impacted and urging affected organisations to follow Cisco's recommendations.

CVE-2025-20333 and CVE-2025-20362 have been added to the Cybersecurity & Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalogue.  

On 25 September 2025, Cisco issued notifications for the following vulnerabilities: 

CVE-2025-20333: A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote attacker to execute arbitrary code on an affected device.

CVE-2025-20363: A vulnerability in the web services of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software, Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an unauthenticated, remote attacker (Cisco ASA and FTD Software) or an authenticated, remote attacker with low user privileges (Cisco IOS, IOS XE, and IOS XR Software) to execute arbitrary code on an affected device.

CVE-2025-20362: A vulnerability in the VPN web server of Cisco Secure Firewall ASA Software and Cisco Secure FTD Software could allow an unauthenticated, remote attacker to access restricted URL endpoints that should otherwise be inaccessible without authentication.

CVE-2025-20333 and CVE-2025-20362 are tied directly to the VPN web server of Cisco ASA and FTD. Appliances without this service enabled are not exposed to exploitation of these vulnerabilities. Conversely, CVE-2025-20363 targets the broader web services stack (affecting ASA/FTD as well as IOS, IOS XE, and IOS XR), and may present exposure even when VPN web services are disabled.

MITIGATION ACTIONS 

Organisations should determine the Cisco devices and software releases used and upgrade to a fixed release.

For certain software trains (ASA 9.17, ASA 9.19, FTD 7.1 and FTD 7.3), Cisco has not issued a release that fixes all three vulnerabilities. Instead, organisations must migrate to a later train (such as ASA 9.20/9.22 or FTD 7.2/7.4) where the vulnerabilities are remediated.

Cisco ASA Software Release: first fixed release for each vulnerability, and the first release that fixes all of them

Release   CVE-2025-20333 (Critical)   CVE-2025-20363 (Critical)   CVE-2025-20362 (Medium)     All three
9.16      9.16.4.85                   9.16.4.84                   9.16.4.85                   9.16.4.85
9.17      9.17.1.45                   Migrate to a fixed release  Migrate to a fixed release  Migrate to a fixed release
9.18      9.18.4.47                   9.18.4.57                   9.18.4.67                   9.18.4.67
9.19      9.19.1.37                   9.19.1.42                   Migrate to a fixed release  Migrate to a fixed release
9.20      9.20.3.7                    9.20.3.16                   9.20.4.10                   9.20.4.10
9.22      9.22.1.3                    9.22.2                      9.22.2.14                   9.22.2.14
9.23      Not vulnerable              9.23.1.3                    9.23.1.19                   9.23.1.19


The fixed release for Cisco Secure ASA Software Release 9.12 is 9.12.4.72. It is available from the Cisco Software Download Center.
The fixed release for Cisco Secure ASA Software Release 9.14 is 9.14.4.28. It is available from the Cisco Software Download Center.

Cisco FTD Software Release: first fixed release for each vulnerability, and the first release that fixes all of them

Release   CVE-2025-20333 (Critical)   CVE-2025-20363 (Critical)   CVE-2025-20362 (Medium)     All three
7.0       7.0.8.1                     7.0.8                       7.0.8.1                     7.0.8.1
7.1       Migrate to a fixed release  Migrate to a fixed release  Migrate to a fixed release  Migrate to a fixed release
7.2       7.2.9                       7.2.10                      7.2.10.2                    7.2.10.2
7.3       Migrate to a fixed release  Migrate to a fixed release  Migrate to a fixed release  Migrate to a fixed release
7.4       7.4.2.4                     7.4.2.3                     7.4.2.4                     7.4.2.4
7.6       7.6.1                       7.6.1                       7.6.2.1                     7.6.2.1
7.7       Not vulnerable              7.7.10                      7.7.10.1                    7.7.10.1
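
To turn the two tables into a repeatable check, the following added example (written for this alert; it is not Cisco's or Triskele Labs' code) compares a device's running version against the "first fixed release for all of these vulnerabilities" column for its train. The tables, plus the 9.12/9.14 note, are transcribed into two dictionaries. The parser accepts the dotted form used in the tables and also the 9.18(4)47 form that ASA's show version prints; that second format is an assumption about the command's output.

```python
# Added example (not from the advisory or Cisco): check a running ASA/FTD version
# against the "first fixed release for all of these vulnerabilities" column.
import re

# Transcribed from the tables above plus the 9.12/9.14 note. None means Cisco
# lists no release fixing all three CVEs for that train: migrate to a fixed train.
ASA_FIXED_ALL = {
    "9.12": "9.12.4.72", "9.14": "9.14.4.28", "9.16": "9.16.4.85",
    "9.17": None, "9.18": "9.18.4.67", "9.19": None,
    "9.20": "9.20.4.10", "9.22": "9.22.2.14", "9.23": "9.23.1.19",
}
FTD_FIXED_ALL = {
    "7.0": "7.0.8.1", "7.1": None, "7.2": "7.2.10.2", "7.3": None,
    "7.4": "7.4.2.4", "7.6": "7.6.2.1", "7.7": "7.7.10.1",
}

# Assumed "show version" form, e.g. 9.18(4)47; checked first because the dotted
# pattern would otherwise stop at "9.18".
PAREN_RE = re.compile(r"(\d+)\.(\d+)\((\d+)\)(\d*)")
DOTTED_RE = re.compile(r"\d+(?:\.\d+)+")   # e.g. 9.18.4.47, as in the tables


def parse_version(text):
    """Return the version as a tuple of ints so tuples compare numerically.
    A shorter tuple such as (9, 22, 2) sorts before (9, 22, 2, 14), which is
    exactly what the 9.22.2 entry in the table requires."""
    m = PAREN_RE.search(text)
    if m:
        parts = [m.group(1), m.group(2), m.group(3), m.group(4) or "0"]
    else:
        m = DOTTED_RE.search(text)
        if not m:
            raise ValueError(f"no version number found in {text!r}")
        parts = m.group(0).split(".")
    return tuple(int(p) for p in parts)


def assess(product, version_text):
    """product is 'asa' or 'ftd'. Returns (status, detail) with status one of
    'fixed', 'vulnerable', 'migrate' or 'unknown-train'."""
    table = {"asa": ASA_FIXED_ALL, "ftd": FTD_FIXED_ALL}[product.lower()]
    running = parse_version(version_text)
    train = f"{running[0]}.{running[1]}"
    if train not in table:
        return "unknown-train", f"train {train} is not listed in the advisory tables"
    fixed = table[train]
    if fixed is None:
        return "migrate", f"no release of train {train} fixes all three CVEs"
    if running >= parse_version(fixed):
        return "fixed", f"{version_text} is at or above first fixed {fixed}"
    return "vulnerable", f"{version_text} is below first fixed {fixed}"


if __name__ == "__main__":
    for product, ver in [("asa", "9.18.4.47"), ("asa", "9.20(4)10"), ("ftd", "7.1.0.3")]:
        print(product, ver, *assess(product, ver))
```

Use the per-CVE columns instead when scoping a narrower question, for example whether a device with the VPN web server disabled still needs the CVE-2025-20363 fix. A train that does not appear in the tables is reported as unknown rather than as safe.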


If upgrading is not immediately feasible, the risk can be temporarily mitigated by disabling all SSL/TLS-based VPN web services. This includes disabling IKEv2 client services that facilitate the update of client endpoint software and profiles as well as disabling all SSL VPN services.

Disable IKEv2 Client Services

Disable IKEv2 client services by re-entering the crypto ikev2 enable <interface_name> command, without the client-services keyword, in global configuration mode for every interface on which IKEv2 client services are enabled, as shown in the following example:

firewall# show running-config crypto ikev2 | include client-services
 crypto ikev2 enable outside client-services port 443 
firewall# conf t 
firewall(config)# crypto ikev2 enable outside 
INFO: Client services disabled 
firewall(config)#

Note: Disabling IKEv2 client-services will prevent VPN clients from receiving VPN client software and profile updates from the device, but IKEv2 IPsec VPN functionality will be retained otherwise.

Disable all SSL VPN Services

To disable all SSL VPN services, run the no webvpn command in global configuration mode, as shown in the following example:

firewall# conf t 
firewall(config)# no webvpn 
WARNING: Disabling webvpn removes proxy-bypass settings.
 Do not overwrite the configuration file if you want to keep existing proxy-bypass commands. 
firewall(config)#

Note: All remote access SSL VPN features will cease to function after running this command.

Cisco advises that if an appliance is suspected or confirmed compromised, all configurations should be treated as untrusted. After upgrading to a fixed release, administrators should reset the device to factory defaults and reconfigure it with new passwords, certificates, and keys. This can be done with the configure factory-default command in global configuration mode, or, if unsupported, by using write erase followed by reload. For further analysis if potentially malicious activity is identified, open a Cisco Technical Assistance Center (TAC) case.

DETECTION 

Managed Detection and Response (MDR) platforms can monitor an environment for suspicious activity relating to the exploitation of these vulnerabilities. However, as these assets are appliances, they cannot run Security Information and Event Management (SIEM) collection agents or Endpoint Detection and Response (EDR) agents, which reduces overall visibility on the platform.

Please ensure that these devices are sending syslog to a SIEM so that malicious indicators can be identified.  

Cisco has provided the following detection guidance:

Syslog Changes

The following syslog IDs have been observed to be suppressed by this threat actor as a forensic countermeasure. The suppression is applied in memory and is not visible in the running-config.

  • 302013 (“informational” level)
  • 302014 (“informational” level)
  • 609002 (“debug” level)
  • 710005 (“debug” level)

A reduction or absence of these log messages can indicate potential malicious activity within the network. Reviewing historical occurrences of the relevant syslog IDs may also reveal signs of past compromise. In either case, full forensic collection is recommended.
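
One way to operationalise this check once the appliance syslog is in a SIEM, as an added example (not Cisco's guidance or code): the script below parses ASA syslog lines, counts the four watched message IDs per hour, and flags hours in which the device was still emitting other messages but none of the watched IDs, after they had previously been seen at a baseline rate. It assumes lines carry a timestamp and device ID in the form shown in the constructed sample (the "logging timestamp" and "logging device-id" style); adjust LINE_RE to match your own logging format.

```python
# Added example (not from the advisory or Cisco): detect hour-long windows in
# which the device kept logging but none of the four watched message IDs appeared.
import re
from collections import Counter
from datetime import datetime

WATCHED_IDS = {"302013", "302014", "609002", "710005"}

# Assumed line shape: "Sep 28 2025 10:00:01 fw1 : %ASA-6-302013: Built outbound TCP ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ : %ASA-\d-(?P<id>\d{6}): "
)


def parse_line(line):
    """Return (timestamp, message_id) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
    return ts, m.group("id")


def hourly_counts(lines):
    """Per hour: total ASA messages seen and how many carried a watched ID."""
    totals, watched = Counter(), Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg_id = parsed
        hour = ts.replace(minute=0, second=0, microsecond=0)
        totals[hour] += 1
        if msg_id in WATCHED_IDS:
            watched[hour] += 1
    return totals, watched


def find_suppression(lines, min_baseline=5):
    """Return the hours in which the device logged other messages but zero
    watched IDs, after an earlier hour showed them at a baseline rate. The
    baseline guard avoids flagging a quiet device that never logs them."""
    totals, watched = hourly_counts(lines)
    baseline_seen = False
    flagged = []
    for hour in sorted(totals):
        if watched[hour] >= min_baseline:
            baseline_seen = True
        elif baseline_seen and watched[hour] == 0:
            flagged.append(hour)
    return flagged


# Constructed sample: normal connection logging at 10:00; at 11:00 the device is
# still logging logins and commands but no 302013/302014/609002/710005 at all.
SAMPLE_LOG = """\
Sep 28 2025 10:00:01 fw1 : %ASA-6-302013: Built outbound TCP connection 1001 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.0.0.5/51000 (203.0.113.2/51000)
Sep 28 2025 10:00:09 fw1 : %ASA-6-302014: Teardown TCP connection 1001 for outside:198.51.100.7/443 to inside:10.0.0.5/51000 duration 0:00:08 bytes 5120 TCP FINs
Sep 28 2025 10:12:30 fw1 : %ASA-6-302013: Built outbound TCP connection 1002 for outside:198.51.100.9/443 (198.51.100.9/443) to inside:10.0.0.6/51010 (203.0.113.2/51010)
Sep 28 2025 10:12:41 fw1 : %ASA-6-302014: Teardown TCP connection 1002 for outside:198.51.100.9/443 to inside:10.0.0.6/51010 duration 0:00:11 bytes 8192 TCP FINs
Sep 28 2025 10:30:00 fw1 : %ASA-7-609002: Teardown local-host inside:10.0.0.5 duration 0:29:59
Sep 28 2025 10:45:15 fw1 : %ASA-6-302013: Built inbound TCP connection 1003 for outside:192.0.2.10/51515 (192.0.2.10/51515) to inside:10.0.0.7/443 (203.0.113.3/443)
Sep 28 2025 10:50:00 fw1 : %ASA-6-605005: Login permitted from 10.0.0.20/52000 to inside:10.0.0.1/ssh for user "admin"
Sep 28 2025 11:05:00 fw1 : %ASA-6-605005: Login permitted from 10.0.0.20/52010 to inside:10.0.0.1/ssh for user "admin"
Sep 28 2025 11:06:12 fw1 : %ASA-5-111008: User 'admin' executed the 'show checkheaps' command.
Sep 28 2025 11:40:00 fw1 : %ASA-6-113039: Group <RA-VPN> User <jdoe> IP <192.0.2.50> AnyConnect parent session started.
"""


if __name__ == "__main__":
    for hour in find_suppression(SAMPLE_LOG.splitlines()):
        print(f"no watched syslog IDs between {hour:%H:%M} and {hour.hour + 1:02d}:00 "
              "while other logging continued")
```

The hourly bucket and the baseline of five messages are tuning choices; a busy perimeter firewall logs 302013/302014 far more often than that, so a tighter window is reasonable there. A hit from this check is a prompt for the full forensic collection recommended above, not a verdict on its own.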

Checkheaps Manipulation

The threat actor has been observed to disable the checkheaps function. By default, checkheaps will run once every 60 seconds. Issuing the command show checkheaps will produce the following output:

firewall# show checkheaps  
Checkheaps stats from buffer validation runs  
-------------------------------------------- 
Time elapsed since last run      : 28 secs 
Duration of last run             : 0 millisecs 
Number of buffers created        : 106 
Number of buffers allocated      : 103 
Number of buffers free           : 3 
Total memory in use              : 110620 bytes 
Total memory in free buffers     : 124 bytes 
Total number of runs             : 6352 
firewall#

Run this command once per minute for five minutes. The Total number of runs counter should increase during this period. If it does not, this may indicate a compromise, and full forensic collection is recommended.
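
An added example (not Cisco's code) that scripts the five-minute checkheaps test: it parses each show checkheaps capture, extracts Total number of runs, and reports whether the counter advanced across the captures. The sample captures are constructed from the output shown above; on a real device they would be collected from the CLI or from a management tool's command output.

```python
# Added example (not from the advisory or Cisco): automate the five-minute
# "show checkheaps" test by parsing each capture and checking the run counter.
import re

RUNS_RE = re.compile(r"Total number of runs\s*:\s*(\d+)")
ELAPSED_RE = re.compile(r"Time elapsed since last run\s*:\s*(\d+)\s*secs")


def parse_checkheaps(output):
    """Extract the run counter and the elapsed-time field from one capture."""
    runs, elapsed = RUNS_RE.search(output), ELAPSED_RE.search(output)
    if runs is None or elapsed is None:
        raise ValueError("not a show checkheaps capture")
    return {"runs": int(runs.group(1)), "elapsed_secs": int(elapsed.group(1))}


def assess_checkheaps(captures):
    """captures: show checkheaps outputs in the order taken, about one minute
    apart. With the default 60-second schedule the counter should rise by
    roughly one per capture; the verdict only requires that it rose at all,
    which is the test the guidance above describes."""
    parsed = [parse_checkheaps(c) for c in captures]
    runs = [p["runs"] for p in parsed]
    advanced_by = runs[-1] - runs[0]
    return {
        "runs": runs,
        "advanced_by": advanced_by,
        "expected_roughly": len(captures) - 1,
        "monotonic": all(b >= a for a, b in zip(runs, runs[1:])),
        "last_elapsed_secs": parsed[-1]["elapsed_secs"],
        "suspicious": advanced_by <= 0,
    }


def sample_capture(runs, elapsed_secs):
    """Constructed capture in the shape of the output shown above."""
    return (
        "Checkheaps stats from buffer validation runs\n"
        "--------------------------------------------\n"
        f"Time elapsed since last run      : {elapsed_secs} secs\n"
        "Duration of last run             : 0 millisecs\n"
        "Number of buffers created        : 106\n"
        "Number of buffers allocated      : 103\n"
        "Number of buffers free           : 3\n"
        "Total memory in use              : 110620 bytes\n"
        "Total memory in free buffers     : 124 bytes\n"
        f"Total number of runs             : {runs}\n"
    )


# Constructed series: a healthy device whose counter rises each minute, and a
# device on which checkheaps has stopped so the counter never moves.
HEALTHY = [sample_capture(6352 + i, 28) for i in range(5)]
STUCK = [sample_capture(6352, 28) for _ in range(5)]

if __name__ == "__main__":
    for name, series in (("healthy", HEALTHY), ("stuck", STUCK)):
        print(name, assess_checkheaps(series))
```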

Impossible Travel

The threat actor has been observed using stolen credentials to establish authenticated VPN sessions. All observed connections originated from within the continental United States but spanned widely separated geographic locations, sometimes thousands of miles apart. Administrators should scrutinize even valid-looking VPN connections by profiling source IPs for signs of “impossible travel", which may indicate malicious activity. Impossible travel occurs when the same user account connects from two different locations within a time frame shorter than what would be feasible by conventional air travel.
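
An added example (not Cisco's code) of an impossible-travel check over VPN session records: consecutive sessions of the same user from different source IPs are compared by great-circle distance and elapsed time, and any pair whose implied speed exceeds an assumed 900 km/h airliner ceiling is flagged. The records and their coordinates are constructed; in practice the latitude and longitude would come from an IP geolocation lookup performed beforehand, which is not shown here.

```python
# Added example (not from the advisory or Cisco): flag "impossible travel"
# between successive VPN sessions of the same user account.
import math
from datetime import datetime

MAX_SPEED_KMH = 900.0     # assumed ceiling for conventional air travel
MIN_DISTANCE_KM = 100.0   # assumed: ignore small jumps from geolocation imprecision


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def find_impossible_travel(sessions, max_speed_kmh=MAX_SPEED_KMH):
    """sessions: dicts with user, time (datetime), ip, lat, lon. Coordinates are
    assumed to come from a prior IP geolocation lookup. Returns one finding per
    consecutive session pair whose implied speed exceeds max_speed_kmh; sessions
    that overlap in time from distant locations count as infinite speed."""
    by_user = {}
    for s in sessions:
        by_user.setdefault(s["user"], []).append(s)
    findings = []
    for user, items in by_user.items():
        items.sort(key=lambda s: s["time"])
        for prev, cur in zip(items, items[1:]):
            if prev["ip"] == cur["ip"]:
                continue
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < MIN_DISTANCE_KM:
                continue
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600.0
            speed = math.inf if hours <= 0 else km / hours
            if speed > max_speed_kmh:
                findings.append({
                    "user": user, "from_ip": prev["ip"], "to_ip": cur["ip"],
                    "distance_km": round(km), "hours": round(hours, 2),
                    "speed_kmh": speed,
                })
    return findings


# Constructed sessions using approximate coordinates for New York, Los Angeles,
# Chicago and Denver. jdoe "travels" coast to coast in 40 minutes; asmith does
# Chicago to Denver in six hours, which is feasible.
SESSIONS = [
    {"user": "jdoe", "time": datetime(2025, 9, 28, 9, 0), "ip": "192.0.2.10", "lat": 40.71, "lon": -74.01},
    {"user": "jdoe", "time": datetime(2025, 9, 28, 9, 40), "ip": "198.51.100.20", "lat": 34.05, "lon": -118.24},
    {"user": "asmith", "time": datetime(2025, 9, 28, 8, 0), "ip": "203.0.113.5", "lat": 41.88, "lon": -87.63},
    {"user": "asmith", "time": datetime(2025, 9, 28, 14, 0), "ip": "203.0.113.77", "lat": 39.74, "lon": -104.99},
]

if __name__ == "__main__":
    for f in find_impossible_travel(SESSIONS):
        print(f"{f['user']}: {f['from_ip']} -> {f['to_ip']}, {f['distance_km']} km in "
              f"{f['hours']} h (~{f['speed_kmh']:.0f} km/h)")
```

Because the observed activity stayed inside the continental United States, a country-level allow list would not have caught it; the check above keys on distance and time rather than on country, which is what the guidance calls for.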

Bootloader and/or ROMMON Verification Failure

Customers upgrading Cisco ASA 5512-X, 5515-X, 5525-X, 5545-X, or 5555-X devices to ASA Software Release 9.12.4.72 or 9.14.4.28 should check disk0: for the presence of a file named firmware_update.log. If this file exists, it may indicate the device was compromised prior to the upgrade. In such cases, customers should open a case with Cisco TAC and provide both the show tech-support output and the contents of the firmware_update.log file.

Administrators should also monitor console output during the first boot after the upgrade. The following sequence of messages indicates that no persistence mechanism was detected (message IDs may vary):

Message #113 : Verifying bootloader:
Message #114 : .
Message #115 : .
Message #116 : .
Message #117 : Bootloader verification succeeded.
Message #118 : Verifying ROMMON:
Message #119 : .
Message #120 : .
Message #121 : .
Message #122 : .
Message #123 : ROMMON verification succeeded.

If instead the messages begin with “Bootloader verification failed at address” or “ROMMON verification failed at address” this indicates that the persistence mechanism was present on the device. In such cases, the system will write or update the firmware_update.log file and then automatically reboot into a clean image. However, the presence of these failure messages means the device was previously compromised, and it must be treated as untrusted. Customers should immediately open a case with Cisco TAC and perform full forensic investigation and remediation.

Triskele Labs DefenceShield customers with Assess service (Vulnerability Scanning) are currently being scanned. All customers with our Monitor service (24x7x365 Managed Detection and Response) are - as always - being monitored closely for related Indicators of Compromise (IOC) and Tactics, Techniques and Procedures (TTP). 


References