The attacks, which have been ongoing since May 2025, have recently resulted in a new, critical variant that requires immediate action from customers to avoid serious disruptions.
On November 5, 2025, Cisco released an update announcing its awareness of a new attack variant. This variant targets unpatched devices and exploits vulnerabilities (designated CVE-2025-20333 and CVE-2025-20362) to cause a Denial of Service (DoS) condition. This results in an unexpected restart of firewall devices, potentially leading to a temporary network security outage.
Cisco urges all affected customers to immediately upgrade to the corrected software versions to eliminate the risk of DoS attacks.
Cisco describes the attack campaign as highly sophisticated. Initial observations in May 2025 involved compromises of certain ASA 5500-X Series devices with enabled VPN web services. The attackers’ goal was to install malware, execute commands, and potentially steal data.
Cisco notes that the attackers exploited multiple zero-day vulnerabilities (security flaws that were previously unknown to the vendor). They also used advanced evasion techniques, such as disabling logging and deliberately crashing devices to hinder forensic investigations.
The company estimates with high confidence that these recent activities are related to the same threat actor previously responsible for the infamous ArcaneDoor attack campaign in 2024.
A particularly concerning finding is that the attackers modified the firmware, specifically the ROMMON, on some compromised devices. This modification allowed the attackers to remain persistent within the network, even after a device reboot or software update.
This method of ensuring persistence has only been observed on older models of the Cisco ASA 5500-X Series, which lack modern security mechanisms such as Secure Boot. Cisco has found no evidence of successful compromises or persistence on newer platforms that do feature these technologies.
Customers are strongly advised to follow Cisco’s guidance to determine their exposure and apply the recommended security updates as soon as possible.