A critical zero-day vulnerability in certain Cisco Systems firewalls has to be patched immediately, US and UK cyber authorities warned Thursday.
They said exploitation of the flaw is part of ongoing attacks on these and other network perimeter devices.
The UK’s National Cyber Security Centre (NCSC) called the alert from Cisco a “significant update” on a malicious campaign against perimeter network devices which was exposed last year and dubbed ArcaneDoor. And the US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive ordering federal departments to identify, analyze, and mitigate potential compromises.
The new vulnerability, CVE-2025-20363, is caused by improper validation of user-supplied input in HTTP requests, Cisco said.
An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web service on an affected device, after obtaining additional information about the system, overcoming exploit mitigations, or both.
A successful exploit could allow the attacker to execute arbitrary code as root, which may lead to the complete compromise of the device.
Affected are devices running Cisco Secure Firewall Adaptive Security Appliance (ASA) software, Cisco Secure Firewall Threat Defense (FTD) software, as well as devices running Cisco IOS, IOS XE and IOS XR software.
Two scenarios
There are two attack scenarios:
an unauthenticated, remote attacker could execute arbitrary code on devices running Cisco ASA or FTD software that have one or more vulnerable configurations;
an authenticated, remote attacker with low user privileges could execute arbitrary code on devices running Cisco IOS, IOS XE or IOS XR. Note, however, that devices running IOS or IOS XE are only affected if they have the Remote Access SSL VPN feature enabled, and devices running IOS XR are only affected if they are Cisco ASR 9001 routers with the HTTP server enabled.
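The two scenarios above reduce to a handful of configuration conditions, which makes a first-pass inventory triage easy to script. The following is an added example (not Cisco's code or tooling): it walks a constructed inventory of devices and flags each one against the conditions described above. The specific configuration keywords it matches are assumptions that must be checked against the Cisco advisory and the local configuration style: an ASA/FTD `webvpn` block with `enable <interface>` is treated as a vulnerable web-service configuration, an IOS/IOS XE `webvpn gateway` that is `inservice` as Remote Access SSL VPN, and a top-level `http server` line on an ASR 9001 as the IOS XR condition. The sample configurations are constructed. This is a scoping aid for deciding what to patch first; it does not replace the version check against the fixed releases in the advisory.

```python
"""Triage helper for the exposure conditions in the advisory summary above.

Added example, not Cisco's code.  Keyword matches (webvpn/enable on ASA,
webvpn gateway/inservice on IOS, http server on IOS XR) are assumptions to be
confirmed against the Cisco advisory; all sample data is constructed.
"""
import re

# Constructed sample inventory: (device name, OS, model, running-config excerpt).
SAMPLE_INVENTORY = [
    ("asa-edge-1", "ASA", "ASA5525-X",
     "hostname asa-edge-1\nwebvpn\n enable outside\n anyconnect enable\n"),
    ("asa-lab-1", "ASA", "ASA5516-X",
     "hostname asa-lab-1\nwebvpn\n anyconnect image disk0:/anyconnect.pkg 1\n"),
    ("ios-branch-1", "IOS XE", "ISR4331",
     "hostname ios-branch-1\nwebvpn gateway ssl-gw\n ip address 203.0.113.10 port 443\n inservice\n"),
    ("ios-core-1", "IOS", "C6807-XL",
     "hostname ios-core-1\nip http server\n"),          # http server alone is not the IOS condition
    ("xr-asr9001-1", "IOS XR", "ASR 9001",
     "hostname xr-asr9001-1\nhttp server\n"),
    ("xr-asr9006-1", "IOS XR", "ASR 9006",
     "hostname xr-asr9006-1\nhttp server\n"),           # wrong platform for the IOS XR condition
]


def _block_children(config: str, header_re: str) -> list[str]:
    """Return the indented lines under every top-level block whose header matches header_re."""
    children, in_block = [], False
    for raw in config.splitlines():
        if raw and not raw[0].isspace():          # top-level line: start or end a block
            in_block = bool(re.match(header_re, raw))
            continue
        if in_block and raw.strip():
            children.append(raw.strip())
    return children


def assess_exposure(os_name: str, model: str, config: str) -> tuple[bool, str]:
    """Classify one device as (exposed, reason) under the two scenarios above."""
    osn = os_name.strip().upper()

    if osn in ("ASA", "FTD"):
        # Unauthenticated scenario. Assumption: SSL VPN enabled on an interface
        # ("enable <interface>" inside the webvpn block) is a vulnerable configuration.
        if any(re.match(r"enable \S+", line) for line in _block_children(config, r"^webvpn\s*$")):
            return True, "ASA/FTD: web VPN enabled on an interface (unauthenticated scenario)"
        return False, "ASA/FTD: no web VPN service enabled in this excerpt"

    if osn in ("IOS", "IOS XE"):
        # Authenticated scenario, only with Remote Access SSL VPN enabled.
        # Assumption: a "webvpn gateway" block that is "inservice".
        if "inservice" in _block_children(config, r"^webvpn gateway \S+"):
            return True, "IOS/IOS XE: Remote Access SSL VPN gateway in service (authenticated scenario)"
        return False, "IOS/IOS XE: Remote Access SSL VPN not enabled"

    if osn == "IOS XR":
        # Authenticated scenario, only on ASR 9001 with the HTTP server enabled.
        is_asr9001 = "ASR9001" in re.sub(r"[\s-]", "", model).upper()
        http_on = any(re.match(r"http server\b", line) for line in config.splitlines())
        if is_asr9001 and http_on:
            return True, "IOS XR on ASR 9001 with HTTP server enabled (authenticated scenario)"
        return False, "IOS XR: not an ASR 9001 with HTTP server enabled"

    return False, f"{os_name}: not in the scope of this advisory summary"


def triage(inventory) -> list[dict]:
    """Run assess_exposure over an inventory of (name, os, model, config) tuples."""
    return [
        {"device": name, "exposed": exposed, "reason": reason}
        for name, os_name, model, config in inventory
        for exposed, reason in [assess_exposure(os_name, model, config)]
    ]


def exposed_devices(inventory) -> list[str]:
    """Names of devices that need patching first under the conditions above."""
    return [r["device"] for r in triage(inventory) if r["exposed"]]


if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        print(f"{r['device']:<14} {'EXPOSED' if r['exposed'] else 'ok     '}  {r['reason']}")
```

Feed it real `show running-config` output per device; the point of the IOS and ASR 9006 entries is to show that a plain `ip http server` on IOS, or `http server` on a non-9001 IOS XR box, does not by itself meet the conditions the advisory summary sets out.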
Cisco has released software updates that address this vulnerability, and strongly recommends that customers quickly upgrade to a fixed software release. There are no workarounds that address this issue.
“It is critical for organizations to take note of the recommended actions highlighted by Cisco today, particularly on detection and remediation,” said Ollie Whitehouse, chief technology officer of the UK cyber center. “We strongly encourage network defenders to follow vendor best practices and engage with the NCSC’s malware analysis report to assist with their investigations.”
ASA 5500-X hit with multiple attacks
Cisco ASA 5500-X series models are affected, but Whitehouse noted some will be out of support starting this month. Where practicable, he said, such devices should be replaced or upgraded, because obsolete and end-of-life devices present a significant security risk to organizations.
“Systems and devices should be promptly migrated to modern versions to address vulnerabilities and strengthen resilience,” he said.
In fact, Cisco also said Thursday that it had found new activity specifically targeting the ASA 5500-X series, involving two further vulnerabilities, CVE-2025-20333 and CVE-2025-20362, in addition to CVE-2025-20363.
In a background report outlining its response to the attacks, the company said that during its forensic analysis of confirmed compromised devices it found that in some cases the threat actor had modified the ROMMON firmware on Cisco devices. This firmware acts as a low-level bootloader and recovery tool that initializes hardware and loads the main operating system. Altering it allows the threat actor to maintain persistence across reboots and software upgrades, so upgrading the software on an already compromised device does not by itself evict the intruder.
However, Cisco added, these modifications were seen only on ASA 5500-X Series platforms released before its Secure Boot and Trust Anchor technologies were developed. Cisco has not seen successful compromise, malware implantation, or the existence of a persistence mechanism on platforms that support Secure Boot and Trust Anchors.
Take devices offline until patched: Analyst
A large probing attack against Cisco devices was reported in August, noted Robert Beggs, head of Canadian incident response firm DigitalDefence. At the time, he said, it was suggested that this would be a prelude to a widespread vulnerability exploitation. “In this case, at least, the Cisco vulnerability was expected,” he said. “The detection of wide-scale probing of devices appears to be a reliable predictor of a following attack.”
Because the vulnerabilities at the root of the attack can both be remotely exploited, affected devices should be taken offline until the patch is applied and verified to be in place, Beggs recommended.
It’s telling “and somewhat startling,” he added, that the CISA directive asks US federal agencies to supply memory files for forensic analysis on a “near immediate” timeline for all public-facing Cisco ASA hardware appliances.
Thursday’s warning of critical vulnerabilities in Cisco products follows other recent alerts, he said, pointing out that several other critical vulnerabilities were identified in Cisco products this summer. These are good arguments for CSOs to implement a zero trust architecture, he said, especially for monitoring sources of updates and applying them to products in accordance with the risk they present to the organization.