Cisco has issued an urgent security advisory, urging customers to patch two critical zero-day vulnerabilities affecting the VPN web server components of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software. These flaws are actively exploited in the wild, posing a severe risk to organizations relying on these perimeter security devices.
In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released Emergency Directive 25-03, instructing federal agencies to immediately identify, analyze, and mitigate any compromises stemming from these vulnerabilities.
Vulnerability Details
The two zero-day vulnerabilities are:
- CVE-2025-20333 (CVSS 9.9): Improper validation of user-supplied input in HTTP(S) requests that allows an authenticated, remote attacker with valid VPN user credentials to execute arbitrary code as root on the affected device by sending crafted HTTP requests.
- CVE-2025-20362 (CVSS 6.5): Improper validation of user-supplied input in HTTP(S) requests that allows an unauthenticated, remote attacker to access restricted URL endpoints without authentication by sending crafted HTTP requests.
Root Cause
Both vulnerabilities originate from improper validation of user-supplied input in HTTP(S) requests. This insufficient validation enables attackers to inject malicious code or gain unauthorized access by sending carefully crafted HTTP requests.
Impact & Exploit Potential
- CVE-2025-20333: An attacker with valid VPN credentials can execute arbitrary code as root, gaining full control of the affected device.
- CVE-2025-20362: An unauthenticated attacker can access restricted URL endpoints, potentially exposing sensitive information or enabling further unauthorized actions.
It is suspected these vulnerabilities are being chained together to bypass authentication and execute malicious code on vulnerable appliances.
Affected Products
- Cisco Secure Firewall Adaptive Security Appliance (ASA) Software
- Cisco Secure Firewall Threat Defense (FTD) Software
Tactics, Techniques, and Procedures (TTPs)
- TA0001 – Initial Access: Exploiting public-facing applications to gain initial access.
- TA0005 – Execution: Executing commands and scripts for malicious actions.
- TA0003 – Persistence: Manipulating read-only memory (ROM) to persist through reboots and upgrades.
- TA0004 – Defense Evasion: Using valid accounts to blend in with normal traffic and bypass security.
- T1190 – Exploit Public-Facing Application: Targeting publicly accessible application vulnerabilities.
- T1059 – Command and Scripting Interpreter: Utilizing command-line interfaces for malicious activity.
- T1542 – Pre-OS Boot: Modifying ROM to maintain persistence.
- T1078 – Valid Accounts: Using compromised credentials for unauthorized access.
The threat actor UAT4356 (aka Storm-1849) has demonstrated the ability to modify ASA ROM since 2024. This campaign is linked to the Arcane Door threat cluster, which targets perimeter network devices and deploys malware families such as Line Runner and Line Dancer.
Mitigation & Recommendations
- Apply patches as soon as they are released by Cisco.
- Federal agencies must comply with CISA’s emergency directive (ED 25-03) to identify, analyze, and mitigate compromises within 24 hours.
Instantly Fix Risks with Saner Patch Management
Saner patch management is continuous, automated, and integrated software that instantly fixes risks exploited in the wild. It supports major operating systems such as Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to validate patches before deploying them to the production environment. Saner patch management additionally supports patch rollback in case of a patch failure or system malfunction.
Experience the fastest and most accurate patching software here.