
The US Cybersecurity and Infrastructure Security Agency (CISA) is warning of three previously unknown Cisco vulnerabilities being exploited in the wild, releasing an emergency directive on Thursday to patch affected devices in the next 24 hours.
- CISA orders federal agencies to patch Cisco ASA/Firepower flaws within 24 hours due to active exploitation.
- Two zero-days tied to the 2024 ArcaneDoor espionage campaign can enable remote code execution and privilege escalation.
- Cisco advises organizations that there are currently no workarounds and to upgrade devices immediately.

CISA said the “advanced threat actor” behind the widespread campaign is exploiting several zero-day vulnerabilities in Cisco security devices, presenting “a significant risk to victim networks.”
The flaws could lead to unauthenticated remote code execution on Cisco Adaptive Security Appliances (ASA), as well as manipulation of read-only memory (ROM) to persist through reboot and system upgrade, the CISA advisory states.
CISA identified two of the critical vulnerabilities as already being exploited in the wild: CVE-2025-20333 (CVSS score 9.9), which allows for remote code execution, and CVE-2025-20362 (CVSS score 6.5), which allows for privilege escalation.
Another bug, CVE-2025-20363 (CVSS score 9.0), was identified on Cisco’s website, also on Thursday. It is also considered to be at high risk for remote code execution, although no instances have been reported yet.
🚨 Cyber threat actors are exploiting newly identified zero-day vulnerabilities in Cisco Adaptive Security Appliances via web services, posing significant risk. Federal agencies must act immediately and follow the guidance in Emergency Directive 25-03. 🔗 https://t.co/4DMWopRPtr
CISA Cyber (@CISACyber), September 25, 2025
Used in federal government systems, Cisco ASAs are described as “multi-purpose security devices” that provide “firewall, antivirus, intrusion protection, and VPN capabilities,” reported tech writer Ross Heintzkill.
This has prompted CISA to direct all federal agencies to inventory all Cisco ASA and Firepower hardware devices, scan for compromise, disconnect end-of-support devices, and immediately patch any devices to remain in service – all within the next 24 hours to harden systems.
Hallmarks of the ArcaneDoor espionage campaign
Cisco has attributed the advanced persistent threat (APT) to an active campaign, dubbed ArcaneDoor, first discovered by its Talos threat intelligence arm back in April 2024.
“We assess with high confidence this activity is related to same threat actor as ArcaneDoor in 2024,” Talos researchers said in an update to the original advisory.
The threat actors behind the campaign, referred to as UAT4356 or Storm 1849, were also described as having an “in-depth knowledge of the (Cisco) devices that they targeted.”
Two backdoors, “Line Runner” and “Line Dancer,” were deployed by UAT4356 in 2024 and used to carry out nefarious actions such as “configuration modification, reconnaissance, network traffic capture/exfiltration, and potentially lateral movement.”
Talos noted that, overall, state-sponsored actors often target perimeter network devices, calling them “the perfect intrusion point for espionage-focused campaigns.” Talos, which has witnessed a dramatic increase in these attacks since 2022, says UAT4356 has been known for targeting organizations in the telecommunications and energy sectors.
“Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic, and monitor network communications,” it said.
The security company reminds organizations that, besides practicing robust patching of their devices and always using the latest versions of its hardware and software, security teams must also closely monitor the appliances for malicious activity.
The Cisco advisory states there are currently no workarounds to fix the vulnerabilities, and strongly recommends that customers upgrade to one of the fixed software releases and follow the guidance found in the security advisories.
Affected equipment that should be updated includes all Cisco ASA platforms (ASA hardware, ASA-Service Module [ASA-SM], ASA Virtual [ASAv], and ASA firmware on Firepower 2100/4100/9300), plus all Cisco Firepower Threat Defense (FTD) appliances.