Business Honor
12 November, 2025
ArcaneDoor attackers exploit vulnerabilities in older ASA 5500-X devices; Cisco urges immediate patching
Cisco confirmed that two critical zero-day vulnerabilities, tracked as CVE-2025-20333 and CVE-2025-20362, in Cisco ASA 5500-X Series and Secure Firewall devices are being actively exploited by attackers. The vulnerabilities can be used to gain remote access, deploy malware, execute arbitrary code and, in some cases, cause denial-of-service (DoS) reboots on unpatched devices.
The attacks, first identified in May 2025, have been attributed to the ArcaneDoor threat actor. Cisco adds that this is an advanced attack method, not new malware. Attackers are leveraging VPN web services on ASA models that are older and do not have either Secure Boot or Trust Anchor protection. Advanced evasion tactics include log disabling, tampering with ROMMON firmware, intercepting commands over the CLI, and intentional crashing of devices, allowing attackers to remain persistent and undetected even after reboots.
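Two of the evasion tactics described above, disabling logging and deliberately crashing the device, leave traces that a defender can look for in the syslog stream the firewall sends off-box before logging is switched off. The following is an added example, not Cisco's tooling or code from the advisory: it scans constructed sample lines written in the general shape of ASA syslog output (the message IDs and the command-audit wording are assumptions) and flags commands that silence logging, plus a startup message that was not preceded by an operator-issued `reload` on the same host.

```python
import re
from typing import List, Tuple

# General shape of an ASA syslog line: timestamp, host, %ASA-<severity>-<id>: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%ASA-\d-(?P<id>\d+): (?P<msg>.*)$"
)
# Command-audit text (assumed wording): User 'x', running 'CLI' from IP a.b.c.d, executed 'cmd'
CMD_RE = re.compile(r"User '(?P<user>[^']*)'.*executed '(?P<cmd>[^']*)'")
# Commands that weaken or silence device logging (assumed list, extend for your environment)
LOG_DISABLE_RE = re.compile(r"^no logging (enable|buffered|trap|host|console|monitor)\b")
STARTUP_MARKER = "Startup completed"  # text of the post-boot message (assumed)

def find_suspicious(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (host, finding, detail) tuples for log-disabling commands and unexplained reboots."""
    findings: List[Tuple[str, str, str]] = []
    expected_reload = set()  # hosts where an operator issued 'reload' before the next startup
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an ASA-shaped line; ignore
        host, msg = m.group("host"), m.group("msg")
        cmd_m = CMD_RE.search(msg)
        if cmd_m:
            cmd = cmd_m.group("cmd").strip()
            if LOG_DISABLE_RE.match(cmd):
                findings.append((host, "logging_disabled", cmd))
            elif cmd == "reload" or cmd.startswith("reload "):
                expected_reload.add(host)  # a later startup on this host is explained
            continue
        if STARTUP_MARKER in msg:
            if host in expected_reload:
                expected_reload.discard(host)
            else:
                findings.append((host, "unexpected_reboot", msg))
    return findings

# Constructed sample lines (not real device output): one host has logging silenced and then
# restarts with no reload command; the other is reloaded by an operator, which is benign.
SAMPLE_LOG = [
    "Nov 10 2025 02:14:07 asa-edge-1 %ASA-5-111010: User 'admin', running 'CLI' from IP 10.20.0.5, executed 'no logging buffered'",
    "Nov 10 2025 02:15:30 asa-edge-1 %ASA-6-199002: Startup completed. Beginning operation.",
    "Nov 10 2025 09:00:01 asa-edge-2 %ASA-5-111010: User 'netops', running 'CLI' from IP 10.20.0.8, executed 'reload'",
    "Nov 10 2025 09:03:12 asa-edge-2 %ASA-6-199002: Startup completed. Beginning operation.",
    "Nov 10 2025 09:05:00 asa-edge-2 %ASA-5-111010: User 'netops', running 'CLI' from IP 10.20.0.8, executed 'show version'",
]

if __name__ == "__main__":
    for host, kind, detail in find_suspicious(SAMPLE_LOG):
        print(f"{host}: {kind}: {detail}")
```

A device that simply stops sending syslog after such a command is itself a signal, so pair this with a heartbeat check on each firewall's log volume.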
According to Cisco, the attack was highly sophisticated and required the company's engineering and security teams to respond together. To secure affected devices, Cisco recommends that users identify the models and firmware versions in use, then upgrade to patched versions or temporarily disable SSL/TLS-based VPN web services. Devices that have been compromised should be reset to factory defaults, and all passwords, certificates and keys should be replaced.
Importantly, so far only ASA 5500-X devices, which are older and unsupported, have been confirmed compromised. Newer Secure Boot-enabled Cisco firewalls appear impervious to the attacks, which reinforces the need to upgrade hardware as soon as possible. Cisco's warning is a critical reminder for companies to keep their firewalls up to date and to monitor them for suspicious activity. Cisco ASA customers are encouraged to take immediate action, as a matter of good practice, to minimize the risk from such sophisticated zero-day attacks.