Headline
CISA Warns of Active Attacks on Cisco ASA and Firepower Flaws
CISA issues an urgent directive for all organizations to patch Cisco ASA and Firepower devices against CVE-2025-20362 and CVE-2025-20333, exploited in the ArcaneDoor campaign. Verify the correct version now!
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a strong warning regarding critical vulnerabilities in Cisco’s Adaptive Security Appliances (ASA) and Firepower devices, which are essential for network security. These systems are, reportedly, being actively targeted by attackers.
****The Two Big Problems****
Two specific flaws, tracked as CVE-2025-20362 and CVE-2025-20333, are the main concern. CVE-2025-20362 allows an attacker to bypass the login requirement and access a restricted area of the device. This then enables the second, more dangerous flaw (CVE-2025-20333), which allows the attacker to run their own malicious code as the ‘root’ user, possibly leading to complete control of the affected device.
Reportedly, these two vulnerabilities are being collectively used by attackers in a campaign called ArcaneDoor to gain full control of the affected systems. Cisco first fixed these problems in September, but the threat from these active exploits continues, posing a risk to data and systems everywhere.
****The Patching Problem****
CISA’s Emergency Directive 25-03 (issued September 25) required immediate fixes. However, many organisations, including federal agencies, mistakenly believed they had updated their devices, with CISA finding that systems marked as ‘patched’ were actually still running vulnerable software.
The biggest issue CISA found is that simply updating wasn’t enough; organisations needed the correct minimum software version. For instance, Cisco ASA Release 9.12 requires version 9.12.4.72, and Release 9.14 requires 9.14.4.28, often accessible via a Special Release Download. CISA stresses that all Cisco ASA and Firepower devices must be updated immediately.
Organisations must update all Cisco ASA and Firepower devices, not just the ones facing the public internet. If devices were updated after September 26, 2025, or are still running vulnerable versions, CISA recommends additional steps to check for and remove any remaining threats.
****New Attacks Emerge****
Adding to the worries, Cisco also warned of a new variant of the attack, which can cause unpatched Cisco devices to suddenly stop working and restart (a denial of service or DoS condition). This new attack was noticed on November 5, 2025, highlighting the urgent need for all customers to immediately install the fixes released by Cisco.
****Expert perspectives****
Gunter Ollmann, CTO at Cobalt, shared exclusively with Hackread.com that the nature of these flaws, which target devices on the edge of a network, is particularly attractive to attackers because they allow the hackers to bypass many inner network defences. Ollmann notes that:
“The challenge is that organisations still struggle to validate their exposure in real-world terms, even when patches exist. Offensive testing helps reveal whether the environment behaves as expected after updates and whether an attacker could still traverse overlooked paths. Mature programs treat patching as the starting point, not the finish line, and use adversarial validation to catch residual gaps before threat actors do.”
Wade Ellery, Chief Evangelist at Radiant Logic, also speaking exclusively to Hackread.com, explains that once attackers breach devices like firewalls, their next goal is usually stealing user login information, and perimeter flaws that quickly lead to risks within user identity systems.
“The limitation is that many organisations still operate with fragmented identity data, making it hard to detect suspicious changes that follow network intrusions. Strengthening identity observability provides the context needed to spot anomalies early and contain lateral movement before privileges accumulate. Agencies that unify and observe identity data will be better positioned to absorb these infrastructure-level shocks and maintain Zero Trust resilience,” Ellery stated.
Related news
Behind every click, there’s a risk waiting to be tested. A simple ad, email, or link can now hide something dangerous. Hackers are getting smarter, using new tools to sneak past filters and turn trusted systems against us. But security teams are fighting back. They’re building faster defenses, better ways to spot attacks, and stronger systems to keep people safe. It’s a constant race — every
Behind every click, there’s a risk waiting to be tested. A simple ad, email, or link can now hide something dangerous. Hackers are getting smarter, using new tools to sneak past filters and turn trusted systems against us. But security teams are fighting back. They’re building faster defenses, better ways to spot attacks, and stronger systems to keep people safe. It’s a constant race — every
Cisco on Wednesday disclosed that it became aware of a new attack variant that's designed to target devices running Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software releases that are susceptible to CVE-2025-20333 and CVE-2025-20362. "This attack can cause unpatched devices to unexpectedly reload, leading to denial-of-service
Cisco on Wednesday disclosed that it became aware of a new attack variant that's designed to target devices running Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software releases that are susceptible to CVE-2025-20333 and CVE-2025-20362. "This attack can cause unpatched devices to unexpectedly reload, leading to denial-of-service
New reports show China-based hackers are targeting US federal, state, and global government networks via unpatched Cisco firewalls. Get the full details and necessary steps to secure devices.
Threat intelligence firm GreyNoise disclosed on Friday that it has observed a spike in scanning activity targeting Palo Alto Networks login portals. The company said it observed a nearly 500% increase in IP addresses scanning Palo Alto Networks login portals on October 3, 2025, the highest level recorded in the last three months. It described the traffic as targeted and structured, and aimed
Threat intelligence firm GreyNoise disclosed on Friday that it has observed a spike in scanning activity targeting Palo Alto Networks login portals. The company said it observed a nearly 500% increase in IP addresses scanning Palo Alto Networks login portals on October 3, 2025, the highest level recorded in the last three months. It described the traffic as targeted and structured, and aimed
Cybersecurity never stops—and neither do hackers. While you wrapped up last week, new attacks were already underway. From hidden software bugs to massive DDoS attacks and new ransomware tricks, this week’s roundup gives you the biggest security moves to know. Whether you’re protecting key systems or locking down cloud apps, these are the updates you need before making your next security
Cybersecurity never stops—and neither do hackers. While you wrapped up last week, new attacks were already underway. From hidden software bugs to massive DDoS attacks and new ransomware tricks, this week’s roundup gives you the biggest security moves to know. Whether you’re protecting key systems or locking down cloud apps, these are the updates you need before making your next security
The U.K. National Cyber Security Centre (NCSC) has revealed that threat actors have exploited the recently disclosed security flaws impacting Cisco firewalls as part of zero-day attacks to deliver previously undocumented malware families like RayInitiator and LINE VIPER. "The RayInitiator and LINE VIPER malware represent a significant evolution on that used in the previous campaign, both in
The U.K. National Cyber Security Centre (NCSC) has revealed that threat actors have exploited the recently disclosed security flaws impacting Cisco firewalls as part of zero-day attacks to deliver previously undocumented malware families like RayInitiator and LINE VIPER. "The RayInitiator and LINE VIPER malware represent a significant evolution on that used in the previous campaign, both in
Cisco is urging customers to patch two security flaws impacting the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software, which it said have been exploited in the wild. The zero-day vulnerabilities in question are listed below - CVE-2025-20333 (CVSS score: 9.9) - An improper validation of user-supplied input
Cisco is urging customers to patch two security flaws impacting the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software, which it said have been exploited in the wild. The zero-day vulnerabilities in question are listed below - CVE-2025-20333 (CVSS score: 9.9) - An improper validation of user-supplied input