News

Cisco firewalls hit by fresh attack wave using two zero-days; Cisco urges upgrades and full resets

Cisco has warned of a renewed campaign targeting Adaptive Security Appliance (ASA) and Secure Firewall devices, with attackers updating their techniques to exploit two previously undisclosed zero-day flaws and maintain stealthy persistence on older hardware.

In an event response update, Cisco said it has observed a new attack variant since early November that abuses CVE-2025-20333 and CVE-2025-20362 against ASA 5500-X Series and Secure Firewall devices with VPN web services exposed. The company linked the activity to the same adversary behind the ArcaneDoor campaign reported in 2024 and assessed that older models lacking Secure Boot and Trust Anchor protections are the primary victims.

The operation began in May 2025 and has evolved to prioritise evasion. Cisco reports that intruders disable logging, intercept CLI commands, tamper with ROMMON firmware for persistence, and in some cases trigger repeated reboots that can disrupt networks. Recent activity also includes denial-of-service-style reboot loops that abuse the same flaws.

Cisco’s guidance is immediate and prescriptive. Identify affected models and software versions, confirm whether SSL/TLS VPN web services are enabled, apply fixed ASA or FTD releases, or temporarily disable the VPN web interface if patching cannot be completed. For devices suspected of compromise, perform a factory reset, then rotate all passwords, certificates, and keys. Cisco emphasises that platforms with Secure Boot and Trust Anchor have not shown successful compromise or ROMMON modification in this campaign, and urges customers to upgrade off end-of-support ASA 5500-X hardware.
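As an added example (not Cisco's tooling or guidance text), the following Python parses a constructed ASA running-config excerpt and flags the exposure the advisory describes: the VPN web interface enabled on an untrusted (security-level 0) interface. It assumes standard ASA configuration syntax (`interface`/`nameif`/`security-level` stanzas and `enable <nameif>` under `webvpn`).

```python
"""Flag ASA configs where webvpn listens on an untrusted interface (added example)."""
import re

# Constructed `show running-config` excerpt; not captured from any real device.
SAMPLE_CONFIG = """\
ASA Version 9.12(4)
hostname edge-fw-01
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
!
webvpn
 enable outside
 anyconnect enable
"""

def parse_config(config):
    """Return (security level by nameif, interfaces with webvpn enabled)."""
    levels, webvpn_ifaces = {}, []
    section, nameif = None, None
    for line in config.splitlines():
        if not line.startswith(" "):          # a new top-level stanza begins
            section = line.strip().split(" ")[0]
            nameif = None
            continue
        m = re.match(r"\s+nameif\s+(\S+)", line)
        if section == "interface" and m:
            nameif = m.group(1)
        m = re.match(r"\s+security-level\s+(\d+)", line)
        if section == "interface" and m and nameif:
            levels[nameif] = int(m.group(1))
        m = re.match(r"\s+enable\s+(\S+)", line)
        if section == "webvpn" and m:
            webvpn_ifaces.append(m.group(1))
    return levels, webvpn_ifaces

def exposed_interfaces(config):
    """Interfaces where webvpn is enabled at security-level 0; an interface with
    no known level is treated as untrusted so the check errs on the side of alerting."""
    levels, webvpn_ifaces = parse_config(config)
    return [i for i in webvpn_ifaces if levels.get(i, 0) == 0]

def mitigation_commands(config):
    """webvpn config-mode lines that stop the web interface on exposed interfaces,
    i.e. the temporary mitigation the advisory describes when patching must wait."""
    return [f"no enable {i}" for i in exposed_interfaces(config)]
```

Run it against the output of `show running-config` on each ASA in the estate; any device that reports an exposed interface belongs on the patch-or-disable list.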

Security teams should expect iterative changes as patches roll out and attacker tradecraft adapts.

Photo Credit: DepositPhotos.com
