Cisco Firewalls Under Continued Attack By ArcaneDoor Threat Actor


Cisco has issued an emergency warning and patches following the active exploitation of two critical zero-day vulnerabilities in its Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) software. The attacks are linked to a sophisticated, likely nation-state espionage campaign dubbed “ArcaneDoor.”

The continued campaign is focused on compromising network security devices to achieve deep persistence, exfiltrate data, and evade detection, primarily targeting older, unsupported hardware. This represents one of the most serious supply chain threats to network perimeter defenses this year.

The Vulnerabilities and Affected Systems

The two security flaws leveraged by the ArcaneDoor attackers are tracked as:

  • CVE-2025-20333 (CVSS Score 9.9 – Critical): A highly severe bug in the VPN web server that allows a remote attacker, once they possess valid VPN user credentials, to execute arbitrary code with root privileges, leading to a complete compromise of the device.
  • CVE-2025-20362 (CVSS Score 6.5 – Medium): This flaw allows an unauthenticated remote attacker to access restricted URLs by sending crafted HTTP(S) requests, potentially leading to unauthorized information access.

The primary targets of successful compromise were Cisco ASA 5500-X series devices (including models 5512-X, 5515-X, 5525-X, 5545-X, 5555-X, and 5585-X) that lack critical security features like Secure Boot and Trust Anchor. Many of these compromised models are either already discontinued or scheduled for end-of-life, making them more susceptible to these advanced attacks.

ArcaneDoor’s Advanced Evasion Techniques

The threat actor demonstrates extreme operational security and sophistication, specifically tailoring their attacks to exploit the hardware limitations of older ASA devices. Their goal is complete control (root privileges) to deploy malware like RayInitiator and LINE VIPER and remain hidden.

Advanced techniques observed include:

  • ROMMON Tampering for Persistence: Attackers modify the ROMMON (Read-Only Memory Monitor)—the device’s firmware bootloader—to ensure their malicious code survives device reboots and even software updates.
  • Disabling Forensics: Attackers intentionally disable logging and intercept CLI commands to blind administrators and security tools from observing their activity.
  • Crash-on-Exit: Devices were intentionally crashed to prevent deep diagnostic analysis when incident responders began to investigate, effectively wiping volatile memory and covering their tracks.

Attacker Sophistication: The Threat Actor’s Playbook

Security analysts have noted the ArcaneDoor actors employed advanced, evasive techniques designed to maintain persistence and obstruct forensic investigation. The goal of the attacks was to deploy malware (identified as RayInitiator and LINE VIPER), run commands, and exfiltrate sensitive data.

Key techniques observed include:

  • Deep Persistence: The attackers tampered with the device’s Read-Only Memory (ROM) to ensure their malware and modifications survived device reboots and software updates—a technique only possible on devices lacking modern Secure Boot functionality.
  • Evasion of Logging: They intentionally disabled logging functions, making it exceptionally difficult for network defenders to trace their activities or determine the scope of the breach.
  • Obfuscation: The threat actors were observed intercepting command-line interface (CLI) commands to hide their actions from administrators performing real-time monitoring.
  • Covering Tracks: They deliberately crashed compromised devices as a final step to prevent effective diagnostic analysis by incident responders.

Urgent Call to Action for Network Defenders

Given the critical nature and active exploitation of these vulnerabilities, government agencies globally, including the US Cybersecurity and Infrastructure Security Agency (CISA), have issued mandatory directives. CISA has added both CVEs to its Known Exploited Vulnerabilities (KEV) catalog, mandating urgent remediation.

Cisco and other security bodies recommend the following immediate actions:

  • Apply Patches Immediately: Organizations must update the affected ASA and FTD software to the fixed releases. The patch is designed to automatically check and clean up any attacker modifications to the device ROM.
  • Replace End-of-Life Devices: Vulnerable ASA 5500-X series models that are discontinued or near end-of-life should be replaced immediately with models that support modern hardware security features like Secure Boot.
  • Assume Compromise: All configuration elements, passwords, certificates, and keys on suspected or confirmed compromised Cisco firewall devices must be treated as untrusted and rotated immediately after patching.
  • Forensic Hunting: Organizations should use the detection guides released by Cisco to hunt for indicators of compromise associated with the ArcaneDoor campaign.
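To turn the first two actions above into something an operations team can run against a fleet, here is an added triage script (not from Cisco or the article) that parses `show version` output, flags the ASA 5500-X models the article names as lacking Secure Boot, and compares the running release against a fixed-release map. The `show version` line format and the sample output are assumed, and the fixed-release numbers are placeholders to be replaced with the versions from the Cisco advisory.

```python
import re

# ASA 5500-X models the article lists as lacking Secure Boot / Trust Anchor.
LEGACY_MODELS = {"ASA5512", "ASA5515", "ASA5525", "ASA5545", "ASA5555", "ASA5585"}

# PLACEHOLDER fixed releases per software train: these numbers are invented
# for illustration and must be replaced with the ones in the Cisco advisory.
FIXED_RELEASES_PLACEHOLDER = {"9.16": "9.16(4)99", "9.20": "9.20(3)99"}

_VER = re.compile(r"(\d+)\.(\d+)\((\d+)\)(\d+)?")

def parse_version(text):
    """Turn an ASA version string such as 9.16(4)67 into a comparable tuple."""
    m = _VER.search(text)
    if not m:
        raise ValueError(f"unrecognised ASA version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def train(ver):
    """Software train (major.minor) used as the key into the fixed-release map."""
    return f"{ver[0]}.{ver[1]}"

def parse_show_version(output):
    """Extract model and software version from 'show version' output (format assumed)."""
    model = re.search(r"Hardware:\s+(ASA\d+)", output).group(1)
    raw_version = re.search(r"Software Version\s+(\S+)", output).group(1)
    return model, raw_version

def triage(hostname, output, fixed=FIXED_RELEASES_PLACEHOLDER):
    """Return findings for one device: legacy hardware and/or unpatched software."""
    model, raw = parse_show_version(output)
    ver = parse_version(raw)
    findings = []
    if model in LEGACY_MODELS:
        findings.append(f"{hostname}: {model} lacks Secure Boot/Trust Anchor; plan replacement")
    fixed_ver = fixed.get(train(ver))
    if fixed_ver is None:
        findings.append(f"{hostname}: train {train(ver)} not in fixed-release map; check advisory")
    elif ver < parse_version(fixed_ver):
        findings.append(f"{hostname}: running {raw} below fixed release {fixed_ver}; patch now")
    return findings

# Constructed sample output, not captured from a real device.
SAMPLE = """Cisco Adaptive Security Appliance Software Version 9.16(4)67
Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz
"""

if __name__ == "__main__":
    for finding in triage("fw-edge-1", SAMPLE):
        print(finding)
```

Devices that produce no findings still fall under the "assume compromise" step if they were exposed while unpatched; this script only prioritises patching and replacement.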