The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning to US federal agencies. Cisco ASA (Adaptive Security Appliance) devices are under active attack via zero-day vulnerabilities in their web services. US agencies must respond to the vulnerabilities immediately and take countermeasures.
The CISA warning is contained in the tweet below and in this CISA directive for US government agencies.
CISA is aware of an ongoing exploit campaign by a sophisticated attacker targeting Cisco Adaptive Security Appliances (ASA). The campaign is widespread and involves the exploitation of zero-day vulnerabilities to achieve unauthenticated remote code execution on ASAs. In addition, it manipulates read-only memory (ROM) to persist even after a reboot and system upgrade.
This activity by the attackers poses a significant risk to the victims' networks. Cisco believes that this campaign is related to the ArcaneDoor activity identified in early 2024 and that this attacker has been able to successfully modify the ASA ROM since at least 2024.
These zero-day vulnerabilities in the Cisco ASA platform are also present in certain versions of Cisco Firepower. Secure Boot on Firepower appliances would detect the identified manipulation of the ROM. CISA has identified the following vulnerabilities:
- CVE-2025-20333: A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) software and Cisco Secure Firewall Threat Defense (FTD) software could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to insufficient validation of user input in HTTP(S) requests. An attacker with valid VPN user credentials could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code as root, which could lead to complete compromise of the affected device.
- CVE-2025-20362: A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) software and Cisco Secure Firewall Threat Defense (FTD) software could allow an unauthenticated, remote attacker to access restricted URL endpoints that normally require authentication. This vulnerability is due to improper validation of user input in HTTP(S) requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web server on the device. A successful exploit could allow the attacker to access a restricted URL without authentication.
CISA requires that these vulnerabilities be remediated immediately by taking the measures described in this directive. Bleeping Computer has compiled some additional information here.