Cisco vulnerability advisory: CVE-2025-20333 & CVE-2025-20362
Date: 26 September 2025
Ultima Business Solutions is issuing this advisory in response to the recent disclosure by Cisco of critical vulnerabilities affecting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defence (FTD) software, which have been actively exploited in the wild.
These vulnerabilities are tracked as:
CVE-2025-20333 – A critical remote code execution vulnerability (CVSS 9.9) allowing authenticated attackers to execute arbitrary code as root via crafted HTTPS requests.
CVE-2025-20362 – A medium-severity flaw (CVSS 6.5) enabling unauthenticated access to restricted URLs due to improper input validation.
These vulnerabilities are being exploited as part of a sophisticated campaign linked to the ArcaneDoor threat actor, targeting perimeter network devices. Cisco has confirmed that attackers have used advanced evasion techniques including disabling logging, intercepting CLI commands, and modifying ROMMON firmware to maintain persistence across reboots and upgrades.
Affected Devices
The vulnerabilities impact:
- Cisco ASA 5500-X Series devices running ASA Software with VPN web services enabled.
- Cisco Secure Firewall ASA and FTD platforms with SSL VPN or AnyConnect configurations.
- Devices lacking Secure Boot and Trust Anchor technologies are particularly vulnerable to persistent compromise.
Recommended Remediation Steps
Ultima strongly advises all customers to take the following immediate actions:
- Upgrade to Fixed Software Releases
  - Cisco has released patched versions of ASA and FTD software. There are no workarounds; upgrading is the only viable mitigation.
- Identify and Inventory All Cisco ASA and Firepower Devices
  - Determine whether any devices are running vulnerable configurations, especially those nearing end-of-support.
- Disconnect End-of-Life Devices
  - ASA models such as 5512-X, 5515-X, and 5585-X have been compromised and are discontinued. Models like 5525-X, 5545-X, and 5555-X will be discontinued by 30 September 2025 and should be retired.
- Conduct Forensic Analysis
  - Review logs for suppressed syslog IDs (e.g., 302013, 302014, 609002, 710005) and perform memory/core dump analysis to detect persistence mechanisms.
- Rotate Credentials
  - Change all passwords, certificates, and keys post-upgrade to eliminate potential attacker footholds.
- Review VPN Exposure
  - Reassess remote access configurations and the exposure of VPN interfaces to the internet.
- Monitor for Indicators of Compromise (IoCs)
  - Use Cisco’s Detection Guide and CISA’s Emergency Directive ED 25-03 for detailed forensic and mitigation steps.
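As an added example (not part of Ultima's advisory or Cisco's detection guide), the following Python script applies the forensic-analysis step above to an exported running-config and syslog file: it flags `no logging message` entries for the listed syslog IDs and reports watched IDs that never appear in the log window. The hostname, addresses and log lines are constructed sample data, not from a real device.

```python
"""Flag ASA syslog-message suppression for the IDs named in this advisory.

Check 1: scan a saved running-config for 'no logging message <id>' lines,
         the ASA command that silences a message ID on the appliance.
Check 2: count each watched ID in a syslog export; an ID that never
         appears in the window is reported as a gap worth investigating.
"""
import re
from collections import Counter

# Syslog IDs called out in the advisory's forensic-analysis step.
WATCH_IDS = {"302013", "302014", "609002", "710005"}

# ASA config syntax that disables a message ID.
_SUPPRESS_RE = re.compile(r"^\s*no logging message (\d+)\s*$", re.MULTILINE)
# ASA syslog header, e.g. '%ASA-6-302013: Built inbound TCP connection ...'
_SYSLOG_RE = re.compile(r"%ASA-\d-(\d{6}):")


def find_suppressed_ids(running_config: str, watch_ids=WATCH_IDS) -> set:
    """Return the watched IDs explicitly disabled in the running-config."""
    return set(_SUPPRESS_RE.findall(running_config)) & set(watch_ids)


def count_watched_ids(log_lines, watch_ids=WATCH_IDS) -> dict:
    """Return {id: count} for every watched ID, zero for IDs never seen."""
    counts = Counter(m.group(1) for line in log_lines
                     if (m := _SYSLOG_RE.search(line)))
    return {i: counts.get(i, 0) for i in sorted(watch_ids)}


def missing_ids(log_lines, watch_ids=WATCH_IDS) -> set:
    """Watched IDs absent from the export. An absent ID may simply sit below
    the configured logging level (609002 and 710005 are debug-level), so
    treat this as a lead to correlate with the config, not as proof."""
    return {i for i, n in count_watched_ids(log_lines, watch_ids).items() if n == 0}


# Constructed sample data (hostname, addresses and messages are illustrative).
SAMPLE_CONFIG = """\
hostname asa-edge-01
logging enable
logging trap informational
no logging message 302013
no logging message 609002
"""
SAMPLE_LOG = [
    "Sep 26 2025 10:00:01 asa-edge-01 %ASA-6-302014: Teardown TCP connection 1 for outside:203.0.113.5/443 ...",
    "Sep 26 2025 10:00:02 asa-edge-01 %ASA-7-710005: TCP request discarded from 203.0.113.5/51000 to outside:192.0.2.1/443",
    "Sep 26 2025 10:00:03 asa-edge-01 %ASA-6-106015: Deny TCP (no connection) from 203.0.113.9/60000 to 192.0.2.1/22 ...",
]

if __name__ == "__main__":
    print("suppressed in config:", sorted(find_suppressed_ids(SAMPLE_CONFIG)))
    print("counts in log:", count_watched_ids(SAMPLE_LOG))
    print("never seen in log:", sorted(missing_ids(SAMPLE_LOG)))
```

Run it against `show running-config` output and a syslog export from the same window; an ID that is both disabled in the config and absent from the log is the strongest signal to escalate.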
Ultima’s Support
Ultima’s Cyber & Networking team is actively assisting clients in:
- Assessing exposure and risk.
- Coordinating patch deployments.
- Conducting forensic investigations.
- Planning secure hardware upgrades where necessary.
If you suspect compromise or require assistance, please contact your Ultima account manager or our cybersecurity team immediately.