**Attackers Exploit Two Zero-Days in Cisco ASA Firewalls for Remote Access and Persistence**
Cisco has issued a warning to customers following the discovery of an ongoing attack campaign targeting companies using some of its services. The attacks exploit two critical zero-day vulnerabilities affecting Cisco ASA 5500-X Series and Secure Firewall devices.
—
### Details of the Attack
The vulnerabilities, tracked as CVE-2025-20333 and CVE-2025-20362, allow threat actors to gain remote access, execute arbitrary code, deploy malware, and in some cases, cause Denial of Service (DoS) reboots on unpatched devices.
Cisco revealed that these attacks began in May 2025. The company clarified that the “new variant” observed is not completely new malware but rather an evolved attack technique linked to the ArcaneDoor threat actor from 2024.
—
### Advanced Evasion Techniques
The attackers target VPN web services found on older ASA models that lack Secure Boot and Trust Anchor protections. To maintain persistence—even after device reboots—they disable logging and tamper with the device’s ROMMON firmware.
Cisco highlighted the use of sophisticated evasion tactics to stay undetected and impede forensic investigations, including:
- Disabling logging mechanisms
- Intercepting Command Line Interface (CLI) commands
- Intentionally crashing devices to prevent diagnostic analysis
These complex tactics required a coordinated, multi-disciplinary response from Cisco’s engineering and security teams.
—
### Mitigation and Recommendations
To protect your network, Cisco advises the following steps:
- Identify if your devices are affected and verify the firmware version.
- Check whether VPN web services are enabled on your ASA devices.
- Upgrade to the latest patched firmware versions immediately.
- As a temporary mitigation, disable SSL/TLS-based VPN web services if an upgrade is not possible right away.
- For compromised devices, perform a full factory reset before refreshing all passwords, certificates, and cryptographic keys.
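One way to script the first two checks across saved `show version` and `show running-config` output, as an added example that is not Cisco's tooling or part of the original article. It assumes that a global `webvpn` section containing `enable <interface>` and a `crypto ikev2 enable <interface> client-services` line are what mark VPN web services as enabled. The sample output is constructed, and because the article lists no fixed release numbers, the version is only reported for comparison against Cisco's advisory.

```python
import re

# Constructed sample CLI output, not captured from a real device.
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.12(4)
Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz
"""
SAMPLE_RUNNING_CONFIG = """\
hostname edge-fw01
crypto ikev2 enable outside client-services port 443
group-policy GP_STAFF attributes
 webvpn
  anyconnect keep-installer installed
webvpn
 enable outside
 anyconnect enable
"""

def parse_version(show_version):
    """Return (software_version, hardware_model); None where not found."""
    ver = re.search(r"Software Version (\S+)", show_version)
    hw = re.search(r"^Hardware:\s+([^,\s]+)", show_version, re.M)
    return (ver.group(1) if ver else None, hw.group(1) if hw else None)

def find_web_vpn_exposure(running_config):
    """Return sorted (feature, interface) pairs for enabled VPN web services."""
    findings = set()
    section = ""
    for line in running_config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line[0].isspace():
            section = line.strip()  # a column-0 line opens a new config section
            m = re.match(r"crypto ikev2 enable (\S+) client-services\b", section)
            if m:
                findings.add(("ikev2-client-services", m.group(1)))
        elif section == "webvpn":
            # Only the global webvpn section; group-policy webvpn is nested.
            m = re.match(r"\s+enable (\S+)", line)
            if m:
                findings.add(("ssl-vpn", m.group(1)))
    return sorted(findings)

if __name__ == "__main__":
    version, model = parse_version(SAMPLE_SHOW_VERSION)
    print(f"model={model} version={version} (compare with Cisco's fixed releases)")
    for feature, iface in find_web_vpn_exposure(SAMPLE_RUNNING_CONFIG):
        print(f"VPN web service enabled: {feature} on interface {iface}")
```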
—
### Important Notes
Only older, **unsupported ASA 5500-X devices** have been confirmed as compromised. Newer firewalls equipped with **Secure Boot** features appear to be resistant to these attacks.
Cisco strongly urges all customers to upgrade to Secure Boot-enabled firewall models to enhance security and minimize risk.
—
https://www.techradar.com/pro/security/cisco-firewalls-are-facing-another-huge-surge-of-attacks