
Cisco firewalls are facing another huge surge of attacks – here’s what we know about these latest issues

by Tech Wavo
November 7, 2025



  • Attackers exploit two zero-days in Cisco ASA firewalls for remote access and persistence
  • Campaign uses stealth tactics like log disabling and firmware tampering to evade detection
  • Cisco urges upgrades to Secure Boot-enabled models and full resets of compromised devices

Cisco is warning customers of an ongoing campaign against companies using some of its services, having become aware of a “new attack variant” recently.

In a new report, the company said it observed an ongoing campaign targeting Cisco ASA 5500-X Series and Secure Firewall devices. The attackers are exploiting two critical zero-day vulnerabilities, tracked as CVE-2025-20333 and CVE-2025-20362, which could allow them to gain remote access, execute arbitrary code, deploy malware, and sometimes even cause Denial of Service (DoS) reboots on unpatched devices.

The attacks started in May 2025, Cisco explained, and stressed the “new variant” is not a distinct piece of malware, but rather an updated attack technique – essentially, an evolved version of the same activity linked to the ArcaneDoor threat actor from 2024.



Advanced evasion techniques

In these attacks, the threat actors are exploiting VPN web services on older ASA models that lack Secure Boot and Trust Anchor protection, disabling logs and tampering with ROMMON firmware to maintain persistence, even after reboots.

To remain hidden and hinder any forensic investigation, the threat actors used stealth and advanced evasion techniques, Cisco added:

“Attackers were observed to have exploited multiple zero-day vulnerabilities and employed advanced evasion techniques such as disabling logging, intercepting CLI commands, and intentionally crashing devices to prevent diagnostic analysis,” Cisco said.

“The complexity and sophistication of this incident required an extensive, multi-disciplinary response across Cisco’s engineering and security teams.”

To mitigate the threat, Cisco advises users to identify affected models and firmware, check whether VPN web services are enabled, upgrade to patched versions or, as a temporary measure, disable SSL/TLS-based VPN web services, and then reset compromised devices to factory defaults before refreshing passwords, certificates, and keys.

Only older, unsupported ASA 5500-X devices have been confirmed compromised, while newer Secure Boot-enabled firewalls appear resistant, Cisco stressed, urging all customers to upgrade.
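The "check if VPN web services are enabled" step can be run offline against saved `show running-config` exports. The sketch below is an added example, not Cisco's or the article's code; the sample configuration is constructed, and the set of lines it treats as exposing VPN web services (`webvpn` / `enable <interface>` and `crypto ikev2 enable <interface> client-services`) is an assumption of this example, so the vendor advisory remains the authoritative list.

```python
import re

# Constructed excerpt of `show running-config` output (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-fw-01
interface GigabitEthernet0/0
 nameif outside
logging buffered informational
crypto ikev2 enable outside client-services port 443
webvpn
 enable outside
 anyconnect enable
!
"""


def audit_config(text):
    """Summarise VPN web-service exposure and logging state in an ASA config."""
    findings = {"webvpn_interfaces": [], "ikev2_client_services": [],
                "logging_enabled": False}
    in_webvpn = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            # Top-level line: only a bare `webvpn` opens the global block;
            # an indented `webvpn` under group-policy is ignored.
            in_webvpn = line == "webvpn"
            m = re.match(r"crypto ikev2 enable (\S+) client-services\b", line)
            if m:
                findings["ikev2_client_services"].append(m.group(1))
            if line == "logging enable":
                findings["logging_enabled"] = True
        elif in_webvpn:
            # ` enable outside` matches; ` anyconnect enable` does not.
            m = re.match(r"\s+enable (\S+)", line)
            if m:
                findings["webvpn_interfaces"].append(m.group(1))
    return findings


def needs_review(findings):
    """True when any interface exposes VPN web services."""
    return bool(findings["webvpn_interfaces"]
                or findings["ikev2_client_services"])


if __name__ == "__main__":
    result = audit_config(SAMPLE_CONFIG)
    print(result, "review:", needs_review(result))
```

A missing `logging enable` line is also the default state, so compare it against the device's known-good baseline before reading it as tampering.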

Via The Register

