Urgent Mitigation Required for Cisco ASA and FTD Zero-Day Vulnerabilities
Recent cybersecurity developments have highlighted critical vulnerabilities in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software. Two zero-day vulnerabilities, CVE-2025-20333 and CVE-2025-20362, have been identified and are actively being exploited in the wild. These vulnerabilities allow attackers to execute arbitrary code and access restricted endpoints, posing a significant threat to affected systems. Cisco has urged immediate patching to mitigate these risks.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive, emphasizing the urgency of addressing these vulnerabilities. The directive requires federal agencies to identify and mitigate potential compromises within 24 hours. The vulnerabilities have been added to the Known Exploited Vulnerabilities (KEV) catalog, underscoring their critical nature. The exploitation campaign is linked to a threat actor known as UAT4356, which targets network devices to deliver malware.
This situation underscores a broader trend of sophisticated threat actors targeting perimeter network devices. The campaign involves manipulating read-only memory (ROM) to persist through reboots and system upgrades, highlighting the advanced capabilities of the attackers. Organizations using Cisco ASA and FTD software should prioritize patching and review their security posture to prevent unauthorized access and potential data breaches.
Threats and Vulnerabilities
CVE-2025-20333 is a critical vulnerability with a CVSS score of 9.9, allowing authenticated remote attackers with valid VPN credentials to execute arbitrary code as root on affected devices. This vulnerability arises from improper validation of user-supplied input in HTTP(S) requests, enabling attackers to send crafted requests that compromise system integrity.
CVE-2025-20362, with a CVSS score of 6.5, allows unauthenticated remote attackers to reach restricted URL endpoints that should require authentication. It also stems from improper validation of user-supplied input in HTTP(S) requests and can lead to unauthorized access and data exposure.
The exploitation of these vulnerabilities is part of a campaign by the threat actor UAT4356, also known as Storm-1849. This actor has been linked to the ArcaneDoor threat cluster, which targets perimeter network devices from multiple vendors. The campaign involves exploiting zero-day vulnerabilities for remote code execution and ROM manipulation, posing a significant risk to network security.
Client Impact
Clients using Cisco ASA and FTD software may face operational disruptions due to unauthorized access or code execution on their systems. These vulnerabilities could lead to data breaches, financial losses, and damage to organizational reputation if exploited successfully. The advanced nature of the threat actor involved suggests a high level of sophistication, increasing the potential impact on affected organizations.
From a compliance perspective, failure to address these vulnerabilities could result in regulatory challenges, audits, or penalties. Organizations must ensure they are aligned with relevant cybersecurity standards and directives, such as those issued by CISA, to mitigate potential legal and financial repercussions.
Mitigations
To mitigate the identified risks, clients should take the following actions:
- Immediately apply the patches Cisco has released for ASA and FTD software to address these vulnerabilities.
- Conduct a thorough review of network configurations and access controls to ensure only authorized users have VPN access.
- Implement intrusion detection systems (IDS) to monitor for unusual activity or attempts to exploit these vulnerabilities.
- Regularly update security protocols and conduct vulnerability assessments to identify potential weaknesses.
- Educate employees about phishing attacks and social engineering tactics that could be used to gain initial access.
By taking these steps, organizations can reduce their exposure to these vulnerabilities and enhance their overall security posture. Continuous monitoring and proactive security measures are essential in defending against sophisticated threat actors targeting network infrastructure.
1898 & Co. Response
1898 & Co. is actively responding to the current threat landscape by offering specialized services to address emerging threats like those affecting Cisco ASA and FTD software. Our team provides tailored vulnerability assessments and patch management solutions to help clients secure their network devices against exploitation.
We are updating our security protocols and practices in line with the latest threat intelligence gathered from industry partners and government agencies. Our collaborative efforts focus on enhancing our clients' defenses against advanced persistent threats targeting network infrastructure.
Ongoing research and threat intelligence activities are central to our approach, ensuring we stay ahead of evolving threats. We provide clients with actionable insights and recommendations based on real-world case studies demonstrating successful mitigations against similar vulnerabilities.