Cisco ASA Zero-Day Exploited to Deliver RayInitiator and LINE VIPER Malware
September 26, 2025
Severity
High
Analysis Summary
On September 25, 2025, Cisco disclosed multiple zero-day vulnerabilities in the VPN/web services of Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD), plus a related web-services RCE affecting IOS platforms. Two of these, CVE-2025-20333 (a high-severity buffer overflow leading to root RCE) and CVE-2025-20362 (a missing-authorization flaw allowing access to restricted endpoints), were confirmed exploited in the wild; a third (CVE-2025-20363) was disclosed but not observed exploited. Cisco published advisories and mitigations and attributed the active exploitation to sophisticated actors.
CVE-2025-20333 can give an attacker root remote code execution on ASA/FTD devices (both its CVSS score and its real-world impact are rated extremely high), and CVE-2025-20362 can be chained with it to bypass authentication and reach the vulnerable service; together they allow full device takeover without valid admin credentials on internet-exposed VPN/web interfaces. Vendors and researchers warn that these flaws are being used to install persistent implants and, in some cases, to modify device firmware/ROM so the implant survives reboots, which elevates the operational risk to network edges and VPN concentrators.
Cisco links the campaign to a known activity cluster (UAT4356 / Storm-1849) associated with the prior “ArcaneDoor” espionage activity; multiple security teams and CISA observed widespread exploitation and issued an Emergency Directive (ED 25-03) requiring federal organizations to identify and mitigate affected devices immediately. CISA added CVE-2025-20333 and CVE-2025-20362 to its Known Exploited Vulnerabilities catalog and mandated scanning, isolating suspected devices, and urgent patching. Public reporting emphasizes the speed and scale of exploitation and the need to treat internet-facing ASA/FTD devices as high-risk until mitigated.
Apply Cisco’s published patches and firmware updates immediately; if patching is delayed, follow Cisco’s temporary mitigations (remove or restrict internet access to the VPN/web management interface and enforce least-privilege access). Rotate or force-reset all local and privileged credentials, audit recent configuration changes and logs for suspicious admin activity or unexpected reboots, scan for the Indicators of Compromise that Cisco and its partners have published, and consider rebuilding compromised appliances where firmware persistence is suspected. Finally, treat exposed network-edge devices as priority assets in vulnerability scanning and incident response playbooks going forward.
Impact
- Code Execution
- Buffer Overflow
- Gain Access
Indicators of Compromise
CVE
- CVE-2025-20333
- CVE-2025-20362
Remediation
- Apply Cisco’s official software updates/patches for ASA and FTD appliances as soon as possible.
- Restrict or disable internet exposure of the VPN/web services interface until patches are applied.
- Implement Cisco’s temporary mitigations if patching is delayed (e.g., block access to SSL VPN/web management portals).
- Audit all privileged/admin accounts and force password resets to prevent credential misuse.
- Review configuration changes and system logs for unauthorized modifications or suspicious activity.
- Look for Indicators of Compromise (IoCs) published by Cisco, CISA, and trusted partners.
- Isolate and rebuild compromised devices if firmware/ROM persistence is suspected.
- Enhance network monitoring and logging to detect abnormal VPN or management traffic.
- Prioritize edge devices (ASA/FTD appliances) in vulnerability management and scanning routines.
- Follow CISA’s Emergency Directive (ED 25-03) if applicable, including mandatory reporting and verification.
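As an added illustration of the log-review step above (my own example, not Cisco's or the advisory's tooling), the following Python scans a few constructed ASA syslog lines for admin logins and CLI commands from outside an assumed trusted management range, for commands that disable logging or alter the boot image or config, and for startup events that may indicate an unexpected reboot. The trusted range, the syslog message formats and the sample lines are all assumptions made for this example.

```python
import ipaddress
import re

# Assumed trusted admin/management range (adjust for your environment).
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Commands worth review on an edge firewall: disabling logging, changing the
# boot image, copying configs/images, or touching credentials.
SENSITIVE_CMD = re.compile(r"^(no logging|boot |copy |format |username |enable password|crypto key)")

# Constructed sample syslog lines, not from the advisory. Message IDs 605005
# (login permitted), 111010 (CLI command executed) and 199002 (startup
# completed) are used as I understand them; verify against your ASA syslog reference.
SAMPLE_LOGS = """\
<166>Sep 24 2025 02:11:07 asa-edge-1 : %ASA-6-605005: Login permitted from 203.0.113.57/51322 to outside:198.51.100.10/https for user "admin"
<165>Sep 24 2025 02:11:40 asa-edge-1 : %ASA-5-111010: User 'admin', running 'CLI' from IP 203.0.113.57, executed 'copy running-config disk0:/cfg.bak'
<165>Sep 24 2025 02:12:03 asa-edge-1 : %ASA-5-111010: User 'admin', running 'CLI' from IP 203.0.113.57, executed 'no logging enable'
<166>Sep 24 2025 02:14:55 asa-edge-1 : %ASA-6-199002: Startup completed. Beginning operation.
<166>Sep 24 2025 09:30:12 asa-edge-1 : %ASA-6-605005: Login permitted from 10.20.0.5/40211 to inside:10.20.0.1/ssh for user "netops"
"""

LOGIN_RE = re.compile(r'%ASA-6-605005: Login permitted from (\S+)/\d+ to \S+ for user "([^"]+)"')
CMD_RE = re.compile(r"%ASA-5-111010: User '([^']+)', running '[^']+' from IP (\S+), executed '([^']*)'")
BOOT_RE = re.compile(r"%ASA-6-199002: Startup completed")


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def audit_asa_logs(text: str) -> list:
    """Return one finding per suspicious line: a login or command from an
    untrusted source, a sensitive command, or a startup event (reboot)."""
    findings = []
    for line in text.splitlines():
        if m := LOGIN_RE.search(line):
            src, user = m.groups()
            if not is_trusted(src):
                findings.append({"type": "login", "user": user, "src": src, "reasons": ["untrusted_source"]})
        elif m := CMD_RE.search(line):
            user, src, cmd = m.groups()
            reasons = []
            if not is_trusted(src):
                reasons.append("untrusted_source")
            if SENSITIVE_CMD.match(cmd):
                reasons.append("sensitive_command")
            if reasons:
                findings.append({"type": "command", "user": user, "src": src, "cmd": cmd, "reasons": reasons})
        elif BOOT_RE.search(line):
            # A startup event outside a planned maintenance window merits investigation.
            findings.append({"type": "reboot", "reasons": ["startup_event"]})
    return findings
```

Correlate any "reboot" finding with your change calendar; a startup event shortly after config changes from an untrusted source is the pattern the advisory's persistence warning describes.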