Cisco ASA & FTD Zero-Day Vulnerabilities (CVE-2025-20333, CVE-2025-20362): Exploited in Active Attacks
Cisco has confirmed two zero-day vulnerabilities — CVE-2025-20333 and CVE-2025-20362 — impacting ASA (Adaptive Security Appliance) and FTD (Firepower Threat Defense) devices. Both flaws are already being exploited in real-world attacks by an advanced persistent threat group known as UAT4356 (STORM-1849).
If you manage Cisco perimeter firewalls or VPN devices, patching and incident response should be your top priority.
What Are CVE-2025-20333 and CVE-2025-20362?
- CVE-2025-20333 (Critical, RCE)
  A remote code execution flaw in the VPN Web Server module of Cisco ASA/FTD. Exploitation allows attackers to run arbitrary code with system privileges.
- CVE-2025-20362 (High, Unauthorized Access)
  An authentication bypass bug in the VPN Web Server, allowing attackers to gain unauthorized access.
- CVE-2025-20363 (Critical, RCE – not exploited yet)
  A related web services vulnerability affecting multiple Cisco platforms.
⚠️ Why it matters: CVE-2025-20333 and CVE-2025-20362 can be chained together, giving attackers full control of vulnerable devices.
Who Is Behind the Exploits?
Cisco attributes the campaign to UAT4356 / STORM-1849, the same group behind the ArcaneDoor espionage campaign (2024).
Malware tools observed in these attacks include:
- RayInitiator → A stealth bootkit providing persistent access.
- LINE VIPER → A shellcode loader supporting HTTPS/ICMP communication channels.
The UK’s NCSC has also issued technical alerts with Indicators of Compromise (IoCs).
Affected Cisco Products
- ASA Software (all major versions prior to patched releases)
- Firepower Threat Defense (FTD) appliances with public-facing VPN enabled
If your devices host AnyConnect or SSL VPN portals, they are at the highest risk.
Mitigation & Patch Guidance
Cisco has released patched versions — admins should:
- Upgrade immediately to the recommended ASA/FTD releases.
- Restrict public exposure of the VPN web interface where possible.
- Implement access controls (ACLs, IP restrictions, geo-blocking).
- Scan networks with updated plugins (e.g. Tenable, Nessus) to identify vulnerable systems.
- Check for persistence — patching alone does not remove implants. Conduct forensic reviews.
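The second and third mitigations above (limit exposure of the VPN web interface, apply access controls) can be checked mechanically against an exported running-config. The script below is an added example, not Cisco's or the page's own tooling: it parses a constructed ASA config excerpt, lists the interfaces on which the `webvpn` server is enabled, and flags any of them that has no control-plane ACL restricting who can reach the appliance itself.

```python
import re
from typing import Dict, List

# Constructed sample ASA running-config excerpt (not taken from any real device).
# It shows the risky pattern: the VPN web server is enabled on "outside"
# while only "inside" has a control-plane ACL limiting access to the box.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
access-list MGMT-CP extended permit tcp 203.0.113.0 255.255.255.0 any eq https
access-group MGMT-CP in interface inside control-plane
webvpn
 enable outside
 enable inside
 anyconnect enable
"""

def webvpn_interfaces(config: str) -> List[str]:
    """Return the nameifs listed as 'enable <nameif>' under the top-level 'webvpn' block."""
    ifaces, in_webvpn = [], False
    for line in config.splitlines():
        if not line.startswith(" "):          # unindented line = new top-level command
            in_webvpn = line.strip() == "webvpn"
            continue
        m = re.match(r"\s+enable\s+(\S+)$", line)
        if in_webvpn and m:
            ifaces.append(m.group(1))
    return ifaces

def control_plane_acl_interfaces(config: str) -> Dict[str, str]:
    """Map nameif -> ACL name for each 'access-group <acl> in interface <nameif> control-plane'."""
    pat = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)\s+control-plane$")
    return {m.group(2): m.group(1) for m in map(pat.match, config.splitlines()) if m}

def audit_webvpn_exposure(config: str) -> List[str]:
    """Interfaces where the VPN web server is reachable with no control-plane ACL in front of it."""
    protected = control_plane_acl_interfaces(config)
    return [iface for iface in webvpn_interfaces(config) if iface not in protected]

if __name__ == "__main__":
    for iface in audit_webvpn_exposure(SAMPLE_CONFIG):
        print(f"webvpn enabled on '{iface}' with no control-plane ACL restricting access")
```

Run it against `show running-config` output saved to a file; an interface reported here is one where the vulnerable VPN web server is exposed to anyone who can route to it.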