Cisco Systems has recently disclosed notable zero-day vulnerabilities affecting its Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) software, with significant implications for network security. The vulnerabilities, identified as CVE-2025-20333 and CVE-2025-20362, were found to be actively exploited by a sophisticated threat actor related to the ArcaneDoor campaign, prompting immediate attention from cybersecurity professionals.
"On September 25, Cisco published advisories regarding three zero-day vulnerabilities and a supplemental post," noted the Tenable Research Special Operations (RSO) team, which has taken it upon itself to answer frequent queries concerning these threats.

The critical vulnerabilities detailed by Cisco are summarized as follows: CVE-2025-20333, which allows for remote code execution, carries a CVSS score of 9.9, while CVE-2025-20362, which enables unauthorized access, has a CVSS score of 6.5. Notably, both of these vulnerabilities have been exploited in the wild. Of the three vulnerabilities disclosed, the third, CVE-2025-20363, while also a serious concern, has not yet been observed as being actively exploited.
"Yes, according to Cisco, CVE-2025-20333 and CVE-2025-20362 were exploited in the wild as zero-days," explained an analyst from Cisco. The combination of these vulnerabilities can allow malicious actors to seize control of vulnerable devices, making the situation particularly alarming.

The threat actor identified as UAT4356, also known as Storm-1849, is explicitly associated with the exploitation of these vulnerabilities. This group has a history of leveraging vulnerabilities for cyberattack campaigns, including the April 2024 ArcaneDoor campaign. According to Cisco's reports, the ArcaneDoor campaign was characterized by targeted and sophisticated attacks.
"The malicious activity associated with CVE-2025-20333 and CVE-2025-20362 is linked to UAT4356," the analyst confirmed. The group's activity appears to be a continuation of their previous exploits, which have made waves in the cybersecurity community. Previous vulnerabilities exploited by UAT4356 include CVE-2024-20353 and CVE-2024-20359, both of which were part of earlier malicious campaigns.
The ramifications of these vulnerabilities extend beyond immediate threats to network integrity; they may act as a vector for more complex malware attacks. The National Cyber Security Centre (NCSC) recently published an alert regarding associated malware utilized during these attacks. This included a multi-stage bootkit referred to as RayInitiator, which has raised concerns about the evasion capabilities of the threat actors involved.
"The first malware identified, RayInitiator, is part of a multi-stage bootkit malware family, indicating the elevated sophistication of the associated attacks," stated the NCSC. Such insights reflect the evolving nature of cyber threats targeting infrastructure, especially as cybercriminals hone their tactics through a growing arsenal of vulnerabilities.
The urgency surrounding these zero-days cannot be overstated. Organizations using affected Cisco products are strongly advised to apply patches and seek ways to mitigate risk stemming from these vulnerabilities. As cyber threats continue to grow in complexity and scale, maintaining vigilance and proactive security measures is paramount for the integrity of networks.
In conclusion, the discovery and exploitation of zero-day vulnerabilities like CVE-2025-20333 and CVE-2025-20362 serve as a reminder of the imperative for organizations to stay abreast of potential threats within their systems. The ability of threat actors to exploit such vulnerabilities emphasizes the necessary evolution of defensive cybersecurity strategies to guard against such attacks. The cybersecurity landscape may continue to evolve, and as it does, companies must remain vigilant and resilient in the face of these persistent threats.