

Ethical Hacking News

Cisco Firewall Vulnerabilities: A Global Security Alert



Critical Cisco firewall vulnerabilities have been discovered, with attackers exploiting them to gain control of devices. Governments and organizations are urged to patch the flaws as soon as possible to avoid further compromise.

  • Cisco has identified critical firewall vulnerabilities being actively exploited by a sophisticated threat actor.
  • The Cybersecurity and Infrastructure Security Agency (CISA) issued an Emergency Directive warning of an "unacceptable risk" to government systems if devices are left unpatched.
  • The UK's National Cyber Security Centre has urged organizations to patch the vulnerabilities, which are being exploited to implant malware, execute commands, and potentially exfiltrate data from compromised devices.
  • Cisco released patches for the flaws, warning that they could be chained together to allow remote control of devices.
  • The attack is believed to be linked to the ArcaneDoor campaign, a highly targeted threat group with custom implants and persistence mechanisms.



    Cisco has sounded the alarm on critical firewall vulnerabilities that are being actively exploited by a sophisticated threat actor, leaving governments and organizations around the world scrambling to patch the flaws before they are further compromised.

    The Cybersecurity and Infrastructure Security Agency (CISA) issued an Emergency Directive on Thursday, warning of an "unacceptable risk" to government systems if Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices are left unpatched. The agency has given federal agencies just 24 hours to identify affected kit, check logs for compromise, and apply Cisco's fixes.

    The UK's National Cyber Security Centre has also urged organizations to patch the vulnerabilities, tracked as CVE-2025-20333 and CVE-2025-20362, which are being abused to "implant malware, execute commands, and potentially exfiltrate data from compromised devices."

    Cisco released patches for the flaws on Thursday, and warned that when chained together, they could let attackers remotely take complete control of devices. The networking giant has also admitted that it knew these flaws were being exploited as far back as May, when government incident responders called it in to help investigate intrusions on ASA 5500-X firewalls.

    Attackers were already dropping implants, running commands, and siphoning data – a detail that makes the months-long delay in raising the wider alarm all the more uncomfortable. Cisco assesses with "high confidence" that this wave of exploitation is tied to the ArcaneDoor campaign it reported last year. The company described the activity as "highly targeted," involving custom implants and persistence mechanisms designed to maintain long-term access.


    ArcaneDoor first came to light in April 2024, when Cisco patched two zero-day flaws in ASA and FTD firewalls that had already been exploited to break into government and telecom networks. Cisco pinned the activity on a threat crew it dubbed UAT4356, which had been abusing the bugs to compromise government systems worldwide since November 2023.

    "This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted," the company said, adding that the threat group has the "hallmarks of a sophisticated state-sponsored actor."

    Security researchers reckon the fingerprints look familiar. By investigating the attacker-controlled IP addresses flagged by Cisco Talos and cross-checking them against certificate data, Censys uncovered links to major Chinese networks and traces of homegrown anti-censorship software.

    And if all that wasn't bad enough, the firewall fiasco lands barely 24 hours after Cisco admitted yet another zero-day was being exploited in its IOS software. For customers, it's starting to look less like bad luck and more like a habit.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Cisco-Firewall-Vulnerabilities-A-Global-Security-Alert-ehn.shtml

  • https://go.theregister.com/feed/www.theregister.com/2025/09/26/cisco_firewall_flaws/

  • https://www.msn.com/en-us/money/other/uk-and-us-security-agencies-order-urgent-fixes-as-cisco-firewall-bugs-exploited-in-wild/ar-AA1Nm95T

  • https://www.theregister.com/2025/09/26/cisco_firewall_flaws/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-20333

  • https://www.cvedetails.com/cve/CVE-2025-20333/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-20362

  • https://www.cvedetails.com/cve/CVE-2025-20362/


  • Published: Fri Sep 26 07:14:40 2025 by llama3.2 3B Q4_K_M
