Advisory ID: NCC-CSIRT-2025-016
Summary:
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding ongoing attacks targeting Cisco ASA and Firepower devices, urging organizations to identify, analyse, and patch critical vulnerabilities immediately. The flaws allow unauthenticated remote code execution, privilege escalation, and firmware manipulation to maintain persistence even after reboots or upgrades.
The exploitation, linked to the ArcaneDoor (Storm-1849) threat group, has already compromised at least ten organizations worldwide, including several U.S. federal agencies. CISA noted that attackers have demonstrated the ability to tamper with read-only memory components since 2024.
Damage/Probability: High/Critical
Product(s):
- Cisco Adaptive Security Appliance (ASA) / ASA-based firewall software
- Cisco Firepower / Firepower Threat Defense (FTD) appliances
- End-of-support or legacy Cisco firewall hardware
Version(s):
- Cisco ASA / ASA firmware versions (across supported and unsupported releases)
- Cisco Firepower / FTD software versions
- Legacy ASA hardware reaching end-of-support (e.g. certain 5500-X series)
Platform(s):
On-premises firewall and network edge infrastructure running Cisco ASA / Firepower; management and web services exposed via VPN/web services interfaces.
Description:
Through its Emergency Directive, CISA has officially recognized a “widespread” exploitation campaign targeting Cisco ASA and Firepower devices. (Cybersecurity Dive) The exploited vulnerabilities (notably CVE-2025-20333, CVE-2025-20362, and, in some disclosures, CVE-2025-20363) allow attackers to obtain unauthenticated remote code execution, escalate privileges, and, critically, tamper with internal device firmware (read-only memory modules) so that malware or implants survive reboots and upgrades.
In practice, the attacker chain might proceed as follows:
- Use CVE-2025-20333 to gain unauthenticated remote code execution on a vulnerable ASA / ASA-web services interface.
- Use CVE-2025-20362 (privilege escalation) or other methods to gain full administrative/root privileges.
- Modify ROM / firmware or boot components to embed malicious implants (e.g., replacing or altering ROMMON) so that control is retained across reboots, firmware upgrades, and factory resets.
- Use the compromised firewall as a pivot point into internal networks, intercept or redirect traffic, or exfiltrate data.
Cisco itself has indicated that attackers utilized advanced evasion techniques, disabling logging, crashing devices to prevent diagnostic analysis, intercepting CLI commands, and tampering with boot mechanisms.
CISA’s directive notes that some ASA devices will reach end-of-support on 30 September 2025, and mandates their full decommissioning. The directive also mandates forensic core dumps, assessments of compromise, removal of compromised devices, upgrade or replacement of vulnerable systems, and reporting to CISA.
Impacts:
- Complete compromise of firewall appliances, enabling attackers to intercept, reroute, or modify network traffic
- Persistence even after firmware upgrades/reboots, making detection and cleanup extremely difficult
- Lateral movement into downstream systems and network segments
- Exfiltration of sensitive data, credential theft, internal espionage
- Disruption of network security controls or denial of service
- Reputational/regulatory/compliance fallout for organizations relying on affected infrastructure
Solutions:
- Immediately inventory all Cisco ASA and Firepower / FTD devices in use, especially those with VPN or web services enabled.
- Decommission / permanently disconnect ASA hardware that reaches or passes end-of-support (particularly those that go end-of-support on 30 September 2025).
- For supported devices, immediately upgrade firmware/software to Cisco’s patched versions (apply latest updates and subsequent releases within 48 hours of availability).
- Reset device configurations: treat all configurations, credentials, certificates, and keys as potentially compromised. Rebuild or reconfigure from scratch where possible after patching.
- Segregate/restrict access: management and administrative interfaces should be accessible only from trusted internal networks or VPN tunnels; ensure no exposure to the public internet if not strictly necessary.
- Monitor logs, traffic, and anomalies: flag unexpected firmware integrity deviations, abnormal traffic flows, or CLI/admin changes.
- Report inventory, actions taken, and outcomes to the relevant oversight authority (for U.S. federal: to CISA) by the required deadline (by Oct 2, 2025, for inventory).
- Engage in threat hunting and retrospective audits to identify whether lateral movement or secondary compromises have occurred.
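Added example (not part of the original advisory): a small triage script that applies the directive's decisions above to an inventory of ASA / FTD devices, producing the action each device needs: decommission end-of-support hardware, patch supported devices (flagging those past the 48-hour window), hunt on devices with exposed web services, and restrict internet-reachable management. The fixed release numbers are labelled placeholders, since this advisory does not state them, and the inventory is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Deadlines as stated in this advisory.
EOS_CUTOFF = date(2025, 9, 30)          # legacy ASA hardware reaches end-of-support
INVENTORY_DEADLINE = date(2025, 10, 2)  # inventory report due to CISA
PATCH_WINDOW = timedelta(hours=48)      # fixed releases applied within 48 hours
# PLACEHOLDER: the minimum fixed release per platform is not given on this page;
# take it from Cisco's advisory for your release train before relying on this.
FIXED_RELEASE = {"asa": (9, 99, 99), "ftd": (7, 99, 99)}

@dataclass
class Device:
    hostname: str
    platform: str                  # "asa" or "ftd"
    version: str                   # e.g. "9.16.4"
    eos_date: Optional[date]       # hardware end-of-support date, if any
    web_services: bool             # VPN / web services interface enabled
    mgmt_internet: bool            # management interface reachable from the internet
    fix_published: Optional[date]  # date the fixed release became available

def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def triage(dev: Device, today: date) -> List[str]:
    """Actions the directive requires for one device, most drastic first."""
    actions = []
    if dev.eos_date is not None and dev.eos_date <= EOS_CUTOFF:
        # Hardware that must be decommissioned: patching it is not an option.
        return ["DECOMMISSION: end-of-support hardware, disconnect permanently"]
    if parse_version(dev.version) < FIXED_RELEASE[dev.platform]:
        overdue = dev.fix_published is not None and today - dev.fix_published > PATCH_WINDOW
        tag = "PATCH-OVERDUE" if overdue else "PATCH"
        actions.append(f"{tag}: upgrade, then rebuild config and rotate credentials/keys")
    if dev.web_services:
        actions.append("HUNT: web services exposed, take core dump and assess for compromise")
    if dev.mgmt_internet:
        actions.append("RESTRICT: management must only be reachable from trusted networks")
    return actions

def days_to_inventory_deadline(today: date) -> int:
    return (INVENTORY_DEADLINE - today).days

# Constructed sample inventory (not from the advisory).
SAMPLE_INVENTORY = [
    Device("fw-legacy-01", "asa", "9.12.4", date(2025, 9, 30), True, False, date(2025, 9, 25)),
    Device("fw-edge-02", "asa", "9.16.4", date(2028, 1, 1), True, True, date(2025, 9, 25)),
    Device("fw-core-03", "ftd", "7.99.99", None, False, False, date(2025, 9, 25)),
]
```

Run `triage(dev, date.today())` over each device and attach the result to the inventory you report by the deadline; a device returning an empty list needs no action beyond continued monitoring.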
What Organizations Should Do:
Ensure that critical firewall and network infrastructure devices aren’t being overlooked; these are high-value targets.
- Maintain an up-to-date inventory of network edge devices, firmware versions, and support status.
- Subscribe to vendor security advisories and threat intelligence feeds; act on zero-day alerts quickly.
- Introduce firmware integrity checks or attestation mechanisms where feasible.
- Enforce the principle of least privilege and restrict management channel access.
- Periodically rehearse incident response and evacuation of compromised infrastructure.
- Train administrators to recognise signs of firmware/ROM tampering, as well as anomalies in firewall behaviour.
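Added example (not part of the original advisory) for the monitoring and administrator-training points above: detection logic that reads ASA command-audit syslog lines and flags the behaviours this advisory attributes to the intrusions, namely logging being disabled, diagnostics being disabled, boot/ROMMON changes, and administrative sessions from outside trusted management networks. The message layout, the trusted networks, and the sample lines are assumptions constructed for the example.

```python
import ipaddress
import re

# Constructed allowlist of trusted management networks (assumption: RFC 1918 ranges).
TRUSTED_MGMT = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Assumed layout of the ASA 111010 command-audit message:
#   User '<user>', running '<app>' from IP <ip>, executed '<command>'
CLI_RE = re.compile(
    r"%ASA-\d-111010: User '(?P<user>[^']+)', running '(?P<app>[^']+)' "
    r"from IP (?P<ip>[0-9a-fA-F.:]+), executed '(?P<cmd>[^']*)'"
)

# Behaviours the advisory attributes to the intrusions: disabling logging,
# disabling diagnostics, and tampering with boot components. Matched against the
# executed command only, so legitimate change-window upgrades will also surface
# and must be reconciled against change records.
SUSPICIOUS_CMDS = [
    (re.compile(r"^no logging (enable|host|trap|buffered)\b"), "logging disabled"),
    (re.compile(r"^no coredump enable\b"), "diagnostics disabled"),
    (re.compile(r"^(boot system|upgrade rommon)\b"), "boot/ROMMON change"),
]

def analyse(lines):
    """Return one finding per audited command that needs analyst attention."""
    findings = []
    for line in lines:
        m = CLI_RE.search(line)
        if not m:
            continue  # not a command-audit message
        ip = ipaddress.ip_address(m["ip"])
        cmd = m["cmd"].strip()
        reasons = [label for rx, label in SUSPICIOUS_CMDS if rx.search(cmd)]
        if not any(ip in net for net in TRUSTED_MGMT):
            reasons.append("admin session from untrusted source")
        if reasons:
            findings.append({"user": m["user"], "ip": str(ip), "cmd": cmd, "reasons": reasons})
    return findings

# Constructed sample syslog lines (not captured from a real device).
SAMPLE_LOG = [
    "%ASA-5-111010: User 'netops', running 'CLI' from IP 10.20.30.40, executed 'show version'",
    "%ASA-5-111010: User 'admin', running 'CLI' from IP 203.0.113.7, executed 'no logging enable'",
    "%ASA-5-111010: User 'admin', running 'CLI' from IP 10.20.30.40, executed 'boot system disk0:/asa.bin'",
    "%ASA-6-302013: Built inbound TCP connection 4711 for outside:198.51.100.9/51234 to inside:10.1.1.5/443",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['user']}@{f['ip']} ran {f['cmd']!r}: {', '.join(f['reasons'])}")
```

Because the attackers are described as disabling logging, a gap in the syslog stream from a device is itself a signal: alert on silence from a firewall as well as on the commands above.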
References:
- https://www.techradar.com/pro/security/us-government-tells-agencies-to-patch-cisco-firewalls-immediately-or-face-attack
- https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-cisco-flaws-exploited-in-zero-day-attacks/
- https://www.reuters.com/legal/litigation/us-sounds-alarm-over-hackers-targeting-cisco-security-devices-2025-09-25/
- https://www.axios.com/2025/09/25/us-agencies-cisco-firewalls-hacks-breaches