Advisory ID: NCC-CSIRT-2025-024
Summary:
Cisco has warned of a new attack variant exploiting two zero-day flaws, CVE-2025-20333 and CVE-2025-20362, in the VPN web server of ASA and FTD software. CVE-2025-20333 is a buffer overflow that gives code execution as root but requires valid VPN credentials; CVE-2025-20362 lets an unauthenticated attacker reach restricted URL endpoints, so the two chained together yield unauthenticated remote code execution (RCE). The newest variant also causes unpatched devices to reload unexpectedly and repeatedly, producing a persistent denial of service (DoS). The campaign, active since May 2025, has deployed the RayInitiator bootkit and the LINE VIPER shellcode loader to achieve persistence and evade detection. CISA has added both CVEs to its Known Exploited Vulnerabilities catalogue and issued Emergency Directive 25-03; together with allied CERTs it urges organizations to patch immediately, capture core dumps for forensic analysis before rebooting, and isolate or rebuild compromised systems.
Damage/Probability: Critical/High
CVE(s): CVE-2025-20333 and CVE-2025-20362
Product(s):
- Cisco Secure Firewall Adaptive Security Appliance (ASA) Software
- Cisco Secure Firewall Threat Defense (FTD) Software
- Affected management interfaces: VPN/WebVPN (HTTP/HTTPS) services and related web UI components
Version(s):
Any ASA or FTD release earlier than the fixed release Cisco lists for its software train in the Cisco Security Advisory for CVE-2025-20333 and CVE-2025-20362. (Confirm exact build numbers against that advisory; fixed versions differ per train.)
Platform(s):
- Enterprise and service-provider perimeter/firewall appliances (on-premises ASA hardware)
- ASAv virtual appliance
- Firepower/FTD deployments, especially devices exposing VPN web interfaces to the internet
Description:
Two related vulnerabilities disclosed on 25 September 2025, CVE-2025-20333 (a critical buffer overflow in the VPN web server that yields code execution as root once the attacker holds VPN credentials) and CVE-2025-20362 (a missing-authorization flaw exposing restricted endpoints to unauthenticated requests), have been weaponized in active campaigns. Attackers chain the two to execute arbitrary code as root on vulnerable ASA/FTD devices, create backdoor accounts, disable or tamper with logging, and, in the newest variant, force device reloads, leaving unpatched appliances in a persistent DoS condition. Reports indicate the campaign is an evolution of the ArcaneDoor activity (tracked as UAT4356/Storm-1849) observed in 2024 and has delivered multiple malware strains to affected devices, including RayInitiator, a boot-level implant that survives reboots and software upgrades on ASA hardware without Secure Boot, and LINE VIPER, a user-mode shellcode loader.
Investigations show large numbers of internet-connected ASA/FTD devices remained unpatched as of late September 2025, providing a wide attack surface. In several cases, devices showed tampering that a simple file clean-up cannot remove (persistence below the operating system rather than stray files on disk). Authorities recommend treating any evidence of compromise as serious and following the published forensic guidance: capture a core dump before the device is rebooted, since a reload destroys volatile evidence, and coordinate the analysis with CISA, the relevant CERT, or Cisco.
Impacts:
- Full administrative compromise (root on the appliance)
- Persistent backdoors, including boot-level persistence that survives reboot and upgrade
- Network outages via forced reboot loops
- Lateral movement into the networks the firewall protects
Solutions:
NCC-CSIRT recommends the following mitigation steps:
- Apply Cisco patches for CVE-2025-20333 and CVE-2025-20362 on all ASA/ASAv/FTD devices.
- Follow CISA ED-25-03 and rebuild any compromised or tampered devices.
- Disable unused WebVPN and management interfaces, and restrict management access to a dedicated management network.
- Rotate admin credentials, review logs, and monitor for new privileged accounts.
- Hunt for reload loops, cleared or disabled logging, newly created privileged accounts, and administrative sessions from unexpected source addresses.
- Strengthen logging, SIEM monitoring, and alerts for unusual activities.
- Replace unsupported or legacy ASA devices lacking Secure Boot protections.
- Where remote-access VPN must remain internet-facing, limit its exposure and monitor it closely; disable it where it is not needed.
- Before rebooting a suspect device, capture a core dump for implant analysis, then coordinate with NCC-CSIRT, the relevant CERT, or Cisco incident response.
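Added hunting example (not part of the NCC-CSIRT advisory or Cisco's guidance): a Python script that runs the log checks from the list above over a few constructed ASA syslog lines and reports reload loops, logging tampered with or disabled, new privilege-15 accounts, and management logins from outside the expected range. The line layout and message IDs (111008 and 111010 for executed commands, 605005 for permitted logins, 199002 for "Startup completed") are my reading of standard ASA syslog output and are assumptions to verify against the syslog reference for the release in use; the management network 10.10.0.0/24 and the sample events are constructed.

```python
"""Hunt ASA syslog for the indicators in the advisory's mitigation list:
reload loops, cleared or disabled logging, new privilege-15 accounts and
management logins from outside the expected management range.

Message formats/IDs below are assumptions drawn from common ASA syslog
messages, not from the advisory; verify them against the syslog reference
for the release you run. Sample log lines are constructed.
"""
import ipaddress
import re
from datetime import datetime

# Assumed line layout: "Mon DD YYYY HH:MM:SS <host> %ASA-<sev>-<id>: <message>"
RE_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ "
    r"%ASA-\d-(?P<id>\d{6}): (?P<msg>.*)$"
)
# 111008: configuration command executed; 111010: any command when
# command logging is enabled; 605005: management login permitted.
RE_CMD_111008 = re.compile(r"^User '(?P<user>[^']+)' executed the '(?P<cmd>.+)' command\.?$")
RE_CMD_111010 = re.compile(
    r"^User '(?P<user>[^']+)', running '[^']+' from IP (?P<ip>\S+), executed '(?P<cmd>.+)'$"
)
RE_LOGIN_605005 = re.compile(
    r'^Login permitted from (?P<ip>[\d.]+)/\d+ to (?P<iface>[^:]+):[\d.]+/(?P<proto>\S+) '
    r'for user "(?P<user>[^"]+)"$'
)
STARTUP_ID = "199002"  # assumed ID of "Startup completed. Beginning operation."
RE_PRIV_USER = re.compile(r"^username (?P<user>\S+) .*\bprivilege 15\b")
RE_LOG_TAMPER = re.compile(r"^(clear logging|no logging (enable|buffered|host|trap))\b")

# Constructed sample: one legitimate SSH login from the management LAN, then an
# HTTPS admin login from the internet that creates a privilege-15 account,
# clears the buffer, removes the syslog host, and is followed by three boots.
SAMPLE_LOG = [
    'Sep 30 2025 08:00:01 fw1 %ASA-6-605005: Login permitted from 10.10.0.5/51234 to mgmt:10.10.0.1/ssh for user "netops"',
    'Sep 30 2025 08:05:12 fw1 %ASA-6-605005: Login permitted from 203.0.113.45/44010 to outside:198.51.100.1/https for user "admin"',
    "Sep 30 2025 08:05:40 fw1 %ASA-5-111008: User 'admin' executed the 'username svc_backup password ***** privilege 15' command.",
    "Sep 30 2025 08:06:02 fw1 %ASA-5-111010: User 'admin', running 'CLI' from IP 203.0.113.45, executed 'clear logging buffer'",
    "Sep 30 2025 08:06:10 fw1 %ASA-5-111010: User 'admin', running 'CLI' from IP 203.0.113.45, executed 'no logging host mgmt 10.10.0.50'",
    "Sep 30 2025 09:10:00 fw1 %ASA-5-199002: Startup completed. Beginning operation.",
    "Sep 30 2025 09:22:00 fw1 %ASA-5-199002: Startup completed. Beginning operation.",
    "Sep 30 2025 09:35:00 fw1 %ASA-5-199002: Startup completed. Beginning operation.",
]
MGMT_NETS = ["10.10.0.0/24"]  # constructed: where admin sessions are expected from


def parse(line):
    """Return (timestamp, message id, message body) or None for non-ASA lines."""
    m = RE_HEADER.match(line)
    if not m:
        return None
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %Y %H:%M:%S")
    return ts, m["id"], m["msg"]


def hunt(lines, mgmt_nets, reload_window_s=1800, reload_threshold=3):
    """Scan syslog lines and return a dict of findings per indicator."""
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    findings = {"reload_loop": [], "log_tamper": [], "new_priv_users": [], "foreign_logins": []}
    startups = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, msg_id, msg = parsed
        if msg_id == STARTUP_ID:
            startups.append(ts)
        elif msg_id == "605005":
            m = RE_LOGIN_605005.match(msg)
            if m and not any(ipaddress.ip_address(m["ip"]) in n for n in nets):
                findings["foreign_logins"].append((ts, m["user"], m["ip"], m["iface"], m["proto"]))
        elif msg_id in ("111008", "111010"):
            m = (RE_CMD_111008 if msg_id == "111008" else RE_CMD_111010).match(msg)
            if not m:
                continue
            pm = RE_PRIV_USER.match(m["cmd"])
            if pm:
                findings["new_priv_users"].append((ts, m["user"], pm["user"]))
            if RE_LOG_TAMPER.match(m["cmd"]):
                findings["log_tamper"].append((ts, m["user"], m["cmd"]))
    # Reload loop: reload_threshold startups inside a sliding window of reload_window_s.
    startups.sort()
    for i in range(len(startups) - reload_threshold + 1):
        first, last = startups[i], startups[i + reload_threshold - 1]
        if (last - first).total_seconds() <= reload_window_s:
            findings["reload_loop"].append((first, last, reload_threshold))
            break
    return findings


if __name__ == "__main__":
    for kind, hits in hunt(SAMPLE_LOG, MGMT_NETS).items():
        for hit in hits:
            print(f"[{kind}] {hit}")
```

Run it against syslog exported from the ASA or the SIEM; a hit on any of the four indicators on a device that was internet-facing and unpatched during the campaign window is grounds to follow the core-dump and rebuild guidance rather than to clean up in place. Note that an attacker who disabled the syslog host will have left a gap in the remote log, so the absence of later events is itself worth checking against the device's local buffer.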
References:
- https://www.theregister.com/2025/11/06/cisco_firewall_ongoing_attacks/
- https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB
- https://www.cybersecuritydive.com/news/cisco-firewall-attack-variant-arcanedoor/805116/
- https://www.bleepingcomputer.com/news/security/cisco-actively-exploited-firewall-flaws-now-abused-for-dos-attacks/