- CISA warns of active exploitation of two Cisco vulnerabilities
- Attackers modify the ROM to persist through reboots; activity linked to the state-sponsored group ArcaneDoor
- Agencies must patch, analyze and report the state of their Cisco systems by October 2, 2025
The US Cybersecurity and Infrastructure Security Agency (CISA) is urging government agencies to address two worrying Cisco security vulnerabilities, warning that threat actors are actively exploiting the flaws.
According to Emergency Directive 25-03, published on September 25, 2025, CISA said there was a “widespread” attack campaign targeting Cisco Adaptive Security Appliance (ASA) and Firepower firewall devices.
In the campaign, the attackers modify read-only memory (ROM) to persist through reboots and upgrades. To achieve this persistence, the threat actors exploit two flaws: CVE-2025-20333 (remote code execution) and CVE-2025-20362 (privilege escalation). While the latter has a medium severity score (6.3/10), the former is rated critical, with a score of 9.9/10.
State activity
To make matters worse, Cisco believes the two flaws are being exploited by a group tracked as ArcaneDoor (or Storm-1849 by Microsoft).
The cybersecurity community believes ArcaneDoor is a state-sponsored threat actor, but it is not yet known which state it belongs to.
“Cisco estimates that this campaign is linked to the ArcaneDoor activity identified at the beginning of 2024 and that this threat actor has demonstrated an ability to successfully modify ASA ROM since at least 2024,” said CISA in the report.
Federal agencies must now act quickly to defend their infrastructure or risk being attacked.
This includes taking inventory of all Cisco ASA and Firepower devices, performing forensic analysis using CISA's core dump and hunt instructions, disconnecting compromised or end-of-life devices, and applying updates. After that, agencies are ordered to report their findings and their inventory to CISA by October 2, 2025.
Meanwhile, the two vulnerabilities have been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, giving federal agencies a three-week deadline (until October 16) to fix or stop using the vulnerable products.
CISA did not say who ArcaneDoor targeted, but in general, in addition to government and public sector organizations, Cisco ASA and Firepower systems are widely used by businesses and enterprises, managed security service providers, and education and research organizations.