- Attackers exploit two zero-days in Cisco ASA firewalls for remote access and persistence.
- The campaign uses stealth tactics such as disabling logs and tampering with firmware to evade detection.
- Cisco recommends upgrading to Secure Boot-compatible models and completely resetting compromised devices.
Cisco is warning customers of an ongoing campaign against businesses using some of its services, after recently becoming aware of a “new attack variant.”
In a new report, the company said it observed an ongoing campaign targeting Cisco ASA 5500-X Series and Secure Firewall devices. Attackers are exploiting two critical zero-day vulnerabilities, identified as CVE-2025-20333 and CVE-2025-20362, which could allow them to remotely access, execute arbitrary code, deploy malware, and sometimes even cause denial of service (DoS) reboots on unpatched devices.
The attacks began in May 2025, Cisco explained, emphasizing that the “new variant” is not a separate piece of malware but an updated attack technique, essentially an evolved version of the same activity linked to the 2024 ArcaneDoor threat actor.
Advanced evasion techniques
In these attacks, threat actors exploit VPN web services on older ASA models lacking Secure Boot and Trust Anchor protection, disabling logs and tampering with ROMMON firmware to maintain persistence, even after reboots.
To remain hidden and hinder any forensic investigation, the threat actors used advanced stealth and evasion techniques, Cisco added:
“Attackers were observed to have exploited several zero-day vulnerabilities and used advanced evasion techniques such as disabling logging, intercepting CLI commands, and intentionally blocking devices to prevent diagnostic scanning,” Cisco said.
“The complexity and sophistication of this incident required a broad, multidisciplinary response from Cisco’s engineering and security teams.”
To mitigate the threat, Cisco advises users to identify affected models and firmware, check whether VPN web services are enabled, upgrade to patched versions or disable SSL/TLS-based VPN web services as a temporary measure, and then reset compromised devices to factory default settings before refreshing passwords, certificates, and keys.
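A small triage helper for the first two steps above (identify the model and firmware, check whether VPN web services are enabled), as an added example that is not Cisco's tooling or part of the original report. It assumes the `show version` and `show running-config webvpn` output formats shown in the constructed samples and a hypothetical list of 5500-X model strings; Secure Boot status of a given model must still be confirmed against Cisco's own guidance.

```python
import re

# Constructed sample output (not from a real device) of `show version`
# and `show running-config webvpn` on an ASA; real output varies by release.
SAMPLE_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.12(4)67
Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2400 MHz
"""

SAMPLE_WEBVPN = """\
webvpn
 enable outside
 anyconnect enable
"""

# Hypothetical list of ASA 5500-X hardware strings as they appear on the
# Hardware: line; adjust to your inventory.
ASA_5500X_MODELS = {"ASA5506", "ASA5508", "ASA5512", "ASA5515", "ASA5516",
                    "ASA5525", "ASA5545", "ASA5555", "ASA5585"}


def parse_version(text):
    """Extract software version and hardware model from `show version`."""
    ver = re.search(r"Software Version (\S+)", text)
    hw = re.search(r"Hardware:\s+(ASA\d+)", text)
    return {"version": ver.group(1) if ver else None,
            "model": hw.group(1) if hw else None}


def webvpn_interfaces(text):
    """Return the interfaces on which the VPN web service is enabled."""
    in_block, ifaces = False, []
    for line in text.splitlines():
        if line.startswith("webvpn"):
            in_block = True          # entering the webvpn configuration block
        elif in_block and not line.startswith(" "):
            in_block = False         # unindented line ends the block
        elif in_block:
            m = re.match(r"\s+enable (\S+)", line)
            if m:
                ifaces.append(m.group(1))
    return ifaces


def triage(version_text, webvpn_text):
    """Combine both checks into a prioritisation verdict for one device."""
    info = parse_version(version_text)
    ifaces = webvpn_interfaces(webvpn_text)
    legacy = info["model"] in ASA_5500X_MODELS
    if legacy and ifaces:
        action = "priority: 5500-X with VPN web services exposed; patch or disable, then review"
    elif ifaces:
        action = "patch: VPN web services enabled"
    else:
        action = "lower priority: VPN web services not enabled"
    return {**info, "webvpn_interfaces": ifaces, "legacy_5500x": legacy, "action": action}
```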
Only older, unsupported ASA 5500-X devices have been confirmed compromised, while newer Secure Boot-enabled firewalls appear resilient, Cisco emphasized, urging all customers to upgrade.
Via The Register