- CISA warns of active exploitation of two critical Cisco vulnerabilities
- Attackers modify ROM to persist across reboots; linked to state-sponsored group ArcaneDoor
- Agencies must patch, analyze and report Cisco device status by October 2, 2025
The US Cybersecurity and Infrastructure Security Agency (CISA) is calling on government agencies to address two worrying Cisco security vulnerabilities, warning that threat actors are actively exploiting the flaws.
Under Emergency Directive 25-03, published on September 25, 2025, CISA said there is a “widespread” attack campaign targeting Cisco Adaptive Security Appliances (ASA) and Firepower firewall devices.
In the campaign, attackers modify read-only memory (ROM) to persist across reboots and upgrades. To achieve this persistence, the threat actors exploit two flaws: CVE-2025-20333 (remote code execution) and CVE-2025-20362 (privilege escalation). While the latter has a medium severity rating (6.3/10), the former is considered critical with a 9.9/10 score.
State activity
To make things worse, Cisco believes the two flaws in question are being exploited by a group tracked as ArcaneDoor (or Storm-1849 by Microsoft).
The cybersecurity community believes that ArcaneDoor is a state-sponsored threat actor, but it is still unknown which state it belongs to.
“Cisco estimates that this campaign is associated with the ArcaneDoor activity identified in early 2024 and that this threat actor has shown a capacity to successfully change ASA ROM at least as early as 2024,” CISA said in the report.
Now federal agencies must act quickly and defend their infrastructure or risk being attacked.
That includes taking inventory of all Cisco ASA and Firepower devices, running forensic analysis using CISA’s core dump and hunt instructions, disconnecting compromised or end-of-life devices, and applying updates. Agencies are then required to report their findings and inventory back to CISA by October 2, 2025.
Meanwhile, both vulnerabilities were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, giving federal agencies a three-week deadline (until October 16) to patch or stop using the vulnerable tools completely.
CISA did not mention who ArcaneDoor is targeting, but in general, Cisco’s ASA and Firepower devices are generally, besides having managed security service providers and educational companies.



