- Attackers exploit two zero-days in Cisco ASA firewalls for remote access and persistence
- The campaign uses stealth tactics such as log-disabling and firmware manipulation to avoid detection
- Cisco encourages upgrades to Secure Boot-enabled models and hard resets of compromised devices
Cisco is warning customers about an ongoing campaign against companies using some of its services, after recently learning of a “new attack variant”.
In a new report, the company said it observed an ongoing campaign targeting Cisco ASA 5500-X Series and Secure Firewall devices. The attackers are exploiting two critical zero-day vulnerabilities, tracked as CVE-2025-20333 and CVE-2025-20362, which could allow them to gain remote access, execute arbitrary code, deploy malware, and sometimes even cause Denial of Service (DoS) reboots on unpatched devices.
The attacks began in May 2025, Cisco explained, stressing that the “new variant” is not a separate piece of malware, but rather an updated attack technique — essentially an evolved version of the same activity linked to the 2024 ArcaneDoor threat actor.
Advanced evasion techniques
In these attacks, the threat actors exploit VPN web services on older ASA models that lack Secure Boot and Trust Anchor protections, disable logs, and manipulate the ROMMON firmware to maintain persistence even after reboots.
To remain hidden and hinder any forensic investigation, the threat actors used stealth and advanced evasion techniques, Cisco added:
“Attackers were observed to have exploited multiple zero-day vulnerabilities and used advanced evasion techniques such as disabling logging, intercepting CLI commands, and deliberately degrading devices to prevent diagnostic analysis,” Cisco said.
“The complexity and sophistication of this incident required a comprehensive, multidisciplinary response across Cisco’s engineering and security teams.”
To mitigate the threat, Cisco advises users to identify affected models and firmware, check whether VPN web services are enabled, upgrade to patched versions or disable SSL/TLS-based VPN web services as a temporary measure, and then reset compromised devices to factory settings before updating passwords, certificates, and keys.
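A small audit script for the first two steps above, added here as an example and not Cisco's own tooling: it assumes the device's "show version" and "show running-config" output follow the usual ASA layout, where "enable <interface>" under the "webvpn" block turns on the SSL VPN web portal on that interface and "logging enable" turns on system logging; the sample output is constructed.

```python
import re

# Constructed sample output shaped like ASA "show version" and
# "show running-config"; it was not captured from a real device.
SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.12(4)
Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2393 MHz
"""
RUNNING_CONFIG = """\
hostname edge-fw
interface GigabitEthernet0/0
 nameif outside
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
logging enable
"""

# ASA 5500-X platforms (the family the article names as confirmed
# compromised), as they appear in the "Hardware:" line of show version.
LEGACY_5500X = {"ASA5506", "ASA5508", "ASA5512", "ASA5515", "ASA5516",
                "ASA5525", "ASA5545", "ASA5555", "ASA5585"}

def platform(show_version):
    """Extract the platform name (e.g. ASA5525) from show version output."""
    m = re.search(r"^Hardware:\s+(ASA\d{4})", show_version, re.M)
    return m.group(1) if m else None

def webvpn_interfaces(config):
    """Interfaces with the SSL VPN web portal enabled ('enable <if>' under webvpn)."""
    enabled, in_webvpn = [], False
    for line in config.splitlines():
        if not line.startswith(" "):     # ASA indents sub-commands by one space
            in_webvpn = line.strip() == "webvpn"
            continue
        m = re.match(r"\s+enable\s+(\S+)$", line)
        if in_webvpn and m:              # 'no enable outside' does not match
            enabled.append(m.group(1))
    return enabled

def audit(show_version, config):
    """Flag legacy 5500-X hardware with VPN web services on; also report logging."""
    model = platform(show_version)
    ifaces = webvpn_interfaces(config)
    return {
        "model": model,
        "legacy_5500x": model in LEGACY_5500X,
        "webvpn_interfaces": ifaces,
        "logging_enabled": "logging enable" in config.splitlines(),
        "exposed": model in LEGACY_5500X and bool(ifaces),
    }
```

Devices the script reports as exposed are candidates for the patch-or-disable step; a factory reset and credential rotation still apply to any device already suspected compromised.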
Only older, unsupported ASA 5500-X devices have been confirmed compromised, while newer Secure Boot-enabled firewalls appear resistant, Cisco emphasized, urging all customers to upgrade.
Via The Register