Cisco has confirmed two actively exploited zero-day vulnerabilities in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) platforms. One flaw (CVE-2025-20333, CVSS 9.9) allows remote code execution, while the other (CVE-2025-20362, CVSS 6.5) enables unauthenticated access to restricted URLs. Together, these issues provide attackers with a pathway from authentication bypass to full device compromise.
Cisco has published an event response to the continued attacks which includes detailed recommended actions. Additionally, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) responded with Emergency Directive 25-03, giving federal agencies just 24 hours to identify and mitigate affected devices. The urgency reflects the severity: these vulnerabilities strike at the gateways to enterprise and government networks.
What’s at Risk
Cisco’s ASA and FTD appliances often serve as the first line of defense with handling VPN access, firewall rules, and traffic inspection. Compromise at this layer allows adversaries to:
- Deploy custom malware and webshells.
- Escalate privileges to root and persist across reboots by tampering with read-only memory (ROM).
- Intercept or manipulate traffic flowing into the network.
Threat intelligence links this activity to ArcaneDoor, a sophisticated campaign previously observed targeting perimeter infrastructure. Recent reports confirm attackers chaining vulnerabilities, disabling logging, and even corrupting diagnostics to evade detection.
Penetration testing and Vulnerability Management services can help organizations proactively search for indicators of compromise (IoCs) within ASA/FTD appliances and ensure persistence mechanisms like ROM tampering are identified quickly.
Scale of Exposure
Despite repeated warnings, more than 48,000 internet-facing ASA/FTD instances remain unpatched, according to Shadowserver scans. The majority are located in the U.S., followed by the U.K., Japan, Germany, and Canada.
The delay in patching exposes organizations to real-time scanning campaigns already observed by the threat intel community. In many cases, scans preceded Cisco’s public disclosure, indicating adversaries had early knowledge of these flaws.
Required Actions & Mitigations
Cisco continues to release updates and detailed guidance. For organizations unable to patch immediately, temporary mitigations include restricting VPN web interface exposure and monitoring for crafted HTTP requests or suspicious logins.
Focus on these immediate steps:
- Patch & Harden: Apply Cisco’s fixes where available; otherwise, restrict HTTP(S) access to the VPN component. Ensure devices are properly managed and hardened through a configuration audit.
- Firmware Integrity: Verify ROM and firmware integrity, leveraging Secure Boot if supported.
- Network Monitoring: Deploy anomaly detection and behavioral monitoring on VPN traffic. Managed SIEM with User Entity and Behavior Analytics (UEBA) can detect abnormal logins, unusual session activity, and persistence attempts in real-time on edge devices.
- Credential Security: Replace local passwords, certificates, and keys on potentially impacted devices. A comprehensive risk assessment evaluates identity and access management controls against best practice frameworks like NIST and CIS.
Why This Matters
Zero-days in perimeter appliances are uniquely dangerous: they sit in trusted positions, often unmonitored, and provide attackers with deep footholds when compromised. For SMBs and enterprises alike, compromise of a firewall or VPN gateway can mean attackers control the gate into your environment.
As one analyst noted, “When a firewall is compromised at root level, defending becomes almost impossibly reactive. The best time to act is before compromise.”
Conclusion
The Cisco ASA and FTD vulnerabilities highlight a critical reality: perimeter devices are some of the most attractive targets for threat actors. A single exploited flaw in a firewall or VPN gateway can provide attackers with direct access to internal networks, persistence mechanisms, and even the ability to wipe forensic evidence.
Organizations cannot treat these devices as “set-and-forget” infrastructure. They demand continuous attention by patching on short timelines, hardening configurations, and validating controls against real-world attacks.