There is an ongoing, widespread attack campaign that is exploiting two zero days in some of Cisco’s Adaptive Security Appliance (ASA) products to gain remote code execution and modify the ROM on the devices. Cisco’s Talos threat intelligence team said this campaign is the work of an actor it tracks as UAT4356, an APT team that has previously targeted ASA devices in similar campaigns. 

The attacks are exploiting CVE-2025-20333 and CVE-2025-20362, both of which are present in various versions of the ASA software. The former vulnerability is a critical remote code execution bug that’s in the VPN web server component of ASA and the Cisco Secure Firewall Threat Detection software. The latter bug is a privilege escalation vulnerability that Cisco rates a medium risk. 

Cisco released advisories for both vulnerabilities on Sept 25 and has provided fixed versions of the affected software. The company said it was confident that these attacks were related to the previous activity by UAT4356, which it referred to as ArcaneDoor. Cisco became aware of the current exploit attempts in May, when several government agencies alerted the company to attacks that were targeting the ASA devices to install sophisticated malware. 

“Attackers were observed to have exploited multiple zero-day vulnerabilities and employed advanced evasion techniques such as disabling logging, intercepting CLI commands, and intentionally crashing devices to prevent diagnostic analysis. The complexity and sophistication of this incident required an extensive, multi-disciplinary response across Cisco’s engineering and security teams,” Cisco said.

“During our forensic analysis of confirmed compromised devices, in some cases, Cisco has observed the threat actor modifying ROMMON to allow for persistence across reboots and software upgrades.”

On Thursday, CISA released an Emergency Directive that directs all federal civilian agencies to take immediate action to assess the vulnerability of any ASA appliances on their network and take remedial action or disconnect any devices that can’t be patched. 

Exploit activity

The exploitation activity that’s been seen so far involves the attackers modifying the compromised device’s ROM in order to maintain persistence, even after a reboot.

“CISA is aware of an ongoing exploitation campaign by an advanced threat actor targeting Cisco Adaptive Security Appliances (ASA). The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. This activity presents a significant risk to victim networks,” the CISA directive says.

“Cisco assesses that this campaign is connected to the ArcaneDoor activity identified in early 2024 and that this threat actor has demonstrated a capability to successfully modify ASA ROM at least as early as 2024. These zero-day vulnerabilities in the Cisco ASA platform are also present in specific versions of Cisco Firepower. Firepower appliances' Secure Boot would detect the identified manipulation of the ROM.”

The ROM modifications were only seen on Cisco ASA 5500-X Series platforms that were released before the Secure Boot and Trust Anchor technologies were available.

The team at GreyNoise has released a new intelligence report on a surge in scanning for Cisco ASA appliances before the disclosure of the two zero-day vulnerabilities. This is a clear indication that attackers knew about the bugs before they were publicly disclosed.

Note: Cisco and Duo are no longer affiliated with Decipher. All opinions and content provided here from April 11 are solely that of Decipher and do not reflect opinions or content of Cisco Systems, Inc. or any of its affiliates.