Active Exploitation of Cisco ASA Zero Days

September 2025 Zero-Day Vulnerabilities Affecting Cisco Software

Cisco has reported that a sophisticated state-sponsored threat actor is actively exploiting multiple zero-day vulnerabilities in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. Cisco identifies this as the same threat actor from a previous campaign they named ArcaneDoor.

This threat actor primarily targets government networks worldwide for data exfiltration. Cisco observed attackers exploiting these newly identified zero-day vulnerabilities while employing advanced evasion techniques to prevent logging and identification of this activity.

The trend of suspected nation-state adversaries exploiting zero-day vulnerabilities in internet-facing devices continues. Also known as edge devices, these internet-facing appliances act as the security perimeter between an organization’s internal network and the public internet. This includes firewalls, VPN gateways, routers and load balancers. Compromising these devices provides a direct and often stealthy entry point into a network.

Details of the Vulnerabilities

Cisco published advisories for three critical vulnerabilities in ASA and FTD. Two of these, CVE-2025-20333 and CVE-2025-20362, are currently under active exploitation by adversaries in the wild. Cisco identified a third vulnerability, CVE-2025-20363, as being at high risk for imminent exploitation. These vulnerabilities allow attackers to execute arbitrary code, exfiltrate data and implant persistent malware to maintain access even after a device is rebooted.

| CVE Number | Description | CVSS | Severity |
|---|---|---|---|
| CVE-2025-20333 | A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote attacker to execute arbitrary code on an affected device. | 9.9 | Critical |
| CVE-2025-20362 | A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to access restricted URL endpoints related to remote access VPN that should otherwise be inaccessible without authentication. | 6.7 | Medium |
| CVE-2025-20363 | A vulnerability in the web services of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software, Cisco IOS Software, Cisco IOS XE Software and Cisco IOS XR Software could allow an unauthenticated, remote attacker (Cisco ASA and FTD Software) or an authenticated, remote attacker with low user privileges (Cisco IOS, IOS XE and IOS XR Software) to execute arbitrary code on an affected device. | 9.0 | Critical |

As of Sep. 25, 2025, Cisco has released software updates to address all three vulnerabilities. It urges organizations to prioritize the immediate upgrade of all affected systems to the latest available software versions to mitigate the threat and prevent compromise.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive (ED) 25-03, mandating immediate mitigation for federal agencies due to the significant risk posed by this campaign. The vulnerabilities affect critical perimeter network devices, posing a substantial risk to both public and private sector organizations.

The U.K.’s National Cyber Security Centre (NCSC) published a malware analysis report [PDF] on the RayInitiator and LINE VIPER malware families used in attacks exploiting these zero-day vulnerabilities. According to that analysis, RayInitiator is a multi-stage Grand Unified Bootloader (GRUB) bootkit that survives reboots and firmware upgrades. It is deployed to Cisco ASA 5500-X series devices that lack secure boot, where it loads the LINE VIPER shellcode loader into memory. LINE VIPER then receives command-and-control instructions either over WebVPN client authentication sessions on HTTPS or via ICMP, with responses returned over raw TCP.

Lifecycle of Zero-Day Vulnerabilities

Adversaries, particularly nation-state actors, are dedicating significant resources to discovering and exploiting zero-day vulnerabilities in edge devices. Since these flaws are previously unknown, they provide attackers a critical window of opportunity before a vendor can release a patch. Once a zero-day is weaponized, attackers can use the exploit against a wide range of organizations using the same vulnerable product.

Additionally, after a nation-state actor successfully uses a zero-day exploit, the knowledge of that vulnerability and the methods for exploitation inevitably become less exclusive over time. This leads to a secondary, and often more widespread, phase of exploitation.

Other threat actors may reverse-engineer the original sophisticated exploit, or a public advisory and patch release from a vendor might reveal the underlying vulnerability. This disclosure acts as a blueprint for cybercriminal groups and opportunistic hackers.

These adversaries then develop their own proof-of-concept (PoC) code, which is often simpler and less stealthy than the nation-state’s original exploit, but still highly effective against unpatched systems. This PoC code is rapidly weaponized and sold on dark web forums or integrated into exploit kits, making the once-exclusive capability of a nation-state accessible to a much broader range of financially motivated attackers.

This phenomenon creates a “patch-or-perish” scenario, where organizations that fail to apply vendor patches promptly are left highly vulnerable to a new wave of mass-scale, opportunistic attacks.

Conclusion

Palo Alto Networks recommends patching immediately. Cisco also provides temporary mitigation guidance for devices that are vulnerable but cannot yet be updated. Those temporary mitigations carry their own risks and operational impact, since they include steps such as disabling SSL/TLS-based VPN web services.

Palo Alto Networks recommends reviewing the following advisories for further information about the campaign and detecting this activity.

The Appendix to this article provides two hunting queries for our Cortex XDR and XSIAM customers to identify when logging is disabled or disrupted from Cisco ASA devices.

If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
  • UK: +44.20.3743.3660
  • Europe and Middle East: +31.20.299.3130
  • Asia: +65.6983.8730
  • Japan: +81.50.1790.0200
  • Australia: +61.2.4062.7950
  • India: 000 800 050 45107

Additional Resources

Appendix

Unit 42 developed the following two hunting queries for our Cortex XDR customers to identify when logging is disabled or disrupted from Cisco ASA devices.

This query graphs all log types from Cisco ASA devices:

This query graphs debug and info logging from Cisco ASA devices (Note: debug and info logs require manual configuration):
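The two Cortex XDR/XSIAM queries described above are not reproduced on this page. As an added illustration of the same detection idea, the following Python script (written for this page, not Unit 42's or Cisco's own code) parses Cisco ASA syslog lines, counts messages per device in fixed time windows, and flags three conditions: a device whose feed goes silent while others keep logging, a device whose informational/debug (severity 6 and 7) messages stop while lower-severity messages continue, and an ASA command-audit message (IDs 111008/111010) recording a command that disables or lowers syslog output. The log lines, host names, IP addresses, the five-minute window and the command pattern are constructed assumptions for this example, not indicators from the campaign.

```python
"""Flag Cisco ASA devices whose syslog output stops or is reduced.

Added example, not from the original post. Assumes syslog text of the form
'<ISO timestamp> <host> %ASA-<severity>-<message id>: <text>'. Sample lines,
hosts, addresses and thresholds are constructed for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Standard ASA syslog header, e.g. "%ASA-6-302013: Built inbound TCP connection ..."
ASA_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$"
)
# ASA message IDs that audit an executed CLI command (111008, 111010)
COMMAND_AUDIT_IDS = {"111008", "111010"}
# Hypothetical heuristic: commands that switch logging off or drop the trap/buffer
# level below notifications, which silences informational and debug messages
LOGGING_DISABLE_RE = re.compile(
    r"\bno logging\b|\blogging (?:trap|buffered) "
    r"(?:[0-4]|emergencies|alerts|critical|errors|warnings)\b"
)
EPOCH = datetime(1970, 1, 1)


def parse_line(line):
    """Return a dict for one ASA syslog line, or None if it does not match."""
    m = ASA_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "host": m.group("host"),
        "sev": int(m.group("sev")),
        "msgid": m.group("msgid"),
        "text": m.group("text"),
    }


def bucket_of(ts, window):
    """Index of the fixed window containing ts (timedelta // timedelta -> int)."""
    return (ts - EPOCH) // window


def bucket_start(index, window):
    return EPOCH + index * window


def find_logging_disruptions(lines, window=timedelta(minutes=5)):
    """Return sorted (host, window_start, kind) findings over the given log lines."""
    events = [ev for ev in (parse_line(line) for line in lines) if ev]
    if not events:
        return []
    # host -> bucket index -> [all messages, severity 6-7 messages]
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    findings = []
    for ev in events:
        b = bucket_of(ev["ts"], window)
        counts[ev["host"]][b][0] += 1
        if ev["sev"] >= 6:
            counts[ev["host"]][b][1] += 1
        if ev["msgid"] in COMMAND_AUDIT_IDS and LOGGING_DISABLE_RE.search(ev["text"]):
            findings.append((ev["host"], bucket_start(b, window), "logging_disabled_by_command"))
    # Use the fleet-wide time range so a device that goes quiet while its peers
    # keep logging is reported for every silent window.
    first = min(bucket_of(ev["ts"], window) for ev in events)
    last = max(bucket_of(ev["ts"], window) for ev in events)
    for host, per_bucket in counts.items():
        prev_info = None
        for b in range(first, last + 1):
            total, info = per_bucket.get(b, [0, 0])
            if total == 0:
                findings.append((host, bucket_start(b, window), "no_logs"))
            elif info == 0 and prev_info:
                findings.append((host, bucket_start(b, window), "info_debug_stopped"))
            prev_info = info
    findings.sort()
    return findings


# Constructed sample: asa-edge-1 has its trap level switched off at 10:10 and then
# goes silent; asa-edge-2 keeps logging normally throughout.
SAMPLE_LOGS = """\
2025-09-25T10:00:05 asa-edge-1 %ASA-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.5/51234 (203.0.113.5/51234) to inside:10.0.0.10/443 (10.0.0.10/443)
2025-09-25T10:00:07 asa-edge-2 %ASA-6-302013: Built inbound TCP connection 2001 for outside:198.51.100.9/40001 (198.51.100.9/40001) to inside:10.0.1.10/443 (10.0.1.10/443)
2025-09-25T10:01:12 asa-edge-1 %ASA-7-609001: Built local-host outside:203.0.113.5
2025-09-25T10:05:30 asa-edge-1 %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/51234 to inside:10.0.0.10/443 duration 0:05:25 bytes 8123 TCP FINs
2025-09-25T10:05:31 asa-edge-2 %ASA-6-302014: Teardown TCP connection 2001 for outside:198.51.100.9/40001 to inside:10.0.1.10/443 duration 0:05:24 bytes 5120 TCP FINs
2025-09-25T10:10:02 asa-edge-1 %ASA-5-111010: User 'admin', running 'CLI' from IP 192.0.2.44, executed 'no logging trap'
2025-09-25T10:10:03 asa-edge-2 %ASA-6-302013: Built inbound TCP connection 2002 for outside:198.51.100.9/40002 (198.51.100.9/40002) to inside:10.0.1.10/443 (10.0.1.10/443)
2025-09-25T10:10:40 asa-edge-1 %ASA-4-106023: Deny tcp src outside:203.0.113.77/4444 dst inside:10.0.0.10/22 by access-group "outside_in"
2025-09-25T10:15:10 asa-edge-2 %ASA-6-302013: Built inbound TCP connection 2003 for outside:198.51.100.9/40003 (198.51.100.9/40003) to inside:10.0.1.10/443 (10.0.1.10/443)
"""

if __name__ == "__main__":
    for host, start, kind in find_logging_disruptions(SAMPLE_LOGS.splitlines()):
        print(f"{start:%Y-%m-%d %H:%M} {host}: {kind}")
```

On the sample the script reports only asa-edge-1: informational/debug messages stop in the 10:10 window, the same window carries the audited `no logging trap` command, and the 10:15 window has no messages at all while asa-edge-2 is still logging. Comparing each device against the fleet-wide time range, rather than its own last message, is what makes a silenced device visible; a single-device view would simply end early.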
