Cisco urges customers to patch two security flaws that affect the VPN web servers of the Cisco Secure Firewall Adaptive Security Appliance (ASA) software and Cisco Secure Firewall Threat Defense (FTD) software.
The zero-day vulnerabilities in question are listed below –
CVE-2025-20333 (CVSS score: 9.9) – Inappropriate validation of user-supported input on HTTP requires a vulnerability that allows an authenticated remote attacker with valid VPN user credentials to execute arbitrary code as root as root by requesting cve-2025-20362 for CVE-2025-20362. Inappropriate validation of user-supported input over HTTP requests a vulnerability that allows an uncreated remote attacker to send created HTTP requests to access restricted URL endpoints without authentication.
Cisco said it recognizes “attempts to exploit both vulnerabilities, but did not reveal who is behind it or how widespread the attacks are. Two vulnerabilities are suspected to be chained to bypass authentication and run malicious code on sensitive appliances.
They also evaluated the Australian Signals Bureau, the Australian Cybersecurity Centre (ACSC), the Canada Cybersecurity Centre, the UK National Cybersecurity Centre (NCSC), and the US Cybersecurity and Infrastructure Security Agency (CISA) as supporting the investigation.
CISA issues emergency directive ED 25-03
In another alert, CISA said it is issuing emergency directives urging federal agencies to immediately and effectively identify, analyze and mitigate potential compromises. Additionally, both vulnerabilities have been added to the Known Exploited Vulnerabilities (KEV) catalog and are given to agents 24 hours a day to apply the necessary mitigations.
“CISA recognizes the ongoing exploitation campaigns by advanced threat actors targeting Cisco Adaptive Security Appliances (ASAs),” the agency said.
“This campaign is widely popular and leverages zero-day vulnerabilities to acquire remote code execution that is not certified on the ASA, and manipulates read-only memory (ROM) to maintain reboots and system upgrades. This activity poses a significant risk to the victim network.”
Agents have also previously identified as providing malware families such as Line Runner and Line Dancer, as activities are linked to threat clusters called Arcanedoors and have previously been identified as target peripheral network devices from several vendors, including Cisco. This activity was attributed to a threat actor called UAT4356 (aka Storm-1849).
“This threat actor demonstrates his ability to successfully change ASA ROMs, at least as early as 2024,” CISA added. “These zero-day vulnerabilities in the Cisco ASA platform also exist in certain versions of Cisco Firepower. The safe boots of firepower detect the identified operations of the ROM.”
Source link
