Firewall on Fire: Cisco ASA Zero-Days Ignite Global Security Emergency
A pair of critical vulnerabilities in Cisco’s firewall software has triggered urgent action worldwide, exposing networks to stealthy cyberattacks.
Fast Facts
- Two zero-day flaws in Cisco ASA and FTD firewall software are being actively exploited.
- CISA issued an emergency directive, giving federal agencies 24 hours to apply fixes.
- The vulnerabilities allow attackers to bypass authentication and run code as ‘root’ - the device’s highest privilege.
- Exploitation is attributed to the actor Cisco Talos tracks as UAT4356 (Microsoft: Storm-1849), the group behind the ArcaneDoor campaign first disclosed in 2024.
- Global cyber agencies from the US, UK, Australia, and Canada are involved in the response.
The Digital Drawbridge Breached
Picture the front gate of a fortress - once thought impenetrable - quietly swung wide open by a silent hand in the night. That’s the reality facing organizations worldwide after the discovery of two zero-day vulnerabilities in Cisco’s widely used firewall systems. These flaws, buried deep in the software that guards the digital perimeters of banks, governments, and corporations, are now being exploited in real-world attacks, forcing cybersecurity authorities into high alert.
Inside the Attack: What’s at Stake?
The vulnerabilities, tracked as CVE-2025-20333 and CVE-2025-20362, sit in the VPN web server of Cisco’s Secure Firewall Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. CVE-2025-20333 is a buffer overflow: an attacker holding valid VPN user credentials can send a specially crafted HTTP request and execute arbitrary code as root, the device’s highest privilege. CVE-2025-20362 is a missing-authorization flaw that lets an attacker with no credentials at all reach restricted URL endpoints on the same web server. Chained together, the two remove the credential requirement, which is why the pair is being treated as an unauthenticated path to root. This is akin to a burglar not only picking the lock but gaining the master key to every room.
Even more alarming, the US Cybersecurity and Infrastructure Security Agency (CISA) reports that on older ASA 5500-X models, which lack Cisco’s Secure Boot and Trust Anchor protections, the attackers modified the ROM Monitor (ROMMON) bootloader firmware. A foothold planted there survives a reboot and even a software upgrade, a rare and dangerous feat that means patching alone does not evict the intruder from those devices. The campaign is attributed to the actor tracked as UAT4356 (Storm-1849), whose earlier ArcaneDoor operation targeted perimeter network devices worldwide.
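The point above changes how a responder works a fleet: a device on legacy 5500-X hardware goes first, because upgrading it does not clear an implanted ROMMON, and only then do unpatched devices follow. As an added example (not code from the article, CISA or Cisco), the Python helper below parses the output of the ASA `show version` command and orders devices that way. The legacy-model list and the fixed-release map are assumptions for illustration and must be checked against Cisco’s advisory before use; the sample `show version` excerpts are constructed.

```python
import re

# Added triage helper, not from the article, CISA or Cisco.
# Assumption: these ASA 5500-X models ship without Secure Boot / Trust Anchor, so a
# modified ROMMON persists across reboots and upgrades. Verify against Cisco's advisory.
LEGACY_MODELS = ("ASA5512", "ASA5515", "ASA5525", "ASA5545", "ASA5555", "ASA5585")

# Hypothetical fixed-release map keyed by (major, minor) train; real values come from Cisco.
EXAMPLE_FIXED_RELEASES = {
    (9, 16): "9.16(4)85",
    (9, 18): "9.18(4)57",
}

VERSION_RE = re.compile(r"Adaptive Security Appliance Software Version\s+(\S+)")
HARDWARE_RE = re.compile(r"^Hardware:\s+([A-Za-z0-9-]+)", re.MULTILINE)


def version_tuple(version):
    """Turn '9.16(4)67' or '9.16.4.67' into (9, 16, 4, 67) so releases compare numerically."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def triage(show_version, fixed_releases=EXAMPLE_FIXED_RELEASES):
    """Classify one device from its 'show version' text."""
    vm = VERSION_RE.search(show_version)
    hm = HARDWARE_RE.search(show_version)
    if vm is None or hm is None:
        raise ValueError("version or hardware line not found in show version output")
    version, model = vm.group(1), hm.group(1)
    running = version_tuple(version)
    fixed = fixed_releases.get(running[:2])           # look up the device's release train
    patched = None if fixed is None else running >= version_tuple(fixed)
    legacy = model.startswith(LEGACY_MODELS)

    if legacy:
        action = ("collect core dump, then retire or disconnect: a software upgrade "
                  "cannot clear a modified ROMMON on hardware without Secure Boot")
    elif patched is None:
        action = "release train not in fixed-release map: check Cisco advisory"
    elif patched:
        action = "on a fixed release: still collect a core dump and hunt for prior compromise"
    else:
        action = "collect core dump, then upgrade to %s" % fixed
    return {"model": model, "version": version, "legacy": legacy,
            "patched": patched, "action": action}


def prioritize(fleet, fixed_releases=EXAMPLE_FIXED_RELEASES):
    """Order hostnames: legacy hardware first, then unpatched or unknown, then patched."""
    results = {host: triage(text, fixed_releases) for host, text in fleet.items()}

    def rank(host):
        r = results[host]
        return (0 if r["legacy"] else 1, 0 if r["patched"] is not True else 1, host)

    return [(host, results[host]) for host in sorted(results, key=rank)]


# Constructed 'show version' excerpts, trimmed to the lines the parser uses.
SAMPLE_FLEET = {
    "fw-branch-01": (
        "Cisco Adaptive Security Appliance Software Version 9.16(4)67\n"
        "Hardware:   ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores)\n"
    ),
    "fw-dc-01": (
        "Cisco Adaptive Security Appliance Software Version 9.18(4)57\n"
        "Hardware:   FPR-1120, 8192 MB RAM, CPU Atom C3000 series 2200 MHz, 1 CPU (4 cores)\n"
    ),
    "fw-dc-02": (
        "Cisco Adaptive Security Appliance Software Version 9.18(4)40\n"
        "Hardware:   FPR-2130, 7680 MB RAM, CPU Atom C3000 series 2200 MHz, 1 CPU (8 cores)\n"
    ),
}

if __name__ == "__main__":
    for host, r in prioritize(SAMPLE_FLEET):
        print(host, r["model"], r["version"], "->", r["action"])
```

Two design choices matter here. Versions are compared as integer tuples rather than strings, because `9.16(4)67` sorts after `9.16(4)100` lexically but before it numerically. And a device whose train is absent from the map is reported as unknown rather than silently treated as safe, so a gap in the table shows up in the output instead of hiding a vulnerable firewall.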
Global Response and the Shadow of Past Breaches
In response, CISA has issued Emergency Directive ED 25-03, mandating immediate action by federal agencies: inventory every ASA and FTD device, collect memory core dumps for forensic analysis before touching them, upgrade to fixed releases, and disconnect devices that have reached end of support. Both vulnerabilities have been added to the Known Exploited Vulnerabilities (KEV) catalog, a move reserved for the most urgent threats. The international effort, involving cybersecurity agencies from Australia, Canada, and the UK, underscores the scale and seriousness of the incident.
This isn’t the first time Cisco’s firewalls have been in the crosshairs. In 2024, Cisco disclosed the original ArcaneDoor campaign, in which a state-sponsored actor exploited an earlier pair of zero-day flaws in the same ASA and FTD software to breach government and enterprise networks. The persistence of these attacks highlights the ongoing arms race between defenders and adversaries - and the high stakes for organizations relying on these digital gatekeepers.
Experts warn that such vulnerabilities are prized by both criminal and nation-state actors, who see them as golden tickets into otherwise well-defended networks. The potential for espionage, data theft, and even sabotage is real, especially when attackers can maintain access undetected for months.
WIKICROOK
- Zero-day: A zero-day vulnerability is a security flaw unknown to the software maker, with no fix available, making it highly valuable and dangerous in the hands of attackers.
- Firewall: A firewall is a digital barrier that monitors and controls network traffic to protect internal systems from unauthorized access and cyber threats.
- Remote Code Execution: Remote code execution lets attackers run commands on your computer from a distance, often leading to full system compromise and data theft.
- Authentication Bypass: Authentication bypass is a vulnerability that lets attackers skip or trick the login process, gaining access to systems without valid credentials.
- ROMMON: The ROM Monitor is the low-level bootloader firmware on Cisco ASA hardware that runs before the operating system loads; on models without Secure Boot, a modified ROMMON is not checked at startup and survives reboots and software upgrades.