{"uuid": "0878ff81-bcad-48b4-b1e5-06b610a5939d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "name": "Cisco AnyConnect/ASA - vulnerabilities", "description": "# Cisco Event Response: Continued Attacks Against Cisco Firewalls \n**Version 1: September 25, 2025**\n\nSummary\n-------\n\nIn May 2025, Cisco was engaged by multiple government agencies that provide incident response services to government organizations to support the investigation of attacks that were targeting certain Cisco Adaptive Security Appliance (ASA) 5500-X Series devices that were running Cisco Secure Firewall ASA Software with VPN web services enabled to implant malware, execute commands, and potentially exfiltrate data from the compromised devices.\n\nCisco dedicated a specialized, full-time team to this investigation, working closely with a limited set of affected customers. Our response involved providing instrumented images with enhanced detection capabilities, assisting customers with the analysis of packet captures from compromised environments, and conducting in-depth analysis of firmware extracted from infected devices. These collaborative and technical efforts enabled our teams to ultimately identify the underlying memory corruption bug in the product software.\n\nAttackers were observed to have exploited multiple zero-day vulnerabilities and employed advanced evasion techniques such as disabling logging, intercepting CLI commands, and intentionally crashing devices to prevent diagnostic analysis. 
The complexity and sophistication of this incident required an extensive, multi-disciplinary response across Cisco's engineering and security teams.\n\nCisco assesses with high confidence that this new activity is related to the same threat actor as the ArcaneDoor attack campaign that Cisco [reported](https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response) in early 2024.\n\nWhile the vulnerable software is supported across other hardware platforms with different underlying architectures as well as in devices that are running Cisco Secure Firewall Threat Defense (FTD) Software, Cisco has no evidence that these platforms have been successfully compromised.\n\nCisco strongly recommends that customers follow the guidance provided to determine exposure and courses of action.\n\nPersistence Capability\n----------------------\n\nDuring our forensic analysis of confirmed compromised devices, in some cases, Cisco has observed the threat actor modifying ROMMON to allow for persistence across reboots and software upgrades.\n\nThese modifications have been observed only on Cisco ASA 5500-X Series platforms that were released prior to the development of Secure Boot and Trust Anchor technologies; no CVE will be assigned to the lack of Secure Boot and Trust Anchor technology support on these platforms. 
Cisco has not observed successful compromise, malware implantation, or the existence of a persistence mechanism on platforms that support Secure Boot and Trust Anchors.\n\nAffected Cisco ASA 5500-X Series Models\n---------------------------------------\n\nThe following Cisco ASA 5500-X Series models that are running Cisco ASA Software releases 9.12 or 9.14 with VPN web services enabled, which do not support Secure Boot and Trust Anchor technologies, have been observed to be successfully compromised in this campaign:\n\n*   5512-X and 5515-X \u2013 Last Date of Support: August 31, 2022\n*   5525-X, 5545-X, and 5555-X \u2013 Last Date of Support: September 30, 2025\n*   5585-X \u2013 Last Date of Support: May 31, 2023\n\nThe following Cisco ASA 5500-X Series models, as well as all Cisco Firepower and Cisco Secure Firewall models, support Secure Boot and Trust Anchors:\n\n*   5505-X, 5506H-X, 5506W-X, 5508-X, and 5516-X \u2013 Last Date of Support: August 31, 2026\n\nNo successful exploitation of these vulnerabilities and no modifications of ROMMON have been observed on these models. 
They are included here due to the impending end of support.\n\nRecommended Actions\n-------------------\n\n**Step 1: Determine Device Model and Software Release**\n\nRefer to the tables provided below in the **Fixed Releases** section of this page to determine if the software that is running on your device is affected by these vulnerabilities.\n\nIf you are running vulnerable software, proceed to Step 2.\n\n**Step 2: Assess the Device Configuration**\n\nUse the guidance provided in the security advisories listed in the **Details** section of this page to determine whether VPN web services are enabled on your device.\n\nIf VPN web services are enabled on your device, proceed to Step 3.\n\n**Step 3: Remediate the Vulnerabilities**\n\n_Option 1: Upgrade (recommended, long-term solution)_\n\nCisco strongly recommends that customers upgrade to a fixed release to resolve the vulnerabilities and prevent subsequent exploitation.\n\nIf the device is vulnerable but cannot be upgraded due to end of life or support status, Cisco strongly recommends that the device be migrated to supported hardware and software.\n\n_Option 2: Mitigate (temporary solution only)_\n\nThe risk can also be mitigated by disabling all SSL/TLS-based VPN web services. 
This includes disabling IKEv2 client services that facilitate the update of client endpoint software and profiles as well as disabling all SSL VPN services.\n\n> **Disable IKEv2 Client Services**\n> \n> Disable IKEv2 client services by re-entering the **crypto ikev2 enable <_interface\\_name_>** command, without the client-services keywords, in global configuration mode for every interface on which IKEv2 client services are enabled, as shown in the following example:\n> \n> ```\n> firewall# show running-config crypto ikev2 | include client-services\n>  crypto ikev2 enable outside client-services port 443\n> firewall# conf t\n> firewall(config)# crypto ikev2 enable outside\n> INFO: Client services disabled\n> firewall(config)#\n> ```\n> \n> **Note:** Disabling IKEv2 client services will prevent VPN clients from receiving VPN client software and profile updates from the device, but IKEv2 IPsec VPN functionality will be retained otherwise.\n> \n> **Disable All SSL VPN Services**\n> \n> To disable all SSL VPN services, run the **no webvpn** command in global configuration mode, as shown in the following example:\n> \n> ```\n> firewall# conf t\n> firewall(config)# no webvpn\n> WARNING: Disabling webvpn removes proxy-bypass settings.\n>  Do not overwrite the configuration file if you want to keep existing proxy-bypass commands.\n> firewall(config)#\n> ```\n> \n> **Note:** All remote access SSL VPN features will cease to function after running this command.\n\n**Step 4: Recover Potentially Compromised Devices**\n\nFor Cisco ASA 5500-X Series devices that do not support Secure Boot (5512-X, 5515-X, 5525-X, 5545-X, 5555-X, 5585-X), booting a fixed release will automatically check ROMMON and remove the persistence mechanism that was observed in this attack campaign if it is detected. 
When the persistence mechanism is detected and removed, a file called **_firmware\\_update.log_** is written to **disk0:** (or appended to if the file exists) and the device is rebooted to load a clean system immediately afterwards.\n\n**In cases of suspected or confirmed compromise on any Cisco firewall device, all configuration elements of the device should be considered untrusted.** Cisco recommends that all configurations, especially local passwords, certificates, and keys, be replaced after the upgrade to a fixed release. This is best achieved by resetting the device to factory defaults after the upgrade to a fixed release using the **configure factory-default** command in global configuration mode and then reconfiguring the device with new passwords, certificates, and keys from scratch. If the **configure factory-default** command is not supported, use the commands **write erase** and then **reload** instead.\n\nIf the file **_firmware\\_update.log_** is found on **disk0:** after upgrade to a fixed release, customers should open a case with the [Cisco Technical Assistance Center (TAC)](https://www.cisco.com/c/en/us/support/index.html) with the output of the **show tech-support** command and the content of the **_firmware\\_update.log_** file.\n\nCurrent Status\n--------------\n\nThe software updates that are identified in the advisories listed in the **Details** section below address bugs that, when chained together, could allow an unauthenticated, remote attacker to gain full control of an affected device. The evidence collected strongly indicates that CVE-2025-20333 and CVE-2025-20362 were used by the attacker in the current attack campaign.\n\nThe persistence capability observed does not affect devices that support Secure Boot technology. 
Cisco assesses with high confidence that upgrading to a fixed software release will break the threat actor's attack chain and strongly recommends that all customers upgrade to fixed software releases.\n\nDetails\n-------\n\nOn September 25, 2025, Cisco released the following Security Advisories that address weaknesses that were leveraged in these attacks:\n\n\n\n* Cisco Security Advisory: Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Remote Code Execution Vulnerability\n  * CVE ID: CVE-2025-20333\n  * Security Impact Rating: Critical\n  * CVSS Base Score: 9.9\n* Cisco Security Advisory: Cisco Secure Firewall Adaptive Security Appliance, Secure Firewall Threat Defense Software, IOS Software, IOS XE Software and IOS XR Software HTTP Server Remote Code Execution Vulnerability\n  * CVE ID: CVE-2025-20363\n  * Security Impact Rating: Critical\n  * CVSS Base Score: 9\n* Cisco Security Advisory: Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Unauthorized Access Vulnerability\n  * CVE ID: CVE-2025-20362\n  * Security Impact Rating: Medium\n  * CVSS Base Score: 6.5\n\n\nFixed Releases\n--------------\n\nIn the following tables, the left column lists Cisco software releases. The middle columns indicate the first fixed release for each vulnerability. The right column indicates the first fixed release for all vulnerabilities in the advisories that are listed on this page. 
Customers are advised to upgrade to an appropriate fixed software release as indicated in this section.\n\n| Cisco ASA Software Release | First Fixed Release for CVE-2025-20333 (Critical) | First Fixed Release for CVE-2025-20363 (Critical) | First Fixed Release for CVE-2025-20362 (Medium) | First Fixed Release for All of These Vulnerabilities |\n|---|---|---|---|---|\n| 9.16 | 9.16.4.85 | 9.16.4.84 | 9.16.4.85 | 9.16.4.85 |\n| 9.17 | 9.17.1.45 | Migrate to a fixed release. | Migrate to a fixed release. | Migrate to a fixed release. |\n| 9.18 | 9.18.4.47 | 9.18.4.57 | 9.18.4.67 | 9.18.4.67 |\n| 9.19 | 9.19.1.37 | 9.19.1.42 | Migrate to a fixed release. | Migrate to a fixed release. |\n| 9.20 | 9.20.3.7 | 9.20.3.16 | 9.20.4.10 | 9.20.4.10 |\n| 9.22 | 9.22.1.3 | 9.22.2 | 9.22.2.14 | 9.22.2.14 |\n| 9.23 | Not vulnerable. | 9.23.1.3 | 9.23.1.19 | 9.23.1.19 |\n\n**Notes:**\n\n*   The fixed release for Cisco Secure ASA Software Release 9.12 is 9.12.4.72. It is available from the [Cisco Software Download Center](https://software.cisco.com/download/specialrelease/5c390a2391d7c51421843b43e70e8373).\n*   The fixed release for Cisco Secure ASA Software Release 9.14 is 9.14.4.28. It is available from the [Cisco Software Download Center](https://software.cisco.com/download/specialrelease/29ca8c3a3cc367a4c86144da9f77dabf).\n\n| Cisco FTD Software Release | First Fixed Release for CVE-2025-20333 (Critical) | First Fixed Release for CVE-2025-20363 (Critical) | First Fixed Release for CVE-2025-20362 (Medium) | First Fixed Release for All of These Vulnerabilities |\n|---|---|---|---|---|\n| 7.0 | 7.0.8.1 | 7.0.8 | 7.0.8.1 | 7.0.8.1 |\n| 7.1 | Migrate to a fixed release. | Migrate to a fixed release. | Migrate to a fixed release. | Migrate to a fixed release. |\n| 7.2 | 7.2.9 | 7.2.10 | 7.2.10.2 | 7.2.10.2 |\n| 7.3 | Migrate to a fixed release. | Migrate to a fixed release. | Migrate to a fixed release. | Migrate to a fixed release. |\n| 7.4 | 7.4.2.4 | 7.4.2.3 | 7.4.2.4 | 7.4.2.4 |\n| 7.6 | 7.6.1 | 7.6.1 | 7.6.2.1 | 7.6.2.1 |\n| 7.7 | Not vulnerable. | 7.7.10 | 7.7.10.1 | 7.7.10.1 |\n\nAdditional Information\n----------------------\n\nFor more information about detecting this attack, see [Detection Guide for Continued Attacks against Cisco Firewalls by the Threat Actor behind ArcaneDoor](https://sec.cloudapps.cisco.com/security/center/resources/detection_guide_for_continued_attacks). For further analysis if potentially malicious activity is identified, open a Cisco TAC case.\n\nAll customers are advised to upgrade to a fixed software release.\n\n* * *\n\nThis document is part of the [Cisco Security](https://www.cisco.com/security) portal. Cisco provides the official information contained on the [Cisco Security](https://www.cisco.com/security) portal in English only.\n\nThis document is provided on an \u201cas is\u201d basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. 
Cisco reserves the right to change or update this document without notice at any time.\n\n* * *\n\n- CVE-2025-20333\n- CVE-2025-20363\n- CVE-2025-20362\n\n[CISA - ED 25-03: Identify and Mitigate Potential Compromise of Cisco Devices](https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices)\n[Cisco Event Response: Continued Attacks Against Cisco Firewalls](https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks)", "creation_timestamp": "2025-09-26T06:07:33.910905+00:00", "timestamp": "2025-09-30T09:57:17.901094+00:00", "related_vulnerabilities": ["CVE-2025-20363", "CVE-2025-20362", "CVE-2025-20333"], "author": {"login": "adulau", "name": "Alexandre Dulaunoy", "uuid": "c933734a-9be8-4142-889e-26e95c752803"}}
