Actively exploited: Cisco ASA and FTD hit via two zero-day flaws

Cisco has warned of two critical vulnerabilities affecting its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, both already exploited in the wild. 

How the vulnerability works 

The first flaw, tracked as CVE-2025-20333 (CVSS score: 9.9), is an input validation bug in HTTP(S) requests. It allows a remote authenticated attacker with valid VPN credentials to execute arbitrary code as root by sending specially crafted HTTP requests. 

The second, CVE-2025-20362 (CVSS score: 6.5), stems from the same input validation issue but can be abused without authentication. Attackers can access restricted URL endpoints simply by sending crafted requests, bypassing security controls. 

Why this is so dangerous 

Cisco has acknowledged “attempted exploitation” of both vulnerabilities and suspects they may be chained together to bypass authentication and execute malicious code on affected appliances. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaws to its Known Exploited Vulnerabilities (KEV) catalog and issued an emergency directive requiring federal agencies to apply mitigations within 24 hours. 

The attacks are linked to the threat cluster ArcaneDoor, previously tied to campaigns targeting network devices from multiple vendors. CISA notes that attackers are also attempting to manipulate the devices’ read-only memory to persist across reboots and upgrades.  

Mitigation and next steps  

Cisco has released software updates addressing both flaws and urged customers to patch immediately. 

To address CVE-2025-20333 on Cisco ASA, update to: 

  • 9.16.4.85 
  • 9.17.1.45 
  • 9.18.4.47 
  • 9.19.1.37 
  • 9.20.3.7 
  • 9.22.1.3 

To address CVE-2025-20362 on Cisco ASA, update to: 

  • 9.16.4.85 
  • 9.18.4.67 
  • 9.20.4.10 
  • 9.22.2.14 
  • 9.23.1.19 

On Cisco FTD, both CVEs can be addressed by updating to versions 7.0.8.1, 7.4.2.4, or 7.6.1. 
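
An added example, not Cisco's or the original post's code: a Python triage check that compares an ASA version string against the two fixed-release lists above and reports each CVE separately. It assumes each listed release is the first fixed build for its own major.minor train and that later builds in that train keep the fix; the hostnames and versions in the inventory are constructed, and a train absent from a list is reported as such rather than guessed.

```python
import re

# Fixed ASA releases exactly as listed on this page, keyed by CVE.
FIXED_ASA = {
    "CVE-2025-20333": ["9.16.4.85", "9.17.1.45", "9.18.4.47",
                       "9.19.1.37", "9.20.3.7", "9.22.1.3"],
    "CVE-2025-20362": ["9.16.4.85", "9.18.4.67", "9.20.4.10",
                       "9.22.2.14", "9.23.1.19"],
}

def parse_version(text):
    """Accept dotted '9.18.4.47' or the parenthesised form '9.18(4)47'."""
    parts = re.findall(r"\d+", text)
    if len(parts) < 2:
        raise ValueError(f"not an ASA version: {text!r}")
    return tuple(int(p) for p in parts)

def assess(version):
    """Return {cve: 'fixed' | 'needs-update:<target>' | 'train-not-listed'}."""
    have = parse_version(version)
    result = {}
    for cve, releases in FIXED_ASA.items():
        # Assumption: a listed release covers only its own major.minor train.
        targets = {parse_version(r)[:2]: r for r in releases}
        target = targets.get(have[:2])
        if target is None:
            # The page names no fixed build for this train; do not guess one.
            result[cve] = "train-not-listed"
        elif have >= parse_version(target):
            result[cve] = "fixed"
        else:
            result[cve] = "needs-update:" + target
    return result

# Constructed inventory: hostnames and versions are sample values.
INVENTORY = {
    "edge-fw-01": "9.18(4)47",   # at the CVE-2025-20333 target only
    "edge-fw-02": "9.16.4.85",   # same target in both lists
    "vpn-fw-03": "9.19(1)37",    # 9.19 appears in one list only
    "lab-fw-04": "9.14(4)24",    # train in neither list
}

if __name__ == "__main__":
    for host, ver in INVENTORY.items():
        print(host, ver, assess(ver))
```

The 9.18 and 9.20 trains have different targets in the two lists, so a device brought up to the CVE-2025-20333 build can still need a further update for CVE-2025-20362.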
