CVE-2025-20333, CVE-2025-20362: Frequently Asked Questions About Zero-Day Cisco Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) Vulnerabilities
Cisco disclosed three zero-day vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363), two of which were exploited in the wild. The threat group UAT4356 carried out its attacks with the malware RayInitiator and LINE VIPER. Cisco has released patches for the vulnerabilities. 2025-09-25 21:47:18 Author: www.tenable.com


September 25, 2025



[Graphic: Tenable Research Special Operations advisory, "Advisory: Zero-Day Vulnerabilities Exploited"]

Cisco published advisories and a supplemental post about three zero-day vulnerabilities, two of which were exploited in the wild by an advanced threat actor associated with the ArcaneDoor campaign. 

Update September 25: This FAQ blog has been updated to include a reference to an NCSC report on associated malware linked to this campaign.


Background

Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding newly disclosed zero-day vulnerabilities in Cisco Adaptive Security Appliance (ASA) Software and Firewall Threat Defense (FTD) Software, two of which were exploited in the wild.

FAQ

When were these vulnerabilities first disclosed? 

On September 25, 2025, Cisco published advisories [1, 2, 3] and a supplemental post regarding three zero-day vulnerabilities in Cisco Adaptive Security Appliance (ASA) Software, Firewall Threat Defense (FTD) Software, IOS Software, IOS XE Software, and IOS XR Software.

What are the vulnerabilities that were disclosed? 

The following three vulnerabilities were disclosed. Two (CVE-2025-20333, CVE-2025-20362) were exploited in the wild.

CVE | Description | CVSSv3 | Exploited
CVE-2025-20333 | Cisco ASA and FTD Software VPN Web Server Remote Code Execution (RCE) Vulnerability | 9.9 | Yes
CVE-2025-20362 | Cisco ASA and FTD Software VPN Web Server Unauthorized Access Vulnerability | 6.5 | Yes
CVE-2025-20363 | Cisco ASA and FTD Software, IOS Software, IOS XE Software, and IOS XR Software Web Services RCE Vulnerability | 9.0 | No

Were these vulnerabilities exploited as zero-days? 

Yes. According to Cisco, CVE-2025-20333 and CVE-2025-20362 were exploited in the wild as zero-days. CVE-2025-20362 lets an unauthenticated remote attacker reach restricted URL endpoints on the VPN web server that would normally require authentication. CVE-2025-20333 is a buffer overflow in that same VPN web server which, on its own, requires valid VPN user credentials but yields code execution as root. Chained together, the two allow an unauthenticated attacker to take over a vulnerable device.

Which threat actors are exploiting these vulnerabilities? 

According to Cisco, the malicious activity associated with CVE-2025-20333 and CVE-2025-20362 is linked to UAT4356, also known as Storm-1849, the same threat actor behind the ArcaneDoor campaign of April 2024.

Did UAT4356/Storm-1849 exploit any vulnerabilities in the ArcaneDoor campaign? 

Yes, UAT4356 leveraged two vulnerabilities in the ArcaneDoor campaign:

CVE | Description | Campaign | Threat Actors | Associated Malware
CVE-2024-20353 | Cisco ASA and Firepower Threat Defense (FTD) Software Web Services Denial of Service Vulnerability | ArcaneDoor | UAT4356 (Storm-1849) | Line Dancer, Line Runner
CVE-2024-20359 | Cisco ASA and FTD Software Persistent Local Code Execution Vulnerability | ArcaneDoor | UAT4356 (Storm-1849) | Line Dancer, Line Runner

Was any malware used by UAT4356/Storm-1849 in this recent campaign? 

The UK National Cyber Security Centre (NCSC) published an alert and a malware analysis report (MAR) detailing two pieces of malware associated with this campaign. The first, RayInitiator, is a multi-stage bootkit designed to persist even if the device is rebooted or upgraded. The second, LINE VIPER, is a user-mode shellcode loader that deploys modular payloads to enable various post-compromise activities. It can be tasked and controlled through either HTTPS-based WebVPN sessions or ICMP.

Is there a proof-of-concept (PoC) available for these vulnerabilities? 

At the time this blog was published, there were no public proof-of-concept (PoC) exploits for any of the vulnerabilities associated with this campaign.

Cisco also patched CVE-2025-20363. Was this also exploited in the wild? 

No. Cisco did not call out CVE-2025-20363 as being exploited in the wild. According to the advisory, it was found by members of Cisco’s Advanced Security Initiatives Group (ASIG) while working a support case.

Are patches or mitigations available for CVE-2025-20333, CVE-2025-20362, CVE-2025-20363? 

Yes, Cisco has released the following fixes for Cisco ASA and FTD. Fixed releases of IOS, IOS XE and IOS XR for CVE-2025-20363 are listed in Cisco’s advisory and are not reproduced here.

CVE | Affected Product | Affected Versions | Fixed Version
CVE-2025-20333 | Cisco ASA Software | 9.16, 9.17, 9.18, 9.19, 9.20, 9.22 | 9.16.4.85, 9.17.1.45, 9.18.4.47, 9.19.1.37, 9.20.3.7, 9.22.1.3
CVE-2025-20333 | Cisco FTD Software | 7.0, 7.2, 7.4, 7.6 | 7.0.8.1, 7.2.9, 7.4.2.4, 7.6.1
CVE-2025-20362 | Cisco ASA Software | 9.16, 9.18, 9.20, 9.22, 9.23 | 9.16.4.85, 9.18.4.67, 9.20.4.10, 9.22.2.14, 9.23.1.19
CVE-2025-20362 | Cisco FTD Software | 7.0, 7.2, 7.4, 7.6, 7.7 | 7.0.8.1, 7.2.10.2, 7.4.2.4, 7.6.2.1, 7.7.10.1
CVE-2025-20363 | Cisco ASA Software | 9.16, 9.18, 9.19, 9.20, 9.22, 9.23 | 9.16.4.84, 9.18.4.57, 9.19.1.42, 9.20.3.16, 9.22.2, 9.23.1.3
CVE-2025-20363 | Cisco FTD Software | 7.0, 7.2, 7.4, 7.6, 7.7 | 7.0.8, 7.2.10, 7.4.2.3, 7.6.1, 7.7.10

Cisco ASA Software: 

  • Cisco customers on the 9.17 branch must migrate to a fixed release to address CVE-2025-20363
  • Cisco customers on the 9.17 and 9.19 branches must migrate to a fixed release to address CVE-2025-20362.

Cisco FTD Software: 

  • Cisco customers on the 7.1 and 7.3 branches must migrate to a fixed release to address all three vulnerabilities.
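Checking a fleet against the table above by hand is error-prone, because the fixed release differs per branch, some branches have no fix at all, and a naive string compare ranks 9.18.4.7 above 9.18.4.47. The following script is an added example (not Tenable’s or Cisco’s code) that encodes the fixed-release table and the "must migrate" branches exactly as listed above and classifies a device’s running version per CVE. The hostnames and the `show version` banner lines it parses are constructed sample input, and the banner formats (ASA prints versions like 9.18(4)47, FTD like 7.2.10.2 followed by a build number) are an assumption. A branch the table does not mention for a CVE is reported as "not listed", not as safe.

```python
"""Classify Cisco ASA/FTD versions against the fixed releases in the FAQ table.

Added example, not Tenable's or Cisco's code. The FIXED table is copied from the
FAQ above; banner formats and hostnames below are constructed assumptions.
"""
import re

# Fixed release per CVE, keyed by product and branch ("major.minor"). A branch
# that Cisco says must migrate to a fixed release is recorded as None. Branches
# absent from a CVE's map are simply not covered by the table above.
FIXED = {
    "ASA": {
        "CVE-2025-20333": {"9.16": "9.16.4.85", "9.17": "9.17.1.45", "9.18": "9.18.4.47",
                           "9.19": "9.19.1.37", "9.20": "9.20.3.7", "9.22": "9.22.1.3"},
        "CVE-2025-20362": {"9.16": "9.16.4.85", "9.17": None, "9.18": "9.18.4.67",
                           "9.19": None, "9.20": "9.20.4.10", "9.22": "9.22.2.14",
                           "9.23": "9.23.1.19"},
        "CVE-2025-20363": {"9.16": "9.16.4.84", "9.17": None, "9.18": "9.18.4.57",
                           "9.19": "9.19.1.42", "9.20": "9.20.3.16", "9.22": "9.22.2",
                           "9.23": "9.23.1.3"},
    },
    "FTD": {
        "CVE-2025-20333": {"7.0": "7.0.8.1", "7.1": None, "7.2": "7.2.9", "7.3": None,
                           "7.4": "7.4.2.4", "7.6": "7.6.1"},
        "CVE-2025-20362": {"7.0": "7.0.8.1", "7.1": None, "7.2": "7.2.10.2", "7.3": None,
                           "7.4": "7.4.2.4", "7.6": "7.6.2.1", "7.7": "7.7.10.1"},
        "CVE-2025-20363": {"7.0": "7.0.8", "7.1": None, "7.2": "7.2.10", "7.3": None,
                           "7.4": "7.4.2.3", "7.6": "7.6.1", "7.7": "7.7.10"},
    },
}

# Matches "9.18(4)47" (assumed ASA banner style) as well as "7.2.10.2".
_VER_RE = re.compile(r"\d+(?:[.()]\d+)+")


def parse_version(text):
    """Extract the first version from a raw string or a `show version` banner
    and return it as a tuple of ints, so 9.18.4.47 > 9.18.4.7 compares
    numerically (as strings, "9.18.4.47" < "9.18.4.7" because '4' < '7')."""
    m = _VER_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in re.split(r"[.()]", m.group(0)))


def assess(product, version_text):
    """Return {CVE: status} for one device. Statuses:
      'fixed'      running version >= first fixed release for its branch
      'vulnerable' branch has a fix but the running version is older
      'migrate'    table lists no fixed release for this branch
      'not listed' branch absent from the table for this CVE; treat as
                   unknown and check Cisco's advisory, not as safe
    """
    ver = parse_version(version_text)
    br = f"{ver[0]}.{ver[1]}"
    result = {}
    for cve, fixes in FIXED[product].items():
        if br not in fixes:
            result[cve] = "not listed"
        elif fixes[br] is None:
            result[cve] = "migrate"
        elif ver >= parse_version(fixes[br]):   # tuple compare handles 9.22.2 vs 9.22.2.14
            result[cve] = "fixed"
        else:
            result[cve] = "vulnerable"
    return result


# Constructed sample inventory: hostname -> (product, banner line from `show version`).
SAMPLE_BANNERS = {
    "fw-edge-01": ("ASA", "Cisco Adaptive Security Appliance Software Version 9.18(4)47"),
    "fw-edge-02": ("ASA", "Cisco Adaptive Security Appliance Software Version 9.17(1)45"),
    "ftd-dc-01": ("FTD", "Cisco Firepower Threat Defense for VMware Version 7.2.10.2 (Build 123)"),
    "ftd-dc-02": ("FTD", "Cisco Firepower Threat Defense for VMware Version 7.3.1 (Build 19)"),
}


def report(banners=SAMPLE_BANNERS):
    """One line per host; hosts needing a patch or a branch migration are flagged."""
    lines = []
    for host, (product, banner) in banners.items():
        statuses = assess(product, banner)
        needs_action = any(s in ("vulnerable", "migrate") for s in statuses.values())
        summary = ", ".join(f"{cve}={status}" for cve, status in statuses.items())
        lines.append(f"{host}: {summary}" + ("  <-- ACTION" if needs_action else ""))
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Feed the script the output of `show version` from each appliance (or the version field from your inventory) and act on every line flagged ACTION. A "migrate" result means no fixed release exists on that branch, so upgrading within the branch will not help; a "not listed" result means the table above is silent for that branch and CVE, so consult the Cisco advisory rather than assuming the device is safe.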

Has Tenable released any product coverage for these vulnerabilities? 

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages as they are released. The plugin search page for these CVEs lists all available plugins, including upcoming plugins in our Plugins Pipeline.


Get more information

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect and engage with us in the Threat Roundtable group for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.


Satnam Narang


Senior Staff Research Engineer, Security Response

Satnam joined Tenable in 2018. He has over 15 years of experience in the industry (M86 Security and Symantec). He contributed to the Anti-Phishing Working Group, helped develop a Social Networking Guide for the National Cyber Security Alliance, uncovered a huge spam botnet on Twitter and was the first to report on spam bots on Tinder. He has appeared on NBC Nightly News, Entertainment Tonight, Bloomberg West, and the Why Oh Why podcast.

Interests outside of work: Satnam writes poetry and makes hip-hop music. He enjoys live music, spending time with his three nieces, football and basketball, Bollywood movies and music and Grogu (Baby Yoda).



Source: https://www.tenable.com/blog/cve-2025-20333-cve-2025-20362-faq-cisco-asa-ftd-zero-days-uat4356