Introduction

On September 25, 2025, Cisco released security advisories for three flaws in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) and Cisco Secure Firewall Threat Defense (FTD) software, tracked as CVE-2025-20333, CVE-2025-20362, and CVE-2025-20363. Cisco confirmed that CVE-2025-20333 and CVE-2025-20362 were being exploited in the wild; CVE-2025-20363, a separate heap overflow in the same web services, was disclosed alongside them. A state-sponsored campaign has been exploiting these zero-day vulnerabilities since at least May 2025. The campaign, attributed to UAT4356/Storm-1849 (linked to China-based threat actors), is a continuation of the 2024 ArcaneDoor intrusions and adds persistence mechanisms that survive device reboots and firmware upgrades.

CVE-2025-20362 is a URL path-normalization flaw in the handling of HTTP(S) requests: a crafted path can reach restricted Clientless SSL VPN (WebVPN) endpoints without a valid session. CVE-2025-20333 is a heap buffer overflow in the WebVPN file-upload handler; an attacker who holds valid VPN credentials, or who has bypassed the need for them, can use it to execute arbitrary code as root on the device. Of the three vulnerabilities, CVE-2025-20363 and CVE-2025-20362 do not require authentication, while CVE-2025-20333 does.
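The bypass class described above, an authorization check that inspects one form of the URL while the server routes on another, is easy to get wrong in any web server. The following is an added example written for this page; it is not Cisco's code and not a reproduction of the actual CVE-2025-20362 request. The `/protected/` prefix, the session flag and the probe paths are assumptions chosen for the demo. It shows the vulnerable check beside a hardened one and runs a handful of constructed traversal and encoding probes against both.

```python
from urllib.parse import unquote

# Hypothetical endpoint prefix for the demo: a WebVPN-like area that should
# require a session. Everything else is treated as public.
PROTECTED_PREFIX = "/protected/"


def normalize_path(raw_path: str) -> str:
    """Canonicalize a request path the way a typical server does before routing:
    percent-decode (twice, to catch double encoding), drop empty and '.' segments,
    and resolve '..' against the preceding segment."""
    decoded = unquote(unquote(raw_path))
    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def vulnerable_is_authorized(raw_path: str, has_session: bool) -> bool:
    """Bug: the session check is evaluated on the raw path, but the request is
    later routed on the normalized path. Anything whose raw form does not begin
    with the protected prefix is waved through."""
    if raw_path.startswith(PROTECTED_PREFIX):
        return has_session
    return True


def hardened_is_authorized(raw_path: str, has_session: bool) -> bool:
    """Fix: decide on the same canonical path the router will use, and refuse any
    request that needed normalization at all (encoded dots or slashes, traversal,
    doubled slashes), since well-behaved clients never send those."""
    canonical = normalize_path(raw_path)
    if canonical != raw_path:
        return False
    if canonical.startswith(PROTECTED_PREFIX):
        return has_session
    return True


# Constructed probes (not real exploit requests): each raw path avoids the
# protected prefix textually but normalizes onto a protected endpoint.
BYPASS_PROBES = [
    "/public/../protected/admin",
    "/public/%2e%2e/protected/admin",
    "/public/%252e%252e/protected/admin",
    "//protected/admin",
]


def evaluate(check) -> dict:
    """For each probe sent with no session, report whether the given check
    lets it through AND the router would land it on a protected endpoint."""
    results = {}
    for probe in BYPASS_PROBES:
        allowed = check(probe, has_session=False)
        lands_protected = normalize_path(probe).startswith(PROTECTED_PREFIX)
        results[probe] = allowed and lands_protected
    return results


if __name__ == "__main__":
    for name, check in (("vulnerable", vulnerable_is_authorized),
                        ("hardened", hardened_is_authorized)):
        print(name)
        for probe, bypassed in evaluate(check).items():
            print(f"  {'BYPASS ' if bypassed else 'blocked'} {probe}")
```

The hardened check rejects by string inequality, which also refuses harmless variants such as a trailing slash; a production server would instead canonicalize once at the front door and perform every later check on that single canonical form, so that no component can see a different path than the one the session check saw.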
All three vulnerabilities are reached over HTTP(S), through the web services running on vulnerable devices. The Cybersecurity & Infrastructure Security Agency (CISA) released an emergency directive outlining urgent requirements and mitigation steps for organizations: ED 25-03: Identify and Mitigate Potential Compromise of Cisco Devices.

Affected Versions

The three CVEs affect Cisco ASA, ASAv, and FTD software releases on which VPN web services are enabled; consult the Cisco advisories for the fixed release on your software train. The following Cisco ASA 5500-X Series models, running Cisco ASA Software Release 9.12 or 9.14 with VPN web services enabled and without Secure Boot and Trust Anchor technologies, are additionally exposed to the firmware-level persistence described below:

- 5512-X and 5515-X
- 5525-X, 5545-X, and 5555-X
- 5585-X

Recommendations

For CVE-2025-20333, CVE-2025-20362 and CVE-2025-20363:

- Identify all Cisco ASA/FTD devices: Compile a complete inventory of all ASA and FTD devices deployed in your organization's infrastructure.
- Apply the patch: Cisco has released fixed software for these vulnerabilities on all ASA, ASAv, and FTD devices.
- Perform threat hunting: Follow CISA's Core Dump and Hunt Instructions Parts 1–3 for public-facing ASA devices. Federal agencies are instructed to submit core dump results via the Malware Next-Gen Portal by 11:59 PM EDT on September 26, 2025. Although CISA mandates this guidance only for federal agencies, it strongly recommends that all organizations follow the outlined steps.
- If compromise is detected: Immediately disconnect the device from the network (do not power it off, so that volatile evidence is preserved) and report the incident to CISA. In cases of suspected or confirmed compromise on any Cisco ASA device, Cisco recommends that all configurations, especially local passwords, certificates, and keys, be replaced after the upgrade to a fixed release.
- Rebuild after patching: Reset the device to factory default after the upgrade to a fixed release, then reconfigure it from scratch with new passwords, and regenerate certificates and keys.
- If compromise is NOT detected: Continue with patching and the additional mitigation efforts below.
- Ensure ongoing updates for existing devices: For ASA hardware models with an EoS date after August 31, 2026, as well as ASAv and Firepower FTD appliances, download and apply the latest Cisco-provided software updates by 11:59 PM EDT on September 26, 2025, and apply all subsequent updates within 48 hours of release via Cisco's download portal.

Attribution

UAT4356 is a well-resourced, China-aligned threat actor specializing in perimeter device exploitation. The group targeted older Cisco ASA 5500-X appliances, specifically the 5512-X, 5515-X, 5525-X, 5545-X, 5555-X, and 5585-X models, running ASA software versions 9.12 or 9.14 with exposed VPN web services. All targeted devices were at or near their end-of-support dates (September 30, 2025 for the latest of them) and lacked Secure Boot protections, which is what made firmware manipulation possible.

In 2024, UAT4356 was observed exploiting two ASA/FTD zero-day vulnerabilities (CVE-2024-20353 and CVE-2024-20359) to deploy the Line Runner and Line Dancer malware.

How it works

As reported by Cisco, the investigation started in May 2025 and revealed that the attackers exploited multiple zero-day vulnerabilities and employed evasion techniques such as disabling logging, intercepting CLI commands, and intentionally crashing devices to prevent diagnostic analysis.
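The log suppression mentioned above (and again under Defensive Evasion further down) targets specific syslog message IDs rather than logging as a whole, so a SIEM rule that only fires when a device goes silent will miss it. The tell is selective: message IDs the appliance normally emits constantly stop, while the same device keeps sending others. The detector below is an added example written for this page, not Cisco's or Zscaler's tooling. It assumes the standard ASA syslog line layout shown in the sample, and it uses 302013/302014 (TCP connection built/teardown, normally among the highest-volume ASA messages) as canary IDs; the page does not say which IDs the campaign suppressed, and the log lines are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Standard ASA syslog prefix: "Mon DD YYYY HH:MM:SS host : %ASA-<sev>-<id>:".
# Assumed layout; the timestamp and host fields depend on your logging config.
MSG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) : %ASA-\d-(?P<id>\d{6}):"
)

# Canary message IDs, chosen because a production ASA emits them continuously,
# so a window with none of them from an otherwise chatty device is abnormal.
CANARY_IDS = {"302013", "302014"}


def parse_line(line):
    """Return (timestamp, host, message_id), or None for lines that do not match."""
    m = MSG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
    return ts, m.group("host"), m.group("id")


def bucket_counts(lines, window_minutes=5):
    """Count message IDs per host and per fixed-size time window."""
    buckets = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, host, mid = rec
        start = ts.replace(minute=ts.minute - ts.minute % window_minutes,
                           second=0, microsecond=0)
        buckets[(host, start)][mid] += 1
    return buckets


def find_suppression(lines, canary_ids=CANARY_IDS, window_minutes=5, min_other=3):
    """Flag (host, window_start) where canary IDs drop to zero while the host
    still emitted at least `min_other` other messages and was emitting canaries
    in the preceding window. A device that goes completely quiet produces no
    bucket at all and is left to a separate heartbeat alert."""
    per_host = defaultdict(dict)
    for (host, start), counts in bucket_counts(lines, window_minutes).items():
        per_host[host][start] = counts
    hits = []
    for host, windows in per_host.items():
        starts = sorted(windows)
        for prev, cur in zip(starts, starts[1:]):
            prev_canary = sum(windows[prev][i] for i in canary_ids)
            cur_canary = sum(windows[cur][i] for i in canary_ids)
            cur_other = sum(windows[cur].values()) - cur_canary
            if prev_canary > 0 and cur_canary == 0 and cur_other >= min_other:
                hits.append((host, cur))
    return hits


# Constructed sample: fw01 logs connection events until 10:03, then from 10:05
# only admin logins and CLI commands appear; fw02 behaves normally.
SAMPLE_LOG = """\
Sep 25 2025 10:00:05 fw01 : %ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.8/51000 (10.0.0.8/51000)
Sep 25 2025 10:01:10 fw01 : %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/443 to inside:10.0.0.8/51000 duration 0:01:05 bytes 5120 TCP FINs
Sep 25 2025 10:02:30 fw01 : %ASA-6-302013: Built outbound TCP connection 1002 for outside:198.51.100.9/443 (198.51.100.9/443) to inside:10.0.0.9/51001 (10.0.0.9/51001)
Sep 25 2025 10:03:00 fw01 : %ASA-6-605005: Login permitted from 10.0.0.2/50000 to inside:10.0.0.1/ssh for user "admin"
Sep 25 2025 10:06:00 fw01 : %ASA-6-605005: Login permitted from 10.0.0.2/50001 to inside:10.0.0.1/ssh for user "admin"
Sep 25 2025 10:07:15 fw01 : %ASA-5-111008: User 'admin' executed the 'show version' command.
Sep 25 2025 10:08:40 fw01 : %ASA-5-111010: User 'admin', running 'CLI' from IP 10.0.0.2, executed 'show running-config'
Sep 25 2025 10:09:50 fw01 : %ASA-6-605005: Login permitted from 10.0.0.2/50002 to inside:10.0.0.1/ssh for user "admin"
Sep 25 2025 10:05:30 fw02 : %ASA-6-302013: Built outbound TCP connection 2001 for outside:203.0.113.7/443 (203.0.113.7/443) to inside:10.0.1.8/52000 (10.0.1.8/52000)
Sep 25 2025 10:06:45 fw02 : %ASA-6-302014: Teardown TCP connection 2001 for outside:203.0.113.7/443 to inside:10.0.1.8/52000 duration 0:01:15 bytes 4096 TCP FINs
"""


def demo():
    """Run the detector over the constructed sample and return hits as strings."""
    return [f"{host} {start.isoformat()}"
            for host, start in find_suppression(SAMPLE_LOG.splitlines())]


if __name__ == "__main__":
    for hit in demo():
        print("possible syslog suppression:", hit)
```

Tune `window_minutes` and `min_other` to the device's real traffic profile, and pick canary IDs from what each appliance actually emits at high volume in its baseline; a VPN concentrator that logs few TCP build/teardown events needs different canaries than an edge firewall.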
The attackers have been observed delivering the following malware families:

- RayInitiator: A bootkit targeting Cisco ASA 5500-X devices that lack Secure Boot. It gains persistence by modifying the GRUB bootloader and directly patching core system binaries, so it survives reboots and firmware upgrades.
- LINE VIPER: A modular user-mode payload that lets the attackers execute CLI commands, capture network traffic, bypass authentication, suppress logs, and clear traces, communicating over encrypted channels tunneled through WebVPN sessions or ICMP. It includes anti-forensic capabilities such as forcing a reboot when a core dump is attempted, and it is deployed selectively against chosen targets.

Possible Execution

- Reconnaissance: Extensive scanning of internet-facing ASA/FTD devices, particularly WebVPN/HTTPS interfaces; GreyNoise reported two major spikes in late August 2025 involving over 25,000 unique IPs.
- Initial Access: Abuse of CVE-2025-20362 (WebVPN authentication bypass) to reach restricted endpoints that would otherwise require a valid VPN session.
- Exploitation: Use CVE-2025-20333 (and related bugs in the same web server) to trigger the heap overflow on those endpoints and gain code execution as root within the ASA process context.
- Privilege Escalation and Memory Execution: Load LINE VIPER shellcode into ASA userland, giving the attackers an in-memory foothold from which to run arbitrary commands and further loaders.
- Persistence: Write the RayInitiator bootkit into the GRUB bootloader on the boot media (possible because these 5500-X models have no Secure Boot), so that the implant survives reboots and software updates.
- Post-Exploitation: Packet capture, configuration dumps, backdoor account creation, exfiltration of configs/logs, and systematic disabling of logging mechanisms.
- Command-and-control (C2) Communication: WebVPN/HTTPS sessions or ICMP channels, with victim-specific encryption keys, are used to manage the implants.
- Anti-Forensics: Suppress syslog entries, tamper with diagnostic counters, intercept CLI commands, and crash devices to obstruct forensic analysis.

Other notable characteristics of the campaign:

- Exploit Chaining: CVE-2025-20362 for the login bypass is combined with CVE-2025-20333 for code execution.
- Targeting EoS Devices: Focus on ASA 5500-X series devices running ASA firmware versions 9.12 or 9.14, which are nearing or past their end-of-support (EoS) dates.
- Defensive Evasion: Systematic suppression of specific syslog message IDs, forced reboots, and interception of CLI commands to erase traces of activity.
- No Evidence of Lateral Movement: The intruders appear focused on espionage and data extraction from the perimeter devices themselves, without using compromised ASAs to pivot further into the network.

Attack Chain

Figure 1: Diagram depicting the attack chain associated with Cisco ASA devices.

How Zscaler Can Help

Zscaler's cloud native zero trust network access (ZTNA) solution gives all users fast, secure access to private apps from any location. It reduces your attack surface and the risk of lateral threat movement: no more internet-exposed remote access IP addresses, and secure inside-out brokered connections. It is easy to deploy and enforces consistent security policies across campus and remote users.

Zscaler Private Access™ (ZPA) allows organizations to secure private app access from anywhere. Connect users to apps, never the network, with AI-powered user-to-app segmentation. Prevent lateral threat movement with inside-out connections. Deploy comprehensive cyberthreat and data protection for private apps with integrated application protection, deception, and data protection.

Figure 2: VPN vulnerabilities open doors to cyber threats; protect against these risks with a zero trust architecture.

Zero trust is a fundamentally different architecture from those built upon firewalls and VPNs. It delivers security as a service from the cloud and at the edge, instead of requiring you to backhaul traffic to complex stacks of appliances (whether hardware or virtual). It provides secure any-to-any connectivity in a one-to-one fashion, for example connecting any user directly to any application.
It does not put any entity on the network as a whole, and it adheres to the principle of least-privileged access. In other words, with zero trust, security and connectivity are decoupled from the network, which sidesteps the challenges of perimeter-based approaches described above. Zero trust architecture:

- Minimizes the attack surface by eliminating firewalls, VPNs, and public-facing IP addresses, allowing no inbound connections, and hiding apps behind a zero trust cloud.
- Stops compromise by leveraging the cloud to inspect all traffic, including encrypted traffic, at scale, in order to enforce policies and stop threats in real time.
- Prevents lateral threat movement by connecting entities to individual IT resources instead of extending access to the network as a whole.
- Blocks data loss by enforcing policies across all potential leakage paths (including encrypted traffic), protecting data in motion, data at rest, and data in use.

Additionally, zero trust architecture overcomes many other problems associated with firewalls, VPNs, and perimeter-based architectures by enhancing user experiences, decreasing operational complexity, saving your organization money, and more.
Zscaler ThreatLabz recommends that customers implement the following capabilities to safeguard against these types of attacks:

- Safeguard crown jewel applications by limiting lateral movement, using Zscaler Private Access to establish user-to-app segmentation policies based on the principle of least-privileged access, including for employees and third-party contractors.
- Limit the impact of a potential compromise by restricting lateral movement with identity-based microsegmentation.
- Prevent exploitation of private applications by compromised users with full in-line inspection of private app traffic in Zscaler Private Access.
- Use Advanced Cloud Sandbox to stop unknown malware delivered in second-stage payloads.
- Detect and contain attackers attempting to move laterally or escalate privileges by luring them with decoy servers, applications, directories, and user accounts with Zscaler Deception.
- Identify and stop malicious activity from compromised systems by routing all server traffic through Zscaler Internet Access.
- Restrict traffic from critical infrastructure to an "allow" list of known-good destinations.
- Inspect all SSL/TLS traffic, even if it comes from trusted sources.
- Turn on Advanced Threat Protection to block all known command-and-control domains.
- Extend command-and-control protection to all ports and protocols with the Advanced Cloud Firewall, including emerging C2 destinations.

Best Practices

Follow CISA directives: Timely compliance with CISA's Emergency Directive on the Cisco vulnerabilities is critical for minimizing their impact.

Implement zero trust architecture: Enterprises must rethink traditional approaches to security, replacing vulnerable appliances like VPNs and firewalls. Implementing a true zero trust architecture, fortified by AI/ML models, to block and isolate malicious traffic and threats is a critical foundational step.
Prioritize user-to-application segmentation so that users are never placed on the same network as your applications. This is an effective way to prevent lateral movement and keep attackers from reaching crown jewel applications.

Proactive Measures to Safeguard Your Environment

In light of the recent vulnerabilities affecting Cisco devices, it is imperative to employ the following best practices to fortify your organization against potential exploits.

- Minimize the attack surface: Make apps (and vulnerable VPNs) invisible to the internet, so that an attacker cannot gain initial access.
- Prevent initial compromise: Inspect all traffic in-line to automatically stop zero-day exploits, malware, and other sophisticated threats.
- Enforce least-privileged access: Restrict permissions for users, traffic, systems, and applications using identity and context, ensuring only authorized users can access named resources.
- Block unauthorized access: Use strong multi-factor authentication (MFA) to validate user access requests.
- Eliminate lateral movement: Connect users directly to apps, not the network, to limit the blast radius of a potential incident.
- Shut down compromised users and insider threats: Enable inline inspection and monitoring to detect compromised users with access to your network, private applications, and data.
- Stop data loss: Inspect data in motion and data at rest to stop active data theft during an attack.
- Deploy active defenses: Leverage deception technology with decoys and perform daily threat hunting to derail and capture attacks in real time.
- Cultivate a security culture: Many breaches begin with the compromise of a single user account via a phishing attack. Regular cybersecurity awareness training helps reduce this risk and protect your employees from compromise.
- Test your security posture: Get regular third-party risk assessments and conduct purple team activities to identify and harden the gaps in your security program.
Request that your service providers and technology partners do the same and share the results of these assessments with your security team.

Conclusion

Cisco firewall and VPN devices continue to face severe security threats from zero-day vulnerabilities exploited by state-backed actors, as has happened before. While the initial disclosure covered two CVEs, a third CVE was added during the analysis, and, as in other high-profile zero-day campaigns, more may follow.

It is critical for organizations to act quickly on the mitigation steps above and, ideally, to prioritize a zero trust architecture, because large-scale exploitation attempts against internet-exposed legacy devices (VPNs and firewalls) will continue.
*** This is a Security Bloggers Network syndicated blog from Security Research | Blog authored by Atinderpal Singh (Sr. Staff Threat Researcher). Read the original post at: https://www.zscaler.com/blogs/security-research/cisco-firewall-and-vpn-zero-day-attacks-cve-2025-20333-and-cve-2025-20362