New Zero Days Exploited by Cisco Firewalls Lead to Widespread Hack

Bill Thompson
By Bill Thompson
Technology
7 Min Read

A frantic security scramble is under way as attackers begin exploiting two zero-day vulnerabilities in Cisco firewall products, one of which splintered from the controversial Equation Group and has reignited debate about errant state-sponsored hacking.

The campaign was characterized as far-reaching, with signs that attackers could have full control of infected devices and remain on them even after the device is restarted or updated.

Table of Contents
A professional, enhanced image of a Cisco network switch with its original background featuring abstract colorful dots and a cluster of red and orange exclamation marks. The image is resized to a 1 6:9 aspect ratio. Filename : cisco networkswitch enhanced.png

What We Know About the Cisco Firewall Vulnerability

Cisco, for its part, in two separate advisories – tracked as CVE-2025-20362 and CVE-2025-20333 – revealed zero-day vulnerabilities affecting both its firewall appliances and security software. Chained together, the vulnerabilities could be used in an exploit to give an unauthenticated remote attacker full administrative access to affected devices. Cisco said that CVE-2025-20362 allows unauthorized access to restricted URLs with specially crafted HTTP requests by bypassing authentication on affected web services.

The purpose of the attackers is not clear, but such “implants” can help compromise networks for surveillance and theft of sensitive data stored on systems that make use of such equipment, according to CISA. CISA warned that attackers could leverage the vulnerabilities to install changes that persist between software upgrades and reboots in what would appear to be sophisticated attacks on network-edge gear. Persistence has been seen on some older stand-alone firewalls in the ASA5500-X Series running affected builds. In addition to the zero-days, Cisco released patches for CVE-2025-20363, a vulnerability that impacts the same software family but hasn’t been exploited in the wild, according to the company.

Why This Campaign Matters for Network Security

Firewalls serve as the gatekeepers of modern networks. Compromise at this stratum provides attackers with a rich tactical advantage: they can observe, reroute or decode traffic; steal credentials; and further pivot with low signature. An auth bypass with a path to device takeover is such a terrible combination because it allows “from my keyboard” operation without having a valid login, and has enough scope to hide activity behind trusted infrastructure.

The emergency directive from CISA is a sign that the operational risk goes beyond those one-off occurrences. The incident response firm defending CapitalBreach says it’s responding to attacks against organizations in the U.S. critical infrastructure, and could affect operational technology networks and high-value government or enterprise asset environments that rely on Cisco ASA and Firepower Threat Defense for perimeter security.

Both CISA and Cisco believe this recent significant cyber-exploitation has technical overlap with the previously reported ArcaneDoor campaign.

The ArcaneDoor campaign is a 2020 stealthy implant and living-off-the-land attack that targeted Cisco security devices such as firewalls. At the time, industry reporting pointed to a likely state-backed adversary. The tradecraft remains the same: discreet initial access at the edge, robust persistence and strategic staging to outlive routine maintenance cycles.

Newly exploited flaws may have been in play for months before detection, according to investigators in both cases—a dynamic typical in appliance-driven breaches whereby limited endpoint visibility and weak logging can slow early discovery.

Who Is at Risk, and What to Look For on Devices

Organizations that place device management interfaces or web-based VPN access on the internet are more vulnerable.

This exposure is especially high for older ASA 5500-X devices running susceptible ASA/FTD software. The most at risk is environments using default configurations or that allow HTTPS/ASDM to be exposed from low-trust networks.

Diagram illustrating a Cisco switch with various devices connected, including the internet , a management center, a printer , laptops, a VoIP phone, and a wireless router, detailing port types and management options .

Some red flags could come in the form of:

  • Local admin accounts that are unexpected
  • Startup configurations being out of place without explanation
  • Web assets on the device that have been altered or are simply unknown
  • Odd management logins
  • Outbound connections from your corporate firewall to hosts you don’t recognize

Unfortunately, such a “patch and move on” strategy is inadequate, as attackers can install changes that survive updates and which require a comprehensive compromise analysis.

Immediate Actions for Defenders to Reduce Risk

CISA’s directive orders affected federal agencies to patch or disconnect the vulnerable devices, and private-sector defenders should do so as well. Apply Cisco’s available patches for CVE-2025-20362, CVE-2025-20333 and CVE-2025-20363. If patching is not possible, isolate from the internet, limit management to specific internal segments and apply strict ACLs for administrative access.

Hunt for what’s persistent post and then patch:

  • Validate user accounts and roles
  • Diff running versus startup configs
  • Check WebVPN customizations you weren’t expecting / knew about
  • Rotate creds and certs
  • Peer at management/VPN logs for weirdness

If compromise is suspected, perform a clean rebuild—reimage an appliance, load a known-good configuration and rotate secrets—instead of just an in-place upgrade.

A Pattern Increasing at the Network Edge Devices

That campaign is part of a trend toward attackers targeting edge appliances from various vendors, similar to campaigns that have targeted SSL VPNs and enterprise gateways in the past. Recommendations from national cyber authorities have also repeatedly included advice for hardening network infrastructure: disable non-critical services, reduce visibility of management interfaces to the public, ensure logging and monitoring is in place and up to date, etc.

The lesson: security appliances should be treated as high-value endpoints — not just pass-through gear. Perimeter defense-in-depth:

  • Segmented admin
  • Split MFA effort for admin and VPN access
  • Periodic config sanity audits

Leakage is not ideal when ZDs drop, but it does at least reduce blast radius quite a bit.

The Bottom Line on Cisco Zero-Day Firewall Exploits

Cisco’s advisories and CISA’s emergency directive telling government agencies to get the fix in eight days tell a story of a capable adversary using fresh flaws to take over widely deployed firewalls with persistence. Patch as soon as you can, hunt for evidence of exploitation even if there are no alerts and assume that persistent implants might also live to see another round of basic remediation. It’s an issue where speed is important, but verification matters more.

Exit mobile version