Cisco Firewalls Face Another Major Wave of Attacks – Here’s What We Know About These Latest Issues

  • Attackers Leverage Two Zero-Days on Cisco ASA Firewalls to Achieve Remote Access and Persistence
  • The campaign uses stealth techniques such as disabling logging and tampering with firmware to evade detection.
  • Cisco Urges Upgrading to Secure Boot-Enabled Models and Factory-Resetting Compromised Devices

Cisco is warning its customers about an ongoing campaign against organizations running some of its products, after recently becoming aware of a “new attack variant.”

In a new report, the company said it observed an ongoing campaign targeting Cisco ASA 5500-X Series and Secure Firewall devices. Attackers are exploiting two critical zero-day vulnerabilities, tracked as CVE-2025-20333 and CVE-2025-20362, which can allow them to gain remote access, execute arbitrary code, deploy malware, and in some cases trigger denial of service (DoS) reboots on unpatched devices.

The assaults started in May 2025, Cisco defined, emphasizing that the “new variant” will not be a distinct piece of malware, however somewhat an up to date assault method; primarily an advanced model of the identical exercise linked to the 2024 ArcaneDoor risk actor.

Advanced evasion techniques

In these attacks, the threat actors exploit VPN web services on older ASA models that lack Secure Boot and Trust Anchor protection, disable logging, and manipulate the ROMMON firmware to maintain persistence even across reboots.

To remain hidden and hinder any forensic investigation, the threat actors used advanced and stealthy evasion techniques, Cisco added:

“The attackers have been observed to exploit multiple zero-day vulnerabilities and employ advanced evasion techniques, such as disabling logging, intercepting CLI commands, and deliberately locking devices to bypass diagnostic scanning,” Cisco said.

“The complexity and sophistication of this incident required an in-depth, multidisciplinary response from Cisco’s engineering and security teams.”

To mitigate the threat, Cisco recommends that customers identify the affected models and firmware versions, check whether VPN web services are enabled, upgrade to patched releases or disable SSL/TLS-based VPN web services as a temporary measure, and then reset any compromised device to factory defaults before rotating passwords, certificates, and keys.
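The triage steps above (identify model and version, check whether the SSL/TLS VPN web listener is on, decide whether to patch or temporarily disable it) can be scripted over text an operator pastes from the device. The following is an added example written for this page, not Cisco's code: it parses `show version` and `show running-config webvpn` output, reports the platform, version and the interfaces on which webvpn is enabled, and prints the CLI lines that would switch the listener off. The `webvpn` / `no enable <interface>` command form is assumed from the ASA configuration model; the sample device output is constructed, and the first-fixed-version table is a placeholder that must be filled from Cisco's advisory (the page does not list fixed builds).

```python
"""Triage helper for the ASA mitigation steps (added example, not Cisco's code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample output shaped like an ASA 5500-X; not captured from a real device.
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.12(4)67
Firepower Extensible Operating System Version 2.6(1.254)
Device Manager Version 7.18(1)

Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
"""

SAMPLE_WEBVPN_CONFIG = """\
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.10.07061-webdeploy-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
"""


@dataclass
class AsaTriage:
    platform: str
    version: str
    webvpn_interfaces: List[str] = field(default_factory=list)

    @property
    def webvpn_enabled(self) -> bool:
        return bool(self.webvpn_interfaces)


def parse_show_version(text: str) -> Tuple[str, str]:
    """Return (hardware platform, software version) from `show version` output."""
    version = re.search(r"Software Version (\S+)", text)
    hardware = re.search(r"^Hardware:\s+(\w+)", text, re.M)
    if not version or not hardware:
        raise ValueError("could not find the Software Version / Hardware lines")
    return hardware.group(1), version.group(1)


def parse_webvpn_interfaces(config: str) -> List[str]:
    """Interfaces with 'enable <iface>' inside the top-level webvpn block.

    Indented lines belong to the preceding top-level command; 'anyconnect enable'
    and 'tunnel-group-list enable' do not match because 'enable' is not the verb.
    """
    interfaces: List[str] = []
    in_block = False
    for line in config.splitlines():
        if not line.startswith(" "):          # a new top-level command
            in_block = line.strip() == "webvpn"
            continue
        if in_block:
            m = re.match(r"\s+enable\s+(\S+)\s*$", line)
            if m:
                interfaces.append(m.group(1))
    return interfaces


def version_tuple(version: str) -> Tuple[int, ...]:
    """'9.12(4)67' -> (9, 12, 4, 67), so builds compare numerically."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def is_unpatched(version: str, first_fixed: Dict[str, str]) -> Optional[bool]:
    """Compare against the first fixed build of the same release train.

    first_fixed maps a train such as '9.12' to its first fixed build; take those
    values from Cisco's advisory. Returns None when the train is not in the table.
    """
    train = ".".join(str(n) for n in version_tuple(version)[:2])
    if train not in first_fixed:
        return None
    return version_tuple(version) < version_tuple(first_fixed[train])


def triage(show_version: str, webvpn_config: str) -> AsaTriage:
    platform, version = parse_show_version(show_version)
    return AsaTriage(platform, version, parse_webvpn_interfaces(webvpn_config))


def disable_webvpn_commands(t: AsaTriage) -> List[str]:
    """CLI lines that turn the SSL/TLS VPN web listener off per interface (temporary measure)."""
    if not t.webvpn_enabled:
        return []
    return ["configure terminal", "webvpn"] + [f"no enable {i}" for i in t.webvpn_interfaces] + ["end"]


if __name__ == "__main__":
    # Placeholder table: NOT real fixed versions, fill from Cisco's advisory.
    FIRST_FIXED_PLACEHOLDER = {"9.12": "9.12(4)99"}
    t = triage(SAMPLE_SHOW_VERSION, SAMPLE_WEBVPN_CONFIG)
    print(f"platform={t.platform} version={t.version} webvpn_on={t.webvpn_interfaces}")
    print("unpatched (per placeholder table):", is_unpatched(t.version, FIRST_FIXED_PLACEHOLDER))
    print("\n".join(disable_webvpn_commands(t)))
```

Disabling the listener only removes the exposed surface; it does not clean a device whose ROMMON has already been tampered with, which is why the procedure ends with a factory reset and key rotation rather than with the workaround.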

Only older, unsupported ASA 5500-X devices have been confirmed compromised, while newer Secure Boot-enabled firewalls appear resilient, Cisco emphasized, urging all customers to upgrade.

Via The Register