
CISA Updates Guidance on Patching Cisco Devices Targeted in China-Linked Attacks

Federal agencies have reported as ‘patched’ ASA or FTD devices running software versions vulnerable to attacks. The post CISA Updates Guidance on Patching Cisco Devices Targeted in China-Linked Attacks appeared first on SecurityWeek.


The US cybersecurity agency CISA has issued a fresh warning on addressing two Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) vulnerabilities exploited in the China-linked ArcaneDoor espionage campaign.

The two bugs, tracked as CVE-2025-20333 and CVE-2025-20362, were discovered in May, after being exploited as zero-days in attacks against government organizations.

As part of the attacks, the threat actor exploited the flaws to deploy malware, execute commands on vulnerable appliances, and likely exfiltrate data.

Impacting the VPN web server of ASA and FTD software, the issues allow attackers to send crafted requests and execute arbitrary code with root privileges, or access a restricted URL without authentication.

Cisco patched the two security defects on September 25, and warned on November 6 that a new variant of the attack causes devices to reload, leading to denial-of-service (DoS).

On September 25, CISA issued Emergency Directive 25-03 (ED 25-03), urging federal agencies to identify within their environments Cisco devices running vulnerable ASA and FTD software versions and immediately apply the patches.

“CISA is directing agencies to account for all Cisco ASA and Firepower devices, collect forensics and assess compromise via CISA-provided procedures and tools, disconnect end-of-support devices, and upgrade devices that will remain in service,” ED 25-03 mandates.

Federal agencies were also required to report to CISA, by October 2, a complete inventory of the identified devices as well as the actions taken. Some agencies, however, failed to properly patch their appliances, CISA now says.

“CISA identified, through analysis of agency reported data, instances of agencies marking devices as ‘patched’, but which agencies updated to a version of the software that is still vulnerable to the threat activity outlined in the ED,” a November 12 ED 25-03 update reads.

Because some federal agencies could not find the latest software iterations for the affected Cisco devices, CISA has published a list of minimum versions that contain fixes for both CVE-2025-20333 and CVE-2025-20362, as well as fresh guidance on addressing the bugs.

“For agencies with ASA or Firepower devices not yet updated to the necessary software versions or devices that were updated after September 26, 2025, CISA recommends additional actions to mitigate against ongoing and new threat activity. CISA urges all agencies with ASAs and Firepower devices to follow [the] guidance,” CISA notes.
