""In May 2025, Cisco was engaged by multiple government agencies that provide incident response services to government organizations to support the investigation of attacks that were targeting certain Cisco Adaptive Security Appliance (ASA) 5500-X Series devices that were running Cisco Secure Firewall ASA Software with VPN web services enabled,""
""Attackers were observed to have exploited multiple zero-day vulnerabilities and employed advanced evasion techniques such as disabling logging, intercepting CLI commands, and intentionally crashing devices to prevent diagnostic analysis.""
""CISA is directing agencies to account for all Cisco ASA and Firepower devices, collect forensics and assess compromise via CISA-provided procedures and tools, disconnect end-of-support devices, and upgrade devices that will remain in service," the agency said."
Two vulnerabilities, CVE-2025-20333 and CVE-2025-20362, affect Cisco ASA 5500-X Series devices running ASA and Firewall Threat Defense software. CVE-2025-20333 permits authenticated attackers to execute arbitrary code, while CVE-2025-20362 allows access to restricted URL endpoints without authentication. Exploitation has enabled attackers to install malware, run commands, and exfiltrate data using evasion techniques such as disabling logging, intercepting CLI commands, and intentionally crashing devices. The campaign is widespread and linked to ArcaneDoor activity, delivering malware strains like Line Runner and Line Dancer. Agencies are advised to collect forensics, account for devices, disconnect end-of-support systems, and upgrade affected devices.
Read at IT Pro
Unable to calculate read time
Collection
[
|
...
]