Full Report
Cisco published advisories and a supplemental post about three vulnerabilities in Cisco ASA and FTD Software, two of which were exploited in the wild as zero-days by an advanced threat actor associated with the ArcaneDoor campaign.

Update September 25: This FAQ blog has been updated to include a reference to an NCSC report on associated malware linked to this campaign.

## Background

Tenable's Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding newly disclosed zero-day vulnerabilities in Cisco Adaptive Security Appliance (ASA) Software and Firewall Threat Defense (FTD) Software that were exploited in the wild.

## FAQ

### When were these vulnerabilities first disclosed?

On September 25, Cisco published advisories [1, 2, 3] and a supplemental post regarding three vulnerabilities in Cisco Adaptive Security Appliance (ASA) Software, Firewall Threat Defense (FTD) Software, IOS Software, IOS XE Software, and IOS XR Software.

### What are the vulnerabilities that were disclosed?

The following three vulnerabilities were disclosed. Two (CVE-2025-20333, CVE-2025-20362) were exploited in the wild.

| CVE | Description | CVSSv3 | Exploited |
|---|---|---|---|
| CVE-2025-20333 | Cisco ASA and FTD Software VPN Web Server Remote Code Execution Vulnerability (RCE) | 9.9 | Yes |
| CVE-2025-20362 | Cisco ASA and FTD Software VPN Web Server Unauthorized Access Vulnerability | 6.5 | Yes |
| CVE-2025-20363 | Cisco ASA and FTD Software, IOS Software, IOS XE Software, and IOS XR Software Web Services RCE | 9.0 | No |

### Were these vulnerabilities exploited as zero-days?

Yes. According to Cisco, CVE-2025-20333 and CVE-2025-20362 were exploited in the wild as zero-days.
Both of these vulnerabilities, when chained together, allow an attacker to take over a vulnerable device.

### Which threat actors are exploiting these vulnerabilities?

According to Cisco, the malicious activity associated with CVE-2025-20333 and CVE-2025-20362 is linked to UAT4356, also known as Storm-1849, the same threat actor behind the ArcaneDoor campaign from April 2024.

### Did UAT4356/Storm-1849 exploit any vulnerabilities in the ArcaneDoor campaign?

Yes, UAT4356 leveraged two vulnerabilities in the ArcaneDoor campaign:

| CVE | Description | Campaign | Threat Actors | Associated Malware | Source |
|---|---|---|---|---|---|
| CVE-2024-20353 | Cisco ASA and Firepower Threat Defense (FTD) Software Web Services Denial of Service Vulnerability | ArcaneDoor | UAT4356, STORM-1849 | LINE DANCER, LINE RUNNER | talosintelligence.com |
| CVE-2024-20359 | Cisco ASA and FTD Software Persistent Local Code Execution Vulnerability | ArcaneDoor | UAT4356, STORM-1849 | LINE DANCER, LINE RUNNER | talosintelligence.com |

### Was any malware used by UAT4356/Storm-1849 in this recent campaign?

The National Cyber Security Centre (NCSC) published an alert and a malware analysis report (MAR) detailing two pieces of malware associated with this campaign. The first, RayInitiator, is a multi-stage bootkit designed to persist even if the device is rebooted or upgraded. The second, LINE VIPER, is a user-mode shellcode loader that deploys modular payloads to enable various post-compromise activities; it can be tasked and controlled through either HTTPS-based WebVPN sessions or ICMP.

### Is there a proof-of-concept (PoC) available for these vulnerabilities?

At the time this blog was published, there were no public proof-of-concept (PoC) exploits for any of the vulnerabilities associated with this campaign.

### Cisco also patched CVE-2025-20363. Was this also exploited in the wild?

No. Cisco did not specifically call out CVE-2025-20363 as being exploited in the wild.
According to the advisory, it was found by members of Cisco's Advanced Security Initiatives Group (ASIG) as part of a support case.

### Are patches or mitigations available for CVE-2025-20333, CVE-2025-20362, CVE-2025-20363?

Yes, Cisco has released the following fixes for Cisco ASA and FTD.

| CVE | Affected Product | Affected Versions | Fixed Version |
|---|---|---|---|
| CVE-2025-20333 | Cisco ASA Software | 9.16, 9.17, 9.18, 9.19, 9.20, 9.22 | 9.16.4.85, 9.17.1.45, 9.18.4.47, 9.19.1.37, 9.20.3.7, 9.22.1.3 |
| CVE-2025-20333 | Cisco FTD Software | 7.0, 7.2, 7.4, 7.6 | 7.0.8.1, 7.2.9, 7.4.2.4, 7.6.1 |
| CVE-2025-20363 | Cisco ASA Software | 9.16, 9.18, 9.19, 9.20, 9.22, 9.23 | 9.16.4.84, 9.18.4.57, 9.19.1.42, 9.20.3.16, 9.22.2, 9.23.1.3 |
| CVE-2025-20363 | Cisco FTD Software | 7.0, 7.2, 7.4, 7.6, 7.7 | 7.0.8, 7.2.10, 7.4.2.3, 7.6.1, 7.7.10 |
| CVE-2025-20362 | Cisco ASA Software | 9.16, 9.18, 9.20, 9.22, 9.23 | 9.16.4.85, 9.18.4.67, 9.20.4.10, 9.22.2.14, 9.23.1.19 |
| CVE-2025-20362 | Cisco FTD Software | 7.0, 7.2, 7.4, 7.6, 7.7 | 7.0.8.1, 7.2.10.2, 7.4.2.4, 7.6.2.1, 7.7.10.1 |

Cisco ASA Software:

- Customers on the 9.17 branch must migrate to a fixed release to address CVE-2025-20363.
- Customers on the 9.17 and 9.19 branches must migrate to a fixed release to address CVE-2025-20362.

Cisco FTD Software:

- Customers on the 7.1 and 7.3 branches must migrate to a fixed release to address all three vulnerabilities.

Note that the fixed release for a given branch differs per CVE (on ASA 9.18, for example, 9.18.4.47 for CVE-2025-20333, 9.18.4.57 for CVE-2025-20363 and 9.18.4.67 for CVE-2025-20362). To be covered for all three, upgrade to at least the highest fixed release listed for your branch, and confirm the target release against the Cisco advisories before scheduling the change.

### Has Tenable released any product coverage for these vulnerabilities?

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages as they're released:

- CVE-2025-20333
- CVE-2025-20362
- CVE-2025-20363

This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Additionally, customers can utilize Tenable Attack Surface Management to identify public-facing Cisco devices by using the following query:

## Get more information

- Cisco Event Response: Continued Attacks Against Cisco Firewalls
- ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices
- CVE-2024-20353, CVE-2024-20359: Frequently Asked Questions About ArcaneDoor
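The fix table in the patches section above gives a different fixed release per branch and per CVE, and several branches (ASA 9.17 and 9.19, FTD 7.1 and 7.3) have no fix at all. The following is an added example written for this page, not Cisco's or Tenable's code: it transcribes that table into data and checks a release string against it, so an inventory can be triaged without eyeballing the table. Assumptions: the `FIXED` and `MIGRATE` tables are copied from the table above (branches the table does not mention are reported as unknown rather than guessed), the `9.18(4)47` release format is what ASA `show version` prints for the release the advisory writes as 9.18.4.47, and the hostnames and releases in `inventory` are constructed.

```python
"""Check a running Cisco ASA/FTD release against the fixed releases listed
in the FAQ above. FIXED/MIGRATE are transcribed from the FAQ's fix table; the
show-version normalisation is an assumption (ASA prints 9.18(4)47 for 9.18.4.47)."""
import re
from typing import Dict, Set, Tuple

# Fixed release per CVE -> product -> branch, transcribed from the fix table above.
FIXED: Dict[str, Dict[str, Dict[str, str]]] = {
    "CVE-2025-20333": {
        "ASA": {"9.16": "9.16.4.85", "9.17": "9.17.1.45", "9.18": "9.18.4.47",
                "9.19": "9.19.1.37", "9.20": "9.20.3.7", "9.22": "9.22.1.3"},
        "FTD": {"7.0": "7.0.8.1", "7.2": "7.2.9", "7.4": "7.4.2.4", "7.6": "7.6.1"},
    },
    "CVE-2025-20362": {
        "ASA": {"9.16": "9.16.4.85", "9.18": "9.18.4.67", "9.20": "9.20.4.10",
                "9.22": "9.22.2.14", "9.23": "9.23.1.19"},
        "FTD": {"7.0": "7.0.8.1", "7.2": "7.2.10.2", "7.4": "7.4.2.4",
                "7.6": "7.6.2.1", "7.7": "7.7.10.1"},
    },
    "CVE-2025-20363": {
        "ASA": {"9.16": "9.16.4.84", "9.18": "9.18.4.57", "9.19": "9.19.1.42",
                "9.20": "9.20.3.16", "9.22": "9.22.2", "9.23": "9.23.1.3"},
        "FTD": {"7.0": "7.0.8", "7.2": "7.2.10", "7.4": "7.4.2.3",
                "7.6": "7.6.1", "7.7": "7.7.10"},
    },
}

# Branches with no fixed release: the FAQ says these must migrate to a fixed branch.
MIGRATE: Dict[str, Dict[str, Set[str]]] = {
    "CVE-2025-20333": {"ASA": set(), "FTD": {"7.1", "7.3"}},
    "CVE-2025-20362": {"ASA": {"9.17", "9.19"}, "FTD": {"7.1", "7.3"}},
    "CVE-2025-20363": {"ASA": {"9.17"}, "FTD": {"7.1", "7.3"}},
}


def normalize(release: str) -> str:
    """Turn an ASA-style '9.18(4)47' into dotted '9.18.4.47' (assumed format).
    Dotted strings as written in the fix table pass through unchanged."""
    return re.sub(r"[()]", ".", release.strip()).strip(".")


def parse_version(release: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in normalize(release).split("."))


def branch_of(release: str) -> str:
    major, minor = parse_version(release)[:2]
    return f"{major}.{minor}"


def assess(product: str, release: str) -> Dict[str, str]:
    """Return {CVE: status} for one device. Status is one of 'fixed',
    'vulnerable: upgrade to <release>', 'vulnerable: branch must migrate'
    or 'unknown: branch not in the fix table'."""
    running = parse_version(release)
    branch = branch_of(release)
    result: Dict[str, str] = {}
    for cve in sorted(FIXED):
        if branch in MIGRATE[cve][product]:
            result[cve] = "vulnerable: branch must migrate"
            continue
        fixed = FIXED[cve][product].get(branch)
        if fixed is None:
            # The table says nothing about this branch: do not guess, defer to Cisco.
            result[cve] = "unknown: branch not in the fix table"
        elif running >= parse_version(fixed):
            # Tuple comparison handles unequal lengths: (9,22,2) < (9,22,2,14).
            result[cve] = "fixed"
        else:
            result[cve] = f"vulnerable: upgrade to {fixed}"
    return result


def exposed_to_chain(statuses: Dict[str, str]) -> bool:
    """True while either half of the exploited chain (20333 + 20362) is open."""
    return any(statuses[cve].startswith("vulnerable")
               for cve in ("CVE-2025-20333", "CVE-2025-20362"))


if __name__ == "__main__":
    # Constructed inventory: (hostname, product, release as 'show version' prints it).
    inventory = [
        ("fw-edge-1", "ASA", "9.18(4)47"),
        ("fw-edge-2", "ASA", "9.17(1)45"),
        ("fw-dc-1", "FTD", "7.3.1"),
        ("fw-lab", "ASA", "9.22(2)"),
    ]
    for host, product, release in inventory:
        statuses = assess(product, release)
        flag = "EXPOSED" if exposed_to_chain(statuses) else "ok"
        print(f"{host} ({product} {normalize(release)}): {flag}")
        for cve, status in statuses.items():
            print(f"  {cve}: {status}")
```

The per-CVE result matters more than a single yes/no: a 9.18 device on 9.18.4.47 is fixed for CVE-2025-20333 but still short of 9.18.4.67 for CVE-2025-20362, so it remains exposed to the chain Cisco describes, and a 9.17 device that carries the CVE-2025-20333 fix still has to leave the branch for the other two.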
Analysis Summary
# Vulnerability: Cisco ASA/FTD Zero-Days Exploited in the Wild (CVE-2025-20333, CVE-2025-20362)
## CVE Details
- CVE ID: CVE-2025-20333 and CVE-2025-20362 (exploited in the wild as zero-days); CVE-2025-20363 was disclosed and patched alongside them but has not been reported as exploited.
- CVSS Score: 9.9 (CVE-2025-20333), 6.5 (CVE-2025-20362), 9.0 (CVE-2025-20363), per the CVSSv3 scores in the report above.
- CWE: Not provided in the report.
## Affected Systems
- Products: Cisco Adaptive Security Appliance (ASA) Software and Firewall Threat Defense (FTD) Software for all three CVEs; CVE-2025-20363 additionally affects Cisco IOS, IOS XE and IOS XR Software.
- Versions: The fix table above lists ASA branches 9.16, 9.17, 9.18, 9.19, 9.20, 9.22 and 9.23 and FTD branches 7.0, 7.2, 7.4, 7.6 and 7.7 with fixed releases. ASA 9.17 (CVE-2025-20363), ASA 9.17 and 9.19 (CVE-2025-20362) and FTD 7.1 and 7.3 (all three) have no fixed release and must migrate to a fixed branch.
- Configurations: The vulnerable component for CVE-2025-20333 and CVE-2025-20362 is the VPN web server; the targets are perimeter network devices, as in the earlier ArcaneDoor espionage campaign.
## Vulnerability Description
CVE-2025-20333 is a remote code execution vulnerability and CVE-2025-20362 an unauthorized access vulnerability, both in the VPN web server of Cisco ASA and FTD Software; Cisco reports that the two, chained together, allow an attacker to take over a vulnerable device. CVE-2025-20363 is a remote code execution vulnerability in the web services of ASA, FTD, IOS, IOS XE and IOS XR Software, found by Cisco's Advanced Security Initiatives Group during a support case. Cisco links the exploitation of the first two to UAT4356 (Storm-1849), the actor behind the April 2024 ArcaneDoor campaign. Root-cause details are not given in the report.
## Exploitation
- Status: CVE-2025-20333 and CVE-2025-20362 exploited in the wild as zero-days by UAT4356/Storm-1849; CVE-2025-20363 not reported as exploited. No public proof-of-concept at the time of publication.
- Complexity: Not stated in the report; the two exploited flaws are used as a chain (unauthorized access plus RCE).
- Attack Vector: Network; the vulnerable components are the device's VPN web server (CVE-2025-20333, CVE-2025-20362) and web services (CVE-2025-20363). Post-exploitation tooling described in the NCSC MAR: RayInitiator, a multi-stage bootkit that persists across reboot and upgrade, and LINE VIPER, a user-mode shellcode loader tasked over HTTPS-based WebVPN sessions or ICMP.
## Impact
The report gives CVSSv3 base scores (9.9, 6.5, 9.0) but no per-component breakdown. Chained, CVE-2025-20333 and CVE-2025-20362 give an attacker control of the firewall, and the RayInitiator bootkit described by NCSC is designed so that a reboot or software upgrade alone does not remove the attacker.
## Remediation
### Patches
- Fixed releases per branch are listed in the fix table in the Full Report above; fixed releases differ per CVE within a branch, so the highest listed release for the branch is the one that covers all three. Branches without a fix (ASA 9.17 for CVE-2025-20363, ASA 9.17 and 9.19 for CVE-2025-20362, FTD 7.1 and 7.3 for all three) must migrate to a fixed branch.
- Related CVE plugins are available on Tenable platforms:
  - [CVE-2025-20333](https://www.tenable.com/cve/CVE-2025-20333/plugins)
  - [CVE-2025-20362](https://www.tenable.com/cve/CVE-2025-20362/plugins)
  - [CVE-2025-20363](https://www.tenable.com/cve/CVE-2025-20363/plugins)
### Workarounds
- No workarounds are given in this report; the Cisco advisories are the source for any mitigation if patching must be delayed.
## Detection
- Tenable plugins for the three CVEs are listed on the CVE pages linked above as they are released, including upcoming plugins in the Plugins Pipeline.
- Tenable Attack Surface Management can identify public-facing Cisco devices; the report references a query for this.
- NCSC has published an alert and a malware analysis report covering RayInitiator and LINE VIPER, the malware tied to this campaign; LINE VIPER's command channels are HTTPS-based WebVPN sessions and ICMP.
## References
- Vendor Advisories: the Cisco advisories for CVE-2025-20333, CVE-2025-20362 and CVE-2025-20363, and the Cisco Event Response "Continued Attacks Against Cisco Firewalls".
- Relevant links:
  - Talos, ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices: https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
  - Tenable Plugin Information for CVE-2025-20333: https://www.tenable.com/cve/CVE-2025-20333/plugins
  - Tenable Plugin Information for CVE-2025-20362: https://www.tenable.com/cve/CVE-2025-20362/plugins
  - Tenable Plugin Information for CVE-2025-20363: https://www.tenable.com/cve/CVE-2025-20363/plugins