Full Report
Cisco has reported exploitation in the wild of two 0-day vulnerabilities affecting Cisco Adaptive Security Appliance (ASA), CVE-2025-20333 and CVE-2025-20362, allowing RCE and local privilege escalation, respectively. NCSC and CISA have corroborated these reports, noting the u...
Analysis Summary
# Vulnerability: ArcaneDoor Exploitation of Cisco ASA 0-Days
## CVE Details
- CVE ID: CVE-2025-20333, CVE-2025-20362
- CVSS Score: Not specified in the provided text. (Requires external lookup for accurate scoring/severity).
- CWE: Not specified in the provided text.
## Affected Systems
- Products: Cisco Adaptive Security Appliance (ASA)
- Versions: Not specified in the provided text.
- Configurations: Not specified in the provided text.
## Vulnerability Description
The campaign exploits two separate 0-day vulnerabilities in Cisco ASA devices:
1. **CVE-2025-20333:** Allows for Remote Code Execution (RCE).
2. **CVE-2025-20362:** Allows for Local Privilege Escalation (LPE).
## Exploitation
- Status: Exploited in the wild (Corroborated by NCSC and CISA).
- Complexity: Implied to be significant, as two distinct 0-days are chained.
- Attack Vector: Attack chain likely begins with network-based exploitation (RCE), followed by local escalation.
## Impact
- Confidentiality: High (Due to RCE and subsequent data exfiltration mentioned in the campaign description).
- Integrity: High (Due to RCE and potential for system modification).
- Availability: Potential (If the RCE leads to full device compromise or denial of service).
## Remediation
### Patches
- Specific patch versions are **not listed** in the provided context, but immediate patching is required based on the CISA/NCSC corroboration and the September 26, 2025 remediation deadline for US federal agencies.
### Workarounds
- Temporary mitigations are **not listed** in the provided context.
## Detection
- Observed Malware: RayInitiator & LINE VIPER.
- Associated Campaign: Renewed "ArcaneDoor" Campaign (Attributed to threat actors active in early 2024).
- Indicators of Compromise: Look for associated network traffic or file artifacts related to RayInitiator and LINE VIPER post-exploitation.
## References
- Vendor Advisories: https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks
- Relevant Links: CISA and NCSC advisories corroborate exploitation.