Full Report
Bill Cassidy letter asks if Switchzilla sat on critical flaws before feds were forced into emergency patching US Senator Bill Cassidy has fired off a pointed letter to Cisco over the firewall flaws that allegedly let hackers breach "at least one federal agency."…
Analysis Summary
# Vulnerability: Cisco ASA/FTD Firewall Flaws Exploited by Threat Actors
## CVE Details
- CVE ID: CVE-2025-20333, CVE-2025-20362
- CVSS Score: Unknown (specific scores are not provided in the text; the flaws are described as "critical")
- CWE: Not specified
## Affected Systems
- Products: Cisco Adaptive Security Appliance (ASA), Cisco Firepower Threat Defense (FTD) devices.
- Versions: Specific vulnerable versions are not detailed in the text, but the issue prompted emergency patching.
- Configurations: Devices running the affected software/firmware.
## Vulnerability Description
Two critical flaws in Cisco ASA and FTD devices have been exploited by threat actors, allegedly leading to breaches at "at least one federal agency." The exploitation allowed attackers (linked to the ArcaneDoor campaign and threat group "UAT4356") to compromise systems, "dropping implants, running commands, and siphoning data."
## Exploitation
- Status: Exploited in the wild (confirmed by Cisco and CISA; exploitation dates back to as early as May).
- Complexity: Implied to be exploitable by sophisticated state-affiliated actors; the text gives no specifics on any public proof-of-concept (PoC).
- Attack Vector: Likely network, given that the flaws are in firewall software; exploitation provided initial access that led to remote command execution and data exfiltration.
## Impact
- Confidentiality: High (Data siphoning confirmed).
- Integrity: High (Ability to run commands and drop implants).
- Availability: Potential impact; the presence of implants and a compromised device state could affect service availability.
## Remediation
### Patches
- Patches are available, as CISA mandated emergency patching within 24 hours. Specific patch versions are not listed in the source text. Cisco released fixes prior to the Senate inquiry.
### Workarounds
- Agencies were directed to check logs for signs of compromise and to apply the fixes.
- Devices that have reached End-of-Support (EoS) were directed to be removed from service entirely.
## Detection
- Detection methods suggested by CISA included checking logs for signs of compromise related to exploitation of these specific vulnerabilities.
- Attackers were observed "dropping implants, running commands, and siphoning data"; evidence of these activities (unexpected implants, unauthorized command execution, and anomalous outbound data transfers) serves as the indicators of compromise (IoCs) to look for.
## References
- Senator Cassidy Letter: hxxps://www.help.senate.gov/imo/media/doc/bc_letter_to_cisco_on_cybersecurity.pdf
- Vendor/CISA Advisories: Not linked in the source text; their existence is implied by CISA's emergency patching mandate and Cisco's acknowledgement of prior exploitation.