Exploitation of Cisco ASA and FTD Zero-Day Vulnerabilities by Storm-1849
Cisco confirmed that attackers have been actively exploiting two zero-day vulnerabilities, CVE-2025-20333 and CVE-2025-20362, in Cisco Secure Firewall Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. These vulnerabilities allow attackers to execute arbitrary code as root and access restricted URLs without authentication, leading to device reloads and denial-of-service (DoS) conditions. The U.K. National Cyber Security Centre (NCSC) and Cisco have linked these exploits to malware campaigns involving RayInitiator and LINE VIPER, and have urged immediate patching. Security advisories highlight that unpatched devices are at risk of persistent compromise, and recommend comprehensive remediation steps including patching, forensic analysis, and resetting credentials.
Threat intelligence reports attribute the exploitation campaign to the China-linked group Storm-1849 (ArcaneDoor), which targeted U.S. financial institutions, defense contractors, and military organizations throughout October. Despite public disclosure and patch directives from CISA, attacks continued, demonstrating the attackers' operational sophistication and persistence. Experts warn that organizations running unpatched ASA devices should assume compromise and prioritize forensic hunting for ROM-level malware, as well as implement robust monitoring and maintenance practices to mitigate ongoing risks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
12 events from the most recent confirmed update back to the earliest known activity.
CISA orders federal malware checks and Firepower inventories
CISA, working with the U.K. NCSC, directed federal agencies to verify malware checks on affected Cisco devices by April 24, 2026 and submit Cisco Firepower device inventories by May 1. The advisory warned that persistence may remain even after patching and told agencies not to disconnect affected devices unless instructed by CISA.
CISA confirms FIRESTARTER compromise at U.S. FCEB agency
CISA and the U.K. NCSC reported that APT actors used the FIRESTARTER backdoor on publicly exposed Cisco Firepower and Secure Firewall ASA/FTD devices after exploiting CVE-2025-20333 and/or CVE-2025-20362. CISA said it observed a successful implant in the wild on a Cisco Firepower device at a U.S. FCEB agency and warned the malware can survive firmware updates and patching, requiring deeper remediation than patching alone.
Talos identifies FIRESTARTER backdoor in ArcaneDoor Firepower attacks
Cisco Talos reported that UAT-4356/ArcaneDoor continued targeting Cisco Firepower devices running FXOS using CVE-2025-20333 and CVE-2025-20362, deploying a custom backdoor called FIRESTARTER. Talos said the implant enables remote access and arbitrary code execution in the LINA process, overlaps technically with RayInitiator Stage 3 shellcode, and uses transient persistence removable by hard reboot.
Cisco warns of evolved persistence mechanism on ASA and FTD devices
Cisco published a new security advisory describing the continued evolution of the persistence mechanism used against Secure Firewall ASA and FTD devices. The advisory indicates the campaign developed beyond previously disclosed ArcaneDoor persistence techniques and represents a new stage in Cisco's public reporting on the threat.
Cisco releases additional fixes for Unified CCX and ISE flaws
Cisco also patched two critical Unified Contact Center Express vulnerabilities, CVE-2025-20354 and CVE-2025-20358, and a high-severity denial-of-service flaw in Identity Services Engine. The company said it had no evidence these additional vulnerabilities were exploited in the wild and urged customers to update promptly.
Cisco links new firewall activity to ArcaneDoor with high confidence
Cisco assessed with high confidence that the newly observed ASA/FTD attack activity is related to the ArcaneDoor threat actor, also referenced as UAT4356 or Storm-1849 in reporting. Cisco said it had no evidence that other FTD or hardware platforms had been successfully compromised.
Cisco discloses new ASA/FTD attack variant causing device reloads
Cisco announced a new attack variant against vulnerable Secure Firewall ASA and FTD devices using CVE-2025-20333 and CVE-2025-20362. The company warned the activity could trigger unexpected reloads and denial-of-service conditions on unpatched systems and urged upgrades to fixed releases.
Storm-1849 targets Cisco ASA devices throughout October
During October 2025, the China-linked group Storm-1849 targeted vulnerable Cisco ASA firewalls, focusing on U.S. financial institutions, defense contractors, and military organizations. The campaign reportedly paused only during China's Golden Week holiday despite prior patching guidance.
Bootkit persistence and anti-forensics disclosed in Cisco ASA campaign
Reporting on the Cisco zero-day campaign said the suspected China-linked actor deployed a firmware/ROM bootkit on Cisco ASA and Firepower devices, enabling persistence that could survive reboots and even patching. The malware also reportedly included anti-forensic behavior that rebooted devices when analysts used tab-completion for certain CLI commands, complicating investigation and remediation.
CISA orders patching of exploited Cisco firewall flaws
In late September 2025, CISA directed organizations to patch CVE-2025-20333 and CVE-2025-20362 after the vulnerabilities were identified as actively exploited. The flaws were also added to the Known Exploited Vulnerabilities catalog.
U.S. and U.K. agencies link zero-days to RayInitiator and LINE VIPER
Government reporting, including from the U.K. NCSC, said the two Cisco flaws were exploited as zero-days to deploy the RayInitiator and LINE VIPER malware families. The malware enabled persistence, command-and-control, traffic capture, and other post-compromise capabilities on Cisco ASA devices.
ArcaneDoor activity against Cisco ASA begins
Cisco firewall attacks tied to the ArcaneDoor campaign were reported as ongoing since May 2025, involving exploitation of CVE-2025-20333 and CVE-2025-20362 as zero-days. The activity included malware deployment and persistent compromise of affected devices.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
15 references tracked. Mallory keeps watching after this page renders.
Hackers Exploiting Cisco Firepower Devices’ Using n-day Vulnerabilities to Gain Unauthorized Access
cybersecuritynews.com
Open sourceCISA: Malware attack compromises US agency via Cisco exploit | brief | SC Media
scworld.com
Open sourceCISA Hunts for Cisco Backdoor Spotted on Federal Network
govinfosecurity.com
Open sourceNew Cisco firewall malware can only be killed by pulling the plug - Help Net Security
helpnetsecurity.com
Open sourceCisco Warns of New Firewall Attack Exploiting CVE-2025-20333 and CVE-2025-20362
thehackernews.com
Open sourceCisco security advisory (AV25-726)
cyber.gc.ca
Open sourceChina-linked Storm-1849 spent October targeting Cisco ASA firewalls
scworld.com
Open sourceChina-Nexus Actor Deploys Firmware Bootkit on Cisco ASA Devices - Austin Larsen
austinlarsen.me
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical Remote Code Execution and Authorization Bypass Vulnerabilities in Cisco ASA and FTD WebVPN
Multiple critical vulnerabilities have been discovered in the Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) WebVPN components, which are being actively exploited in the wild. The vulnerabilities, identified as CVE-2025-20362, CVE-2025-20333, and CVE-2025-20363, allow attackers to bypass authentication and achieve remote code execution (RCE) as root on affected devices. CVE-2025-20362 is an unauthenticated authorization bypass that enables attackers to access restricted endpoints without valid credentials, serving as a key component in exploit chains. When combined with CVE-2025-20333, attackers can send malicious HTTPS requests to execute arbitrary code as root, even without prior authentication. CVE-2025-20363 is a related flaw that also enables unauthenticated RCE on ASA/FTD devices and authenticated RCE on some Cisco IOS components. These vulnerabilities affect Cisco ASA versions 9.16 through 9.23 and Cisco FTD versions 7.0 through 7.7, with specific software images requiring validation against Cisco advisories. Cisco and CISA have confirmed active exploitation and widespread scanning for these vulnerabilities, prompting CISA to issue Emergency Directive 25-03 on September 25, 2025, mandating immediate action by federal agencies. The threat actor responsible for these attacks is attributed to the same group behind the ArcaneDoor (UAT4356) state-sponsored espionage campaign first observed in 2024. Organizations are urged to patch or upgrade to Cisco’s fixed releases without delay, and to restrict or disable vulnerable devices if immediate upgrades are not possible. Compromised devices should be isolated and thoroughly investigated for signs of threat actor presence. Cisco has provided detailed guidance for detection, and CISA’s Malware Next Generation tool can be used to hunt for indicators of compromise. Security researchers, including Rapid7, have published technical analyses and exploit chains demonstrating the severity and ease of exploitation. The vulnerabilities are considered highly critical due to their unauthenticated nature and the potential for full device compromise, which could lead to further lateral movement within affected networks. The rapid response from both Cisco and CISA underscores the urgency and scale of the threat. Organizations using Cisco ASA or FTD devices should assume exposure if running affected versions and prioritize remediation. The vulnerabilities highlight the ongoing targeting of network edge devices by sophisticated threat actors, particularly those engaged in espionage. Failure to address these vulnerabilities could result in significant operational disruption and data compromise. The security community continues to monitor for new exploitation techniques and advises ongoing vigilance. The release of proof-of-concept code and active scanning increases the risk of opportunistic attacks by additional threat actors. Timely patching and adherence to Cisco and CISA recommendations are essential to mitigate risk from these critical vulnerabilities.
Mar 21, 2026
Critical Zero-Day Exploitation of Cisco Security Appliances
Multiple critical zero-day vulnerabilities have been exploited in Cisco security products, targeting both email security appliances and network firewalls. A China-linked APT, identified as UAT-9686, exploited a zero-day vulnerability (CVE-2025-20393) in Cisco email security appliances running AsyncOS, specifically when the Spam Quarantine feature is internet-accessible. This flaw allows attackers to gain root privileges, posing a severe risk to organizations relying on these appliances for email protection. In parallel, Cisco Secure Firewall Adaptive Security Appliance (ASA) and Threat Defense (FTD) software have been targeted by a separate espionage campaign, linked to the ArcaneDoor threat actor, exploiting multiple zero-days (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363) to achieve unauthenticated remote code execution and persistent access, even after system reboots or upgrades. These campaigns have prompted emergency directives from CISA and highlight the ongoing threat to perimeter network devices. Attackers have leveraged these vulnerabilities to establish persistent footholds, manipulate device memory, and potentially pivot deeper into victim networks. The vulnerabilities affecting ASA and FTD firewalls were publicly disclosed and patched, but the email security appliance zero-day remains unpatched, increasing the urgency for organizations to review their exposure and apply mitigations where possible.
Mar 21, 2026
Coordinated Attacks and Zero-Day Exploitation Targeting Cisco, Palo Alto, and Fortinet Network Devices
A coordinated cyberattack campaign has been identified targeting major networking devices from Cisco, Palo Alto Networks, and Fortinet, with evidence suggesting a single threat actor is orchestrating the activity. Security researchers at GreyNoise observed simultaneous scanning of Cisco ASA devices, increased login attempts against Palo Alto Networks portals, and brute-force attacks on Fortinet SSL VPNs, all originating from shared subnets and exhibiting recurring TCP fingerprints. This temporal and infrastructural correlation points to a sophisticated, cross-vendor campaign rather than opportunistic attacks. Experts note that adversaries are leveraging generative AI to automate these attacks, adopting tactics typically associated with nation-state actors. The campaign is notable for its focus on high-value targets such as networking devices and VPNs, which serve as critical gateways into enterprise networks and often possess privileged access that can bypass internal security controls. Industries such as manufacturing, industrials, and utilities are particularly at risk due to the potential for operational disruption and rapid financial gain for attackers. Concurrently, Cisco disclosed two zero-day vulnerabilities in its ASA and Secure Firewall Threat Defense software, identified as CVE-2025-20333 and CVE-2025-20362, which are being actively exploited in the wild. CVE-2025-20333 allows authenticated remote code execution due to improper input validation in the VPN web server, potentially granting attackers root-level access. CVE-2025-20362 is an authentication bypass flaw that enables remote attackers to access restricted endpoints without credentials. The combination of these vulnerabilities poses a severe risk, as attackers can gain full control of affected devices. Cisco’s Product Security Incident Response Team (PSIRT) has confirmed ongoing exploitation and is collaborating with government agencies to coordinate a response. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive, urging all federal agencies to immediately mitigate exposure and assess for compromise. Over 90,000 Cisco FTD devices are reportedly exposed, highlighting the scale of the threat. Attackers are conducting large-scale scanning campaigns to identify vulnerable ASA login portals and entry points. Security experts emphasize the urgent need for organizations to inventory their Cisco ASA and FTD devices, apply available patches, and implement recommended mitigations. The campaign’s use of shared infrastructure and advanced automation underscores a shift in attacker methodology toward more efficient and targeted operations. The strategic targeting of network infrastructure devices reflects their critical role in enterprise security and the high impact of successful compromise. Organizations are advised to monitor for signs of compromise, follow vendor and government guidance, and prioritize remediation of affected systems. The ongoing nature of the attacks and the active exploitation of zero-day vulnerabilities make this a critical threat to enterprise and government networks worldwide.
Mar 21, 2026