* This article was updated on September 26 to add a third vulnerability, CVE-2025-20363, patched by Cisco.
On September 25, 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03 on two Cisco firewall vulnerabilities, noting that they have been actively exploited as zero-days.
Cisco published advisories for these vulnerabilities, tracked as CVE-2025-20333 and CVE-2025-20362, on the same day. A third critical vulnerability, CVE-2025-20363, was patched at the same time; Cisco has not reported exploitation of it.
The vulnerabilities affect Cisco Secure Firewall ASA and FTD software running a vulnerable release with a vulnerable configuration, that is, with the VPN web server exposed through SSL VPN (WebVPN) or AnyConnect remote-access services.
Cisco’s Product Security Incident Response Team identified the flaws during a support case investigation, with assistance from multiple national cybersecurity agencies, and released fixed software for ASA and FTD platforms. No workarounds are available.
No proof-of-concept (PoC) exploit code has been publicly disclosed, but Cisco confirmed active exploitation before the patches were released. The attackers demonstrated the ability to disable logging, intercept command-line interface (CLI) commands, and deliberately crash devices to evade detection.
In some cases the attackers modified ROMMON so that their implant persisted across reboots and software upgrades; Cisco observed this on ASA 5500-X Series devices that lack Secure Boot and Trust Anchor technologies. The worst case for CVE-2025-20333 is full device compromise with root-level code execution. CVE-2025-20362 lets an unauthenticated attacker reach restricted VPN web-server URLs, which is useful for reconnaissance on its own and, chained with CVE-2025-20333, removes the credential requirement for the root compromise.
Organizations should upgrade to the fixed releases immediately and confirm whether their devices are exposed by checking the running configuration against the Cisco Secure Firewall ASA Software Vulnerable Configurations section of the Cisco advisory. ASA devices that have reached, or are about to reach, end of support should be disconnected rather than patched. Agencies and enterprises should also perform forensic analysis, using the core-dump collection and detection procedures provided by Cisco and CISA, to identify compromise and the persistence mechanisms described above; because the attackers tamper with logging, an absence of log evidence is not evidence of a clean device.
VPN threat-detection settings should be reviewed and hardened. Patching should be prioritized for public-facing Cisco VPN infrastructure, and logging and monitoring must be confirmed to be operational, since the exploit chain includes disabling them. Given the targeted nature of the campaign, rapid response and full remediation are essential to prevent further compromise.
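The following is an added example, not code from Cisco, CISA, or the original article, showing how a practitioner can triage a fleet of ASA running-configs for the VPN web-server features that put a device in scope for these advisories. It assumes the three feature markers named in the Cisco advisory's vulnerable-configuration section: SSL VPN (`enable <interface>` under `webvpn`), AnyConnect IKEv2 remote access with client services (`crypto ikev2 enable <interface> client-services ...`), and Mobile User Security (`mus ...` under `webvpn`). The sample configuration is constructed for the demonstration and is not from any real device; the regular expressions are assumptions about ASA syntax and must be reconciled with the advisory text before use, and the fixed-release comparison is left to the reader because release numbers belong to the advisory.

```python
"""Triage an ASA running-config for VPN web-server exposure.

Added example for the CVE-2025-20333 / CVE-2025-20362 / CVE-2025-20363
advisories. The feature markers below are assumptions drawn from the
advisory's vulnerable-configuration section; verify them against it.
"""
import re
from collections import defaultdict

# Constructed sample config (hypothetical device, not captured from a real one).
SAMPLE_CONFIG = """\
: Saved
ASA Version 9.18(4)52
!
hostname edge-fw
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
crypto ikev2 enable outside client-services port 443
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-linux64-4.10.08029-webdeploy-k9.pkg 1
 anyconnect enable
 mus server enable port 5443
!
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev2 ssl-client
"""

# Assumed ASA syntax for AnyConnect IKEv2 remote access with client services.
IKEV2_CLIENT_SERVICES = re.compile(
    r"^crypto ikev2 enable (\S+) client-services(?: port (\d+))?$"
)


def _blocks(config):
    """Yield (top_level_command, [sub_commands]) pairs.

    ASA configs put top-level commands at column 0 and their sub-commands
    indented by one space; '!' and ':' lines are comments/separators.
    """
    top, subs = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith(("!", ":")):
            continue
        if raw[0].isspace():
            if top is not None:
                subs.append(raw.strip())
        else:
            if top is not None:
                yield top, subs
            top, subs = raw.strip(), []
    if top is not None:
        yield top, subs


def vulnerable_features(config):
    """Return {feature_name: [evidence, ...]} for each exposing feature found."""
    found = defaultdict(list)
    for top, subs in _blocks(config):
        m = IKEV2_CLIENT_SERVICES.match(top)
        if m:
            found["anyconnect-ikev2-client-services"].append(m.group(1))
            continue
        if top == "webvpn":
            for sub in subs:
                m2 = re.match(r"^enable (\S+)$", sub)  # SSL VPN on an interface
                if m2:
                    found["ssl-vpn"].append(m2.group(1))
                elif sub.startswith("mus "):  # Mobile User Security
                    found["mobile-user-security"].append(sub)
    return dict(found)


def running_version(config):
    """Extract the ASA release string so it can be compared with the advisory."""
    m = re.search(r"^ASA Version (\S+)", config, re.MULTILINE)
    return m.group(1) if m else None


def is_exposed(config):
    """True if the VPN web server is reachable through any of the features."""
    return bool(vulnerable_features(config))


if __name__ == "__main__":
    print("running release:", running_version(SAMPLE_CONFIG))
    for feature, evidence in vulnerable_features(SAMPLE_CONFIG).items():
        print(f"{feature}: {evidence}")
    print("in scope for advisory:", is_exposed(SAMPLE_CONFIG))
```

Run it against a directory of `show running-config` captures to rank which firewalls to patch first; any device reported as exposed also needs the forensic checks described above, since a clean configuration says nothing about whether the device was already compromised.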