Cisco firewalls are facing another huge surge of attacks - here's what we know about these latest issues

[Image: Cisco logo] (Image credit: Shutterstock / Ken Wolter)

  • Attackers exploit two zero-days in Cisco ASA firewalls for remote access and persistence
  • Campaign uses stealth tactics like log disabling and firmware tampering to evade detection
  • Cisco urges upgrades to Secure Boot-enabled models and full resets of compromised devices

Cisco is warning customers of an ongoing campaign against companies using some of its services, having become aware of a “new attack variant” recently.

In a new report, the company said it observed an ongoing campaign targeting Cisco ASA 5500-X Series and Secure Firewall devices. The attackers are exploiting two critical zero-day vulnerabilities, tracked as CVE-2025-20333 and CVE-2025-20362, which could allow them to gain remote access, execute arbitrary code, deploy malware, and sometimes even cause Denial of Service (DoS) reboots on unpatched devices.

The attacks started in May 2025, Cisco explained, stressing that the “new variant” is not a distinct piece of malware but an updated attack technique: essentially an evolved version of the same activity linked to the ArcaneDoor threat actor in 2024.

Advanced evasion techniques

In these attacks, the threat actors are exploiting VPN web services on older ASA models that lack Secure Boot and Trust Anchor protection, disabling logs and tampering with ROMMON firmware to maintain persistence, even after reboots.

To remain hidden and hinder any forensic investigation, the threat actors used stealth and advanced evasion techniques, Cisco added:

“Attackers were observed to have exploited multiple zero-day vulnerabilities and employed advanced evasion techniques such as disabling logging, intercepting CLI commands, and intentionally crashing devices to prevent diagnostic analysis,” Cisco said.

“The complexity and sophistication of this incident required an extensive, multi-disciplinary response across Cisco’s engineering and security teams.”

To mitigate the threat, Cisco advises customers to identify affected models and firmware versions, check whether VPN web services are enabled, and upgrade to patched releases, or disable SSL/TLS-based VPN web services as a temporary measure. Devices found to be compromised should then be reset to factory defaults before passwords, certificates, and keys are refreshed.

Only older, unsupported ASA 5500-X devices have been confirmed compromised, while newer Secure Boot-enabled firewalls appear resistant, Cisco stressed, urging all customers to upgrade.
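A triage helper for the checklist above, added here as an illustration and not Cisco's own tooling: it parses constructed `show version` and `show running-config webvpn` output (sample text, not from the article), flags legacy 5500-X hardware that has web VPN services enabled and runs below a fixed release, and maps the result to the advised action. The fixed release is a placeholder to be replaced from Cisco's advisory, and treating an "ASA55" hardware prefix as the 5500-X family is an assumption.

```python
import re

# Constructed sample device output (not from the article), in the shape of
# ASA "show version" and "show running-config webvpn".
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.12(4)
Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
"""
SAMPLE_WEBVPN_CONFIG = """\
webvpn
 enable outside
 anyconnect enable
"""
# Placeholder only: take the real fixed release for your train from Cisco's advisory.
FIXED_VERSION_PLACEHOLDER = (9, 12, 99)

def parse_version(text):
    """Return (hardware model, version tuple) from show version output; None if absent."""
    model = re.search(r"^Hardware:\s+(ASA\w+)", text, re.M)
    ver = re.search(r"Software Version (\d+)\.(\d+)\((\d+)\)", text)
    return (model.group(1) if model else None,
            tuple(int(x) for x in ver.groups()) if ver else None)

def webvpn_enabled(config):
    """True if the webvpn block enables the service on any interface."""
    in_block = False
    for line in config.splitlines():
        if line.strip() == "webvpn":
            in_block = True
            continue
        if in_block and not line.startswith(" "):
            in_block = False  # left the indented webvpn block
        if in_block and re.match(r"\s+enable\s+\S+", line):
            return True
    return False

def triage(show_version, webvpn_config, fixed=FIXED_VERSION_PLACEHOLDER):
    """Combine model, exposure and version into the action the advisory calls for."""
    model, version = parse_version(show_version)
    legacy = bool(model and model.startswith("ASA55"))  # assumption: 5500-X family marker
    exposed = webvpn_enabled(webvpn_config)
    below_fixed = version is not None and version < fixed
    if exposed and below_fixed:
        action = "upgrade now or disable SSL/TLS web VPN; if compromise is found, factory reset then rotate passwords, certificates and keys"
    elif legacy:
        action = "plan migration to a Secure Boot-capable platform"
    else:
        action = "no action from this check"
    return {"model": model, "version": version, "legacy_5500x": legacy,
            "webvpn_enabled": exposed, "below_fixed": below_fixed, "action": action}
```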

Via The Register



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
