On September 25, Cisco published two critical advisories regarding CVE-2025-20333 (CVSS 9.9) and CVE-2025-20363 (CVSS 9.0). The vulnerabilities allow remote attackers to execute arbitrary code as root due to improper validation of user-supplied input in HTTP(S) requests. The vulnerabilities affect Cisco Adaptive Security Appliance (ASA), Firewall Threat Defense (FTD), and IOS.

Successful exploitation may lead to complete compromise of the affected device. Active exploitation of these vulnerabilities in targeted attacks has been confirmed, and Cisco attributes the activity to the threat actor behind ArcaneDoor. Exploitation was first discovered in May 2025, so compromises may date back several months.

Affected organisations are strongly advised to upgrade to fixed versions of the affected products.

Affected systems

Whether a system is affected or not depends on several factors such as the version, configuration, and presence of Secure Boot and Trust Anchor technologies.

We recommend that potentially affected organisations use the forms published in the Cisco advisories above to search for vulnerabilities affecting a specific software release, and use the Cisco-provided tool as a precautionary measure.

Recommendations

mnemonic recommends the following actions to all organisations with affected systems:

  • Determine device model and software release
  • Review the device configuration
  • Remediate vulnerabilities: upgrade (recommended) or mitigate

mnemonic recommends the following actions to organisations with vulnerable configurations:

  • Take a snapshot or make a copy (if possible)
  • Recover potentially compromised device
  • Perform forensics on snapshot (if compromised)
  • Enable external log retention

More details about these steps are outlined in Cisco's Detection Guide for Continued Attacks against Cisco Firewalls by the Threat Actor behind ArcaneDoor and Cisco Event Response: Continued Attacks Against Cisco Firewalls.
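As an added example (not part of mnemonic's or Cisco's guidance), the following Python triage helper covers the first two steps above: it extracts model and release from `show version` output, flags ASA 5500-X hardware (which the assessment below notes lacks Secure Boot and Trust Anchor), and lists HTTP(S)-facing services in the running configuration, since the flaws are triggered through HTTP(S) requests. The `show version` and configuration samples are constructed, the version string is a placeholder, and the choice to centre the configuration review on HTTP(S)-facing services is my assumption; the extracted release must still be checked against Cisco's advisory forms and tool.

```python
import re

# Constructed sample "show version" output (not from the advisory); the
# release string is a placeholder, not a statement about affected versions.
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.12(4)
Device Manager Version 7.12(2)

Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
"""

# Constructed running-config excerpt with HTTP(S)-facing services enabled.
SAMPLE_CONFIG = """\
http server enable
http 10.0.0.0 255.255.255.0 inside
webvpn
 enable outside
 anyconnect enable
"""

VERSION_RE = re.compile(r"Adaptive Security Appliance Software Version (\S+)")
HARDWARE_RE = re.compile(r"^Hardware:\s+(ASA\d+)", re.MULTILINE)

def parse_show_version(text):
    """Return (model, release) from ASA 'show version' output, or None if absent."""
    ver, hw = VERSION_RE.search(text), HARDWARE_RE.search(text)
    return (hw.group(1), ver.group(1)) if ver and hw else None

def is_legacy_5500x(model):
    """ASA 5500-X hardware (model strings ASA55xx) has no Secure Boot / Trust Anchor."""
    return re.fullmatch(r"ASA55\d\d", model) is not None

def http_facing_services(config):
    """List HTTP(S)-facing services found in a running-config excerpt."""
    found = ["http-server"] if re.search(r"^http server enable", config, re.M) else []
    in_webvpn = False
    for line in config.splitlines():
        if line.startswith("webvpn"):
            in_webvpn = True
        elif in_webvpn and line.startswith(" enable "):
            found.append("webvpn:" + line.split()[1])  # interface the web VPN listens on
        elif not line.startswith(" "):
            in_webvpn = False
    return found

def triage(show_version, config):
    """Map the advisory's first steps onto a per-device action list."""
    parsed = parse_show_version(show_version)
    if parsed is None:
        return {"status": "unknown", "actions": ["collect 'show version' output"]}
    model, release = parsed
    exposed = http_facing_services(config)
    actions = ["check release %s with Cisco's advisory form/tool" % release]
    if exposed:
        actions.append("upgrade or mitigate; HTTP(S) services: " + ", ".join(exposed))
    if exposed and is_legacy_5500x(model):  # platform seen in observed attacks
        actions += ["snapshot device before any change",
                    "treat as potentially compromised: forensics, external log retention"]
    return {"status": "ok", "model": model, "release": release,
            "exposed": exposed, "actions": actions}
```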

Threat Intelligence assessment

Exploitation has already been confirmed in the wild and has been used in targeted attacks to deploy malware on exposed systems. While observed attacks have been limited to Cisco ASA 5500-X Series platforms, which do not support Secure Boot or Trust Anchor mechanisms, the vulnerabilities apply to a wider set of models.

Because Cisco devices play a central role in secure remote access and networking, these vulnerabilities are likely to attract broad attention from threat actors. Exploit attempts are expected to increase as more details emerge in the coming days. As yet, we are not aware of any public proof-of-concept code for the vulnerabilities, but this is likely to change with time.

The combination of active in-the-wild exploitation, the likelihood of an imminent proof-of-concept release, and the strategic value of Cisco devices to threat actors underlines the severity of the vulnerabilities.

The UK National Cyber Security Centre (NCSC-UK) has published a new analysis of the malware components, dubbed RayInitiator and LINE VIPER, to assist with detection and mitigation.