- CISA warns of active exploitation of two critical Cisco vulnerabilities
- Attackers modify ROM to persist across reboots; linked to state-sponsored group ArcaneDoor
- Agencies must patch, analyze, and report Cisco device status by October 2, 2025
The US Cybersecurity and Infrastructure Security Agency (CISA) is urging government agencies to address two worrying Cisco security vulnerabilities, warning threat actors are actively exploiting the flaws.
As per Emergency Directive 25-03, published on September 25, 2025, CISA said there is a “widespread” attack campaign targeting Cisco Adaptive Appliances and Firepower firewall devices.
In the campaign, the attackers are modifying read-only memory (ROM) to persist across reboots and upgrades. To achieve this persistence, threat actors are leveraging two flaws: CVE-2025-20333 (remote code execution), and CVE-2025-20362 (privilege escalation). While the latter has a medium rating (6.3/10), the former is deemed critical, with a 9.9/10 score.
State activity
To make matters worse, Cisco believes the issues two are being exploited by a group tracked as ArcaneDoor (or Storm-1849 by Microsoft).
The cybersecurity community believes ArcaneDoor to be a state-sponsored threat actor, but it is yet unknown which state it belongs to.
“Cisco assesses that this campaign is connected to the ArcaneDoor activity identified in early 2024 and that this threat actor has demonstrated a capability to successfully modify ASA ROM at least as early as 2024,” CISA said in the report.
Now, federal agencies must act quickly and defend their infrastructure, or risk getting attacked.
That includes running inventory of all Cisco ASA and Firepower devices, running forensic analysis using CISA’s core dump and hunt instructions, disconnecting compromised or end-of-life devices, and applying updates. After that, agencies are ordered to report their findings and inventory back to CISA by October 2, 2025.
In the meantime, both vulnerabilities were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, giving federal agencies a three-week deadline (until October 16) to patch up or stop using the vulnerable tools altogether.
CISA did not mention who ArcaneDoor is targeting, but generally speaking, besides government and public sector organizations, Cisco’s ASA and Firepower devices are widely used by enterprises and corporations, managed security service providers, and education & research firms.
