Executive Summary
In September 2025, U.S. federal agencies were ordered by CISA to urgently patch Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices after two critical zero-day vulnerabilities (CVE-2025-20333, CVE-2025-20362) were exploited by the APT group UAT4356 (STORM-1849). Attackers achieved unauthenticated remote code execution and persistent control by manipulating device ROMMON, deploying malware such as LINE VIPER and the RayInitiator bootkit to facilitate malware implants, command execution, and possible data exfiltration. The campaign, linked to the larger ArcaneDoor operation, threatened essential government and global infrastructure by allowing full device compromise, evasion of detection, and resistance to conventional remediation steps.
This incident highlights an escalating trend in sophisticated, state-linked attacks targeting edge infrastructure, often leveraging supply-chain weaknesses and persistent malware able to survive reboots and firmware updates. It also underscores renewed regulatory pressure for timely vulnerability mitigation and increased focus on Zero Trust architectures for critical sectors.
Why This Matters Now
These attacks demonstrate how nation-state actors are aggressively targeting network edge devices with zero-day exploits that grant persistent, stealthy access, bypassing traditional security controls. Immediate remediation is crucial because unpatched ASA and Firepower devices can serve as gateways for deep, ongoing infiltration, jeopardizing sensitive data and critical government operations.
Attack Path Analysis
Attackers exploited zero-day vulnerabilities in Cisco ASA/FTD devices to remotely gain initial access and implant persistent malware. They escalated privileges by modifying ROMMON for persistence, then traversed internal network boundaries, likely seeking additional footholds or sensitive resources. The threat actors established command and control using custom implants while evading detection by disabling logs and manipulating device functions. Data exfiltration was possible via covert channels through compromised appliances. Finally, impact was sustained by malware persistence across reboots and upgrades, increasing disruption and expanding threat exposure.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited unpatched zero-day flaws (CVE-2025-20333 and CVE-2025-20362) on exposed Cisco ASA/FTD firewalls to achieve unauthenticated remote code execution and deploy initial malware.
Related CVEs
CVE-2025-20333
CVSS 9.9
A vulnerability in the VPN web server of Cisco Secure Firewall ASA and FTD Software could allow an authenticated, remote attacker to execute arbitrary code on an affected device.
Affected Products:
Cisco Secure Firewall Adaptive Security Appliance (ASA) Software – 9.12.4.72, 9.14.4.28, 9.16.4.85, 9.18.4.67, 9.20.4.10, 9.22.2.14, 9.23.1.19
Cisco Secure Firewall Threat Defense (FTD) Software – 6.2.3.19, 6.4.0.15, 6.6.5.2, 7.0.1.1, 7.1.0.1
Exploit Status:
exploited in the wild
CVE-2025-20362
CVSS 6.5
A vulnerability in the VPN web server of Cisco Secure Firewall ASA and FTD Software could allow an unauthenticated, remote attacker to access restricted URL endpoints related to remote access VPN.
Affected Products:
Cisco Secure Firewall Adaptive Security Appliance (ASA) Software – 9.12.4.72, 9.14.4.28, 9.16.4.85, 9.18.4.67, 9.20.4.10, 9.22.2.14, 9.23.1.19
Cisco Secure Firewall Threat Defense (FTD) Software – 6.2.3.19, 6.4.0.15, 6.6.5.2, 7.0.1.1, 7.1.0.1
Exploit Status:
exploited in the wild
CVE-2025-20363
CVSS 9
A vulnerability in the web services of Cisco Secure Firewall ASA, FTD, IOS, IOS XE, and IOS XR Software could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.
Affected Products:
Cisco Secure Firewall Adaptive Security Appliance (ASA) Software – 9.12.4.72, 9.14.4.28, 9.16.4.85, 9.18.4.67, 9.20.4.10, 9.22.2.14, 9.23.1.19
Cisco Secure Firewall Threat Defense (FTD) Software – 6.2.3.19, 6.4.0.15, 6.6.5.2, 7.0.1.1, 7.1.0.1
Cisco IOS Software – 15.2(4)M9, 15.4(3)M10, 15.5(3)M8
Cisco IOS XE Software – 16.9.5, 16.12.3, 17.3.1
Cisco IOS XR Software – 6.5.3, 7.0.2, 7.1.1
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Hardware Additions
Boot or Logon Autostart Execution: Bootkit
Ingress Tool Transfer
Impair Defenses: Disable or Modify Tools
Indicator Removal: File Deletion
Obfuscated Files or Information
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of System Components and Software
Control ID: 6.4.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Art. 9
CISA ZTMM 2.0 – Continuous Device Monitoring and Patching
Control ID: Device: Monitoring and Patch Management
NIS2 Directive – Technical and Organizational Measures
Control ID: Art. 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
CISA emergency directive targeting federal agencies using Cisco ASA/FTD devices creates immediate compliance requirements and operational disruption risks.
Computer/Network Security
ArcaneDoor APT campaign exploiting Cisco zero-days directly impacts security infrastructure providers and their client protection capabilities nationwide.
Financial Services
Critical firewall vulnerabilities threaten encrypted traffic protection and zero trust segmentation required for HIPAA and PCI compliance frameworks.
Health Care / Life Sciences
Zero-day exploits compromising network security appliances violate HIPAA encryption requirements and enable potential healthcare data exfiltration attacks.
Sources
- CISA orders agencies to patch Cisco flaws exploited in zero-day attacks: https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-cisco-flaws-exploited-in-zero-day-attacks/
- Cisco Event Response: Continued Attacks Against Cisco Firewalls: https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks
- Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Remote Code Execution Vulnerability: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Comprehensive Zero Trust segmentation, inline threat detection, encrypted east-west and egress traffic controls, and centralized visibility would have limited or prevented exploit-driven compromise, impeded attacker lateral movement, and enabled faster detection and remediation at each stage.
Control: Cloud Firewall (ACF)
Mitigation: Inbound exploit traffic would be inspected and blocked at the perimeter.
Control: Threat Detection & Anomaly Response
Mitigation: Unusual privilege escalations and device reconfigurations would trigger immediate alerts.
Control: Zero Trust Segmentation
Mitigation: Segmentation blocks horizontal movement from management networks to production services.
Control: Inline IPS (Suricata)
Mitigation: Malicious C2 communications are detected and disrupted in real time.
Control: Egress Security & Policy Enforcement
Mitigation: Unauthorized data egress attempts are prevented and/or logged.
Rapid detection and isolation of compromised assets limits downstream business impact.
Impact at a Glance
Affected Business Functions
- Network Security
- Remote Access VPN Services
Estimated downtime: 3 days
Estimated loss: $500,000
Potential unauthorized access to sensitive network configurations and user credentials due to exploitation of the vulnerabilities.
Recommended Actions
Key Takeaways & Next Steps
- Patch all perimeter and infrastructure devices promptly to mitigate zero-day exposure.
- Enforce Zero Trust Segmentation between device management, user, and production environments to contain breaches.
- Deploy inline IPS, anomaly detection, and egress controls to block exploit, lateral, C2, and exfiltration activity.
- Centralize multicloud visibility, auditing, and asset inventory for rapid detection and remediation of suspicious activity.
- Regularly review device and workload configurations for integrity, and enforce encryption of traffic both in transit and east-west.