Cisco’s Wave of Actively Exploited Zero-Day Bugs Targets Firewalls, IOS

Summary

CISA has issued an Emergency Directive warning of an ongoing campaign exploiting multiple Cisco zero-day vulnerabilities in Adaptive Security Appliances (ASA) and IOS/IOS XE. The activity, tied to the same APT linked to the 2024 ArcaneDoor attacks, enables unauthenticated remote code execution and manipulation of the device ROM so that the implant persists across reboots. The UK NCSC reports the implanted malware families RayInitiator and LINE VIPER on compromised devices. Cisco additionally disclosed a separate SNMP-related zero-day in IOS/IOS XE that allows authenticated RCE or denial of service.

The high-severity ASA bugs include CVE-2025-20333 (CVSS 9.9) and CVE-2025-20363 (CVSS 9.0), plus a privilege-escalation issue CVE-2025-20362 (CVSS 6.5). Cisco also flagged CVE-2025-20352 (CVSS 7.7) impacting SNMP on IOS/IOS XE and some Meraki/Catalyst devices. CISA ordered federal agencies to disconnect or upgrade end-of-support devices immediately, highlighting the urgent, widespread risk.

Key Points

  • Active campaign exploits multiple Cisco zero-days against ASA firewalls and some Firepower models, enabling unauthenticated RCE and ROM persistence.
  • CISA links the activity to the ArcaneDoor-related APT; NCSC observed RayInitiator and LINE VIPER malware on affected devices.
  • Critical CVEs: CVE-2025-20333 (9.9), CVE-2025-20363 (9.0); medium privilege escalation CVE-2025-20362 (6.5).
  • Separate IOS/IOS XE SNMP zero-day CVE-2025-20352 (7.7) allows authenticated root-level RCE or DoS if SNMP is enabled and the attacker holds valid SNMP credentials.
  • Affected hardware includes many ASA 5500-X series models (5512-X through 5585-X) running specific ASA releases without Secure Boot/Trust Anchor; some devices are end of life.
  • CISA mandated federal remediation by 11:59 PM EST, 26 September 2025; organisations should prioritise patching, upgrades, or disconnecting vulnerable kit.
  • Mass exploitation is feasible because Cisco gear is ubiquitous, often internet-exposed, and hard to patch due to uptime/change-control constraints.
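The SNMP bug above is only reachable when the agent is enabled and credentials exist, so the first triage step on an IOS/IOS XE estate is to find out which devices expose SNMP and with what credentials. The script below is an added example written for this page, not code from the article, CISA or Cisco: it parses the `snmp-server` and `access-list` lines of a `show running-config` dump, lists v1/v2c community strings (which are shared secrets sent in clear text, i.e. credentials) and v3 users, checks whether a source ACL restricts each community, and assigns a coarse risk rating. The sample configs, hostnames, community strings and ACL numbers are constructed; the rating thresholds are my own triage assumptions, and a clean result is a prioritisation aid, not a substitute for applying Cisco's fixed release.

```python
"""Triage SNMP exposure in an IOS / IOS XE running-config (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample configs (not from the article or any real device).
WEAK_CONFIG = """\
hostname edge-rtr-01
!
snmp-server community public RO
snmp-server community s3cr3t RW 10
snmp-server group NETMON v3 priv
snmp-server user monitor NETMON v3 auth sha ExamplePass1 priv aes 128 ExampleKey1
snmp-server host 192.0.2.50 version 2c public
access-list 10 permit 192.0.2.10
access-list 10 permit 198.51.100.0 0.0.0.255
!
end
"""

HARDENED_CONFIG = """\
hostname edge-rtr-01
!
snmp-server group NETMON v3 priv access 10
snmp-server user monitor NETMON v3 auth sha ExamplePass1 priv aes 128 ExampleKey1
access-list 10 permit 192.0.2.10
!
end
"""

NO_SNMP_CONFIG = "hostname edge-rtr-01\n!\nend\n"

# snmp-server community <string> [view <name>] RO|RW [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?: view \S+)? (?P<mode>RO|RW)(?: (?P<acl>\S+))?$",
    re.IGNORECASE,
)
V3_USER_RE = re.compile(r"^snmp-server user (?P<user>\S+) (?P<group>\S+) v3(?P<rest>.*)$")
ACL_RE = re.compile(r"^access-list (?P<acl>\S+) permit (?P<source>.+)$")


@dataclass
class Community:
    name: str
    mode: str            # RO or RW
    acl: Optional[str]   # standard ACL restricting source addresses, if any


@dataclass
class SnmpTriage:
    enabled: bool = False
    communities: list = field(default_factory=list)
    v3_users: list = field(default_factory=list)
    acl_entries: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)

    @property
    def risk(self) -> str:
        """Assumed rating: RW or unrestricted community -> high,
        ACL-restricted RO communities -> medium, v3-only -> low, agent off -> none."""
        if not self.enabled:
            return "none"
        if any(c.mode == "RW" or c.acl is None for c in self.communities):
            return "high"
        if self.communities:
            return "medium"
        return "low"


def triage_snmp(config: str) -> SnmpTriage:
    result = SnmpTriage()
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("snmp-server "):
            result.enabled = True  # the first snmp-server command turns the agent on
        if m := COMMUNITY_RE.match(line):
            result.communities.append(Community(m["name"], m["mode"].upper(), m["acl"]))
        elif m := V3_USER_RE.match(line):
            result.v3_users.append(m["user"])
            if "auth" not in m["rest"]:  # v3 without auth is noAuthNoPriv
                result.findings.append(f"v3 user '{m['user']}' configured without authentication")
        elif m := ACL_RE.match(line):
            result.acl_entries.setdefault(m["acl"], []).append(m["source"])

    for c in result.communities:
        if c.mode == "RW":
            result.findings.append(f"community '{c.name}' grants write access")
        if c.acl is None:
            result.findings.append(f"community '{c.name}' has no source ACL")
        elif c.acl not in result.acl_entries:
            result.findings.append(f"community '{c.name}' references ACL {c.acl} not defined in this config")
    return result


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG), ("no-snmp", NO_SNMP_CONFIG)):
        t = triage_snmp(cfg)
        print(f"{label}: enabled={t.enabled} risk={t.risk} v3_users={t.v3_users}")
        for f in t.findings:
            print("  -", f)
```

Run it against config dumps collected from your inventory tooling; devices rated high (community strings, especially RW or unrestricted ones) are the ones to patch or restrict first, while a v3-only device still needs the fixed release but is a less attractive target while you work through the queue.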

Why should I read this?

Short version: if you run Cisco kit, this is a red-alert moment. These bugs let attackers get deep access, stick around across reboots, and slurp data — and plenty of affected models are still widely deployed. We’ve done the reading so you know to triage SNMP settings, check ASA/Firepower firmware, and prioritise immediate upgrades or mitigations. Don’t wait for a breach to force your hand.

Source

Source: https://www.darkreading.com/vulnerabilities-threats/cisco-actively-exploited-zero-day-bugs-firewalls-ios
