Security: Zero-Day Vulnerabilities Impacting Cisco Software (ASA & FTD)
Cisco has revealed that a highly advanced state-sponsored threat actor is actively exploiting multiple zero-day vulnerabilities in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. Cisco associates this actor with a prior campaign known as ArcaneDoor.
This threat actor primarily targets government networks worldwide for data theft. Cisco has observed exploitation of these recently identified zero-day vulnerabilities combined with sophisticated evasion techniques designed to defeat detection and logging on the compromised devices.
The trend of suspected nation-state actors exploiting zero-day vulnerabilities in internet-facing devices continues. These perimeter devices, such as firewalls, VPN gateways, routers, and load balancers, act as the security barrier between an organization’s internal network and the internet. Breaching these devices provides a direct and often stealthy entry point into the network.
Information Regarding the Vulnerabilities
Cisco has released advisories for three critical vulnerabilities affecting ASA and FTD devices. Two of these, CVE-2025-20333 and CVE-2025-20362, are actively being exploited by attackers in the wild. Additionally, Cisco has identified a third vulnerability, CVE-2025-20363, which is considered at high risk for imminent exploitation. These flaws enable attackers to execute arbitrary code, steal data, and install persistent malware that can survive device reboots.
As of September 25, 2025, Cisco has issued software updates to remediate all three identified vulnerabilities. Organizations are strongly advised to prioritize the immediate installation of these updates on all affected systems to reduce the risk of exploitation and safeguard their networks.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released Emergency Directive (ED) 25-03, requiring federal agencies to implement urgent mitigation measures in response to the significant threat posed by this campaign. These vulnerabilities impact critical perimeter network devices, creating considerable risk for both public and private sector entities.
Meanwhile, the U.K.'s National Cyber Security Centre (NCSC) published a malware analysis report (PDF) detailing the RayInitiator and LINE VIPER malware families used in attacks exploiting these zero-day flaws. The analysis describes RayInitiator as a multi-stage GRand Unified Bootloader (GRUB) bootkit that persists across reboots and firmware updates and deploys the LINE VIPER shellcode loader on Cisco ASA 5500-X series devices that lack secure boot. LINE VIPER operates in memory and receives command-and-control instructions either through WebVPN client authentication sessions over HTTPS or via ICMP, with responses transmitted over raw TCP.
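Because LINE VIPER is described as suppressing logging on the appliance itself, the ICMP-in, raw-TCP-out channel is best hunted for in flow data collected outside the device (a span port or a NetFlow collector upstream of the ASA). The following is an added example, not code from Cisco, the NCSC or the advisory, showing a simple correlation heuristic over constructed flow records: flag any external peer that sends ICMP to the firewall and then receives a TCP connection initiated by the firewall shortly afterwards. The firewall address, the time window and the flow records are all assumptions made up for the example; real flow exports would need to be mapped into the same tuple shape.

```python
"""Heuristic hunt for the LINE VIPER C2 pattern described in the NCSC report:
ICMP arrives at the firewall, and the firewall then opens a raw TCP
connection back to the same peer. Added example with constructed data."""

# Assumption: the ASA/FTD outside interface address (TEST-NET placeholder).
FIREWALL_IP = "192.0.2.1"

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, protocol).
# A perimeter firewall answering a ping is normal; a perimeter firewall
# *initiating* a TCP session to the host that just pinged it is not.
CONSTRUCTED_FLOWS = [
    (100, "203.0.113.50", "192.0.2.1", "ICMP"),  # ping from peer A
    (101, "192.0.2.1", "203.0.113.50", "ICMP"),  # ordinary echo reply
    (102, "192.0.2.1", "203.0.113.50", "TCP"),   # firewall opens TCP to A
    (200, "198.51.100.7", "192.0.2.1", "ICMP"),  # ping from peer B
    (201, "192.0.2.1", "198.51.100.7", "ICMP"),  # echo reply only, benign
    (300, "192.0.2.1", "203.0.113.9", "TCP"),    # outbound TCP, no ICMP prelude
]


def find_icmp_then_tcp(flows, firewall_ip, window=30):
    """Return (peer, icmp_ts, tcp_ts) for every peer that sent ICMP to the
    firewall and then received a firewall-initiated TCP flow within
    `window` seconds. `window` is an assumed tuning value."""
    last_icmp = {}  # peer -> timestamp of its most recent inbound ICMP
    hits = []
    for ts, src, dst, proto in sorted(flows):
        if proto == "ICMP" and dst == firewall_ip:
            last_icmp[src] = ts
        elif proto == "TCP" and src == firewall_ip:
            seen = last_icmp.get(dst)
            if seen is not None and 0 <= ts - seen <= window:
                hits.append((dst, seen, ts))
    return hits


if __name__ == "__main__":
    for peer, icmp_ts, tcp_ts in find_icmp_then_tcp(CONSTRUCTED_FLOWS, FIREWALL_IP):
        print(f"suspicious: {peer} pinged firewall at t={icmp_ts}, "
              f"firewall connected back over TCP at t={tcp_ts}")
```

Flow records cannot tell "raw" TCP from any other TCP, so this is a triage signal rather than a verdict: expected outbound sessions from the appliance (update servers, management, logging destinations) should be allowlisted before the results are reviewed, and any hit on an ASA 5500-X without secure boot is a reason to follow Cisco's forensic guidance rather than to reboot the device.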