Actively exploited: Cisco ASA and FTD hit via two zero-day flaws
Cisco has warned of two critical vulnerabilities affecting its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, both already exploited in the wild.
How the vulnerability works
The first flaw, tracked as CVE-2025-20333 (CVSS score: 9.9), is an input validation bug in HTTP(S) requests. It allows a remote authenticated attacker with valid VPN credentials to execute arbitrary code as root by sending specially crafted HTTP requests.
The second, CVE-2025-20362 (CVSS score: 6.5), stems from the same input validation issue but can be abused without authentication. Attackers can access restricted URL endpoints simply by sending crafted requests, bypassing security controls.
Why this is so dangerous
Cisco has acknowledged “attempted exploitation” of both vulnerabilities and suspects they may be chained together to bypass authentication and execute malicious code on affected appliances. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaws to its Known Exploited Vulnerabilities (KEV) catalog and issued an emergency directive requiring federal agencies to apply mitigations within 24 hours.
The attacks are linked to the threat cluster ArcaneDoor, previously tied to campaigns targeting network devices from multiple vendors. CISA notes that attackers are also attempting to manipulate the devices’ read-only memory to persist across reboots and upgrades.
Mitigation and next steps
Cisco has released software updates addressing both flaws and urged customers to patch immediately.
To address CVE-2025-20333 on Cisco ASA, update to:
- 9.16.4.85
- 9.17.1.45
- 9.18.4.47
- 9.19.1.37
- 9.20.3.7
- 9.22.1.3
To address CVE-2025-20362 on Cisco ASA, update to:
- 9.16.4.85
- 9.18.4.67
- 9.20.4.10
- 9.22.2.14
- 9.23.1.19
On Cisco FTD, both CVEs can be addressed by updating to versions 7.0.8.1, 7.4.2.4, or 7.6.1.
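The fixed-release lists above can be turned into an inventory check. The following is an added example, not Holm Security or Cisco code. It assumes that a later release within the same major.minor train also contains the fix and that versions may be written either dotted or in the parenthesised form such as 9.18(4)50. The hostnames and running versions are constructed.

```python
import re

# Fixed releases copied from the lists above, one per release train.
FIXED = {
    ("asa", "CVE-2025-20333"): ["9.16.4.85", "9.17.1.45", "9.18.4.47",
                                "9.19.1.37", "9.20.3.7", "9.22.1.3"],
    ("asa", "CVE-2025-20362"): ["9.16.4.85", "9.18.4.67", "9.20.4.10",
                                "9.22.2.14", "9.23.1.19"],
    ("ftd", "CVE-2025-20333"): ["7.0.8.1", "7.4.2.4", "7.6.1"],
    ("ftd", "CVE-2025-20362"): ["7.0.8.1", "7.4.2.4", "7.6.1"],
}

def parse_version(text):
    """Accept '9.18.4.50' or the parenthesised '9.18(4)50'; return a 4-tuple of ints."""
    parts = [p for p in re.split(r"[.()]", text.strip()) if p]
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))  # pad so 7.6.1 compares as 7.6.1.0

def status(product, cve, running):
    """Return 'fixed', 'needs-update' or 'unlisted-train' for one device and CVE."""
    have = parse_version(running)
    for fixed in map(parse_version, FIXED[(product, cve)]):
        if fixed[:2] == have[:2]:  # same major.minor train (assumed comparable)
            return "fixed" if have >= fixed else "needs-update"
    # The page gives no fixed release for this train, so do not guess.
    return "unlisted-train"

def triage(inventory):
    """Map each hostname to its per-CVE status."""
    return {
        host: {cve: status(product, cve, version)
               for (prod, cve) in FIXED if prod == product}
        for host, product, version in inventory
    }

# Constructed sample inventory (hostnames and running versions are made up).
SAMPLE = [
    ("edge-fw-01", "asa", "9.18(4)50"),
    ("edge-fw-02", "asa", "9.17.1.45"),
    ("dc-ftd-01", "ftd", "7.4.2.4"),
    ("dc-ftd-02", "ftd", "7.6.0"),
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE).items():
        print(host, result)
```

The first sample device shows why each CVE needs its own check: 9.18.4.50 is past the CVE-2025-20333 fix but below the CVE-2025-20362 fix for the same train. A "fixed" result only compares version numbers and says nothing about whether a device was compromised before it was updated, which matters given the persistence across upgrades described above.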
Holm Security's response
Holm Security has released the following plugins to scan for these vulnerabilities:
- HID-2-1-5379978: Cisco Adaptive Security Appliance Software Remote Code Execution Vulnerability (CVE-2025-20333)
- HID-2-1-5379867: Cisco Adaptive Security Appliance Software Unauthorized Access Vulnerability (CVE-2025-20362)
- HID-2-1-5379979: Cisco Firepower Threat Defense Software Remote Code Execution Vulnerability (CVE-2025-20333)
- HID-2-1-5379970: Cisco Firepower Threat Defense Software Unauthorized Access Vulnerability (CVE-2025-20362)
How to scan for specific vulnerabilities
Read how you can include or exclude a specific vulnerability in a scan profile here.