
CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities

4 unique sources, 14 articles

Summary


The Cybersecurity and Infrastructure Security Agency (CISA) has **reiterated urgent warnings** to U.S. federal agencies after discovering that some organizations incorrectly applied updates for **CVE-2025-20333** and **CVE-2025-20362**, leaving devices marked as 'patched' but still vulnerable to active exploitation. CISA confirmed it is tracking ongoing attacks targeting unpatched Cisco ASA and Firepower devices within Federal Civilian Executive Branch (FCEB) agencies, with over **30,000 devices** remaining exposed globally, down from 45,000 in early October. The vulnerabilities enable unauthenticated remote code execution, unauthorized access to restricted endpoints, and denial-of-service (DoS) attacks. They have been linked to the **ArcaneDoor campaign**, a state-sponsored group active since at least July 2023, which has deployed malware like **RayInitiator** and **LINE VIPER**, manipulated ROM for persistence, and forced devices into reboot loops. CISA’s **Emergency Directive 25-03**, issued in September 2025, mandates federal agencies to account for all affected devices, disconnect end-of-support systems, and apply minimum software versions. The directive also introduced the **RayDetect scanner** to detect compromise evidence in ASA core dumps. Recent findings reveal the same threat actor also exploited **CVE-2025-5777 (Citrix Bleed 2)** and **CVE-2025-20337 (Cisco ISE)** as zero-days, deploying a custom web shell ('IdentityAuditAction') with advanced evasion techniques. The campaign’s indiscriminate targeting and multi-platform exploitation underscore the adversary’s broad capabilities and access to sophisticated tools.

Timeline

  1. 12.11.2025 16:00 2 articles · 1d ago

    Threat actor exploits Citrix Bleed 2 and Cisco ISE zero-days pre-disclosure

    An advanced threat actor exploited **CVE-2025-5777 (Citrix Bleed 2)** in NetScaler ADC and Gateway and **CVE-2025-20337** in Cisco Identity Services Engine (ISE) as zero-days prior to public disclosure. Amazon’s threat intelligence team detected the activity via its MadPot honeypot service, observing exploitation attempts for CVE-2025-5777 before its disclosure in late June 2025. The same actor leveraged CVE-2025-20337, a critical deserialization flaw in Cisco ISE, to deploy a custom web shell named **‘IdentityAuditAction’**, disguised as a legitimate ISE component. The web shell functioned as an **HTTP listener**, used **Java reflection to inject into Tomcat server threads**, and employed **DES encryption with non-standard base64 encoding** to evade detection. Access required knowledge of specific HTTP headers, and the malware left minimal forensic traces. While the tactics demonstrate **advanced knowledge of Java/Tomcat internals and Cisco ISE architecture**, the targeting appeared indiscriminate, which is unusual for highly targeted APT operations. Amazon shared its findings with Cisco, prompting further investigation into the zero-day exploitation. The vulnerabilities allow unauthenticated attackers to **store malicious files, execute arbitrary code, or gain root privileges** on vulnerable devices. This development links the threat actor to a broader set of zero-day exploits beyond the previously reported Cisco ASA/FTD vulnerabilities, suggesting a **multi-platform campaign** with evolving tactics. Organizations are urged to apply security updates for both CVE-2025-5777 and CVE-2025-20337 and to restrict access to edge network devices. Amazon’s latest report confirms the threat actor’s use of **custom-built malware** targeting Cisco ISE environments, employing in-memory operation, Tomcat thread injection, and non-standard encryption. The campaign’s indiscriminate nature, combined with the exploitation of multiple zero-days, suggests a highly capable adversary with access to sophisticated tools and potentially non-public vulnerability intelligence.

  2. 07.11.2025 17:44 1 articles · 6d ago

    Cisco warns of new attack variant causing DoS conditions

    Cisco warned that vulnerabilities CVE-2025-20362 and CVE-2025-20333 are now being exploited to force ASA and FTD firewalls into reboot loops. Shadowserver is currently tracking over 34,000 internet-exposed ASA and FTD instances vulnerable to CVE-2025-20333 and CVE-2025-20362 attacks, down from nearly 50,000 unpatched firewalls in September. Cisco disclosed new vulnerabilities in certain Cisco ASA 5500-X devices running Cisco Secure Firewall ASA software with VPN web services enabled, discovered in collaboration with several government agencies. Cisco attributed these attacks to the same state-sponsored group behind the 2024 ArcaneDoor campaign and urged customers to apply the available software fixes. On November 5, 2025, Cisco became aware of a new attack variant targeting devices running Cisco Secure ASA Software or Cisco Secure FTD Software releases affected by the same vulnerabilities, causing unpatched devices to unexpectedly reload, leading to denial of service (DoS) conditions.

  3. 26.09.2025 08:51 2 articles · 1mo ago

    ArcaneDoor campaign deploys RayInitiator and LINE VIPER malware

    The U.K. National Cyber Security Centre (NCSC) confirmed the exploitation of Cisco ASA zero-day vulnerabilities to deliver RayInitiator and LINE VIPER malware. Cisco began investigating attacks on multiple government agencies in May 2025, linked to the state-sponsored ArcaneDoor campaign. The attacks targeted Cisco ASA 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data. The threat actor modified ROMMON to facilitate persistence across reboots and software upgrades. The compromised devices include ASA 5500-X Series models running specific software releases with VPN web services enabled. The Canadian Centre for Cyber Security urged organizations to update to a fixed version of Cisco ASA and FTD products to counter the threat.

  4. 25.09.2025 22:22 3 articles · 1mo ago

    Cisco discloses additional zero-day vulnerability in SNMP subsystem

    Cisco disclosed an additional zero-day vulnerability (CVE-2025-20352) affecting the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software and Cisco IOS XE. This flaw allows authenticated remote code execution and denial of service (DoS) attacks, affecting at least 2 million devices. Cisco strongly urges customers to update to a fixed version or implement mitigations immediately.

  5. 25.09.2025 20:52 5 articles · 1mo ago

    CISA orders agencies to patch Cisco flaws exploited in ArcaneDoor campaign

    CISA ordered agencies to identify all Cisco ASA and Firepower appliances on their networks, disconnect all compromised devices from the network, and patch those that show no signs of malicious activity by 12 PM EDT on September 26. CISA also ordered that agencies must permanently disconnect ASA devices that are reaching the end of support by September 30 from their networks.

  6. 25.09.2025 19:49 8 articles · 1mo ago

    Cisco acknowledges exploitation of vulnerabilities and issues patches

    Cisco credited security researcher Jahmel Harris for discovering and reporting the vulnerabilities. Cisco addressed two critical security flaws in Unified Contact Center Express (Unified CCX) that could permit an unauthenticated, remote attacker to upload arbitrary files, bypass authentication, execute arbitrary commands, and elevate privileges to root. Cisco has shipped patches for a high-severity DoS bug (CVE-2025-20343) in Identity Services Engine (ISE) that could allow an unauthenticated, remote attacker to cause a susceptible device to restart unexpectedly. Cisco released security updates to patch critical security flaws in its Contact Center software, which could enable attackers to bypass authentication (CVE-2025-20358) and execute commands with root privileges (CVE-2025-20354).

  7. 25.09.2025 15:00 12 articles · 1mo ago

    CISA issues Emergency Directive 25-03 for Cisco ASA zero-day vulnerabilities

    Reporting confirms the ongoing exploitation of multiple zero-day vulnerabilities in Cisco ASA and Firepower Threat Defense (FTD) software. Nearly 50,000 Cisco ASA and FTD appliances were initially vulnerable to the actively exploited flaws, with Shadowserver tracking over 48,800 internet-exposed instances in late September. The vulnerabilities CVE-2025-20333 and CVE-2025-20362 enable arbitrary code execution and access to restricted URL endpoints, with exploitation linked to the ArcaneDoor campaign. CISA’s Emergency Directive 25-03, issued on September 25, 2025, mandated federal agencies to identify and upgrade vulnerable devices within 24 hours, disconnect end-of-support systems, and apply minimum software versions. The directive also introduced the **RayDetect scanner** to detect RayInitiator malware in ASA core dumps and provided **Temporary Risk Mitigation Recommendations** for non-compliant agencies. **New development:** CISA has warned that **some organizations incorrectly applied updates** for CVE-2025-20333 and CVE-2025-20362, leaving devices marked as patched but still vulnerable. The agency confirmed it is tracking **active exploitation of vulnerable software versions** in Federal Civilian Executive Branch (FCEB) agencies. Shadowserver’s latest data shows **over 30,000 devices remain exposed** globally, down from 45,000 in early October. CISA’s updated guidance directs agencies to verify correct patch application and ensure **all devices, including non-internet-exposed ones, are fully patched** to mitigate breach risks. The vulnerabilities have been exploited to force ASA and FTD firewalls into reboot loops, with the ArcaneDoor campaign deploying advanced malware (RayInitiator, LINE VIPER) and manipulating ROMMON for persistence. The same threat actor also exploited zero-days in **Citrix Bleed 2 (CVE-2025-5777)** and **Cisco ISE (CVE-2025-20337)**, demonstrating a multi-platform, indiscriminate targeting approach.



Similar Happenings

Accelerated Exploitation of New Vulnerabilities in 2025

In 2025, approximately 50 to 61 percent of newly disclosed vulnerabilities were weaponized within 48 hours, driven by automated attack systems. Attackers exploit the delay between vulnerability disclosure and patch deployment, which often follows a slower, human-driven process. The traditional patching cadence is no longer sustainable as attackers use AI and automation to rapidly weaponize vulnerabilities, while defenders struggle to keep up. The exploitation economy operates at machine speed, with threat actors leveraging automated scripts, AI, and dark web forums to quickly develop and distribute exploits. Defenders face challenges due to the need for near-perfect stability and the risk of service interruptions, which attackers do not consider. To mitigate this, organizations must transition to automated, policy-driven remediation to close the gap between vulnerability disclosure and patch deployment.

International Law Enforcement Disrupts Rhadamanthys, VenomRAT, and Elysium Malware Operations

Law enforcement agencies from 11 countries, coordinated by Europol and Eurojust, disrupted operations of Rhadamanthys infostealer, VenomRAT, and Elysium botnet malware as part of Operation Endgame 3.0. The action, which occurred between November 10 and 13, 2025, involved seizing over 1,000 servers and 20 domains, arresting a key suspect in Greece, and uncovering millions of stolen credentials. The operation also involved multiple private cybersecurity partners. The dismantled infrastructure included hundreds of thousands of infected computers, with the main suspect behind Rhadamanthys having access to over 100,000 crypto wallets worth millions of euros. Victims were often unaware of their systems' infections. The latest version of Rhadamanthys added support for collecting device and web browser fingerprints, along with incorporating several mechanisms to fly under the radar.

Landfall Android Spyware Exploits Samsung Zero-Day via WhatsApp

The Landfall Android spyware targeted Samsung devices through a zero-day vulnerability (CVE-2025-21042) in a Samsung image processing library. The exploit was delivered via a malicious DNG image sent through WhatsApp, affecting Samsung Galaxy S22, S23, S24, Z Fold4, and Z Flip4 phones. The spyware enables microphone recording, location tracking, and data exfiltration. The attacks have been ongoing since at least July 2024, and the vulnerability was patched by Samsung in April. The threat actor, tracked as CL-UNK-1054, remains unidentified, with potential links to the Stealth Falcon group and other surveillance vendors. The attacks primarily targeted individuals in the Middle East and North Africa. The exploit involved a zero-click approach, and the malicious DNG files contained an embedded ZIP file with a shared object library to run the spyware. The spyware manipulated the device's SELinux policy to gain elevated permissions and facilitate persistence, and communicated with a command-and-control (C2) server over HTTPS for beaconing and receiving next-stage payloads. The spyware can fingerprint devices based on hardware and SIM IDs and targets a broad range of Samsung’s latest flagship models, excluding the latest S25 series devices. Unit 42 identified six C2 servers linked to the Landfall campaign, with some flagged by Turkey’s CERT. C2 domain registration and infrastructure patterns share similarities with those seen in Stealth Falcon operations, originating from the United Arab Emirates. CISA has added CVE-2025-21042 to its Known Exploited Vulnerabilities catalog, ordering federal agencies to patch within three weeks.

Critical Cisco UCCX RMI Vulnerability Exploitable for Root Command Execution

A critical vulnerability in Cisco Unified Contact Center Express (UCCX) allows unauthenticated attackers to execute commands with root privileges. The flaw, CVE-2025-20354, resides in the Java Remote Method Invocation (RMI) process. Cisco has released patches to address this issue. The UCCX platform is a software solution for managing customer interactions in call centers. The vulnerability enables attackers to upload crafted files and execute arbitrary commands on the underlying operating system. Cisco also patched a critical flaw in the CCX Editor application, which allows unauthenticated attackers to bypass authentication and execute arbitrary scripts with admin permissions. Updates are available for affected versions.

Critical Remote Command Execution Vulnerability Exploited in CentOS Web Panel

A critical remote command execution vulnerability (CVE-2025-48703) in CentOS Web Panel (CWP) is being actively exploited. The flaw allows unauthenticated attackers to execute arbitrary shell commands as a valid user. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, urging federal entities to patch or discontinue use by November 25. The issue affects all CWP versions before 0.9.8.1204. The vulnerability was demonstrated in late June and reported to CWP on May 13. The fix was released on June 18 in version 0.9.8.1205. CISA did not provide details on the exploitation methods, targets, or origin of the malicious activity.