By Sead Fadilpašić
Copyright techradar
US Government tells agencies to patch Cisco firewalls immediately, or face attack
26 September 2025
State-sponsored attacker is leveraging two Cisco zero-days
CISA warns of active exploitation of two critical Cisco vulnerabilities
Attackers modify ROM to persist across reboots; linked to state-sponsored group ArcaneDoor
Agencies must patch, analyze, and report Cisco device status by October 2, 2025
The US Cybersecurity and Infrastructure Security Agency (CISA) is urging government agencies to address two worrying Cisco security vulnerabilities, warning that threat actors are actively exploiting the flaws.
In Emergency Directive 25-03, published on September 25, 2025, CISA said there is a “widespread” attack campaign targeting Cisco Adaptive Security Appliances and Firepower firewall devices.
In the campaign, the attackers are modifying read-only memory (ROM) to persist across reboots and upgrades. To achieve this persistence, threat actors are leveraging two flaws: CVE-2025-20333 (remote code execution), and CVE-2025-20362 (privilege escalation). While the latter has a medium rating (6.3/10), the former is deemed critical, with a 9.9/10 score.
State activity
To make matters worse, Cisco believes the two issues are being exploited by a group tracked as ArcaneDoor (or Storm-1849 by Microsoft).
The cybersecurity community believes ArcaneDoor to be a state-sponsored threat actor, but it is not yet known which state it belongs to.
“Cisco assesses that this campaign is connected to the ArcaneDoor activity identified in early 2024 and that this threat actor has demonstrated a capability to successfully modify ASA ROM at least as early as 2024,” CISA said in the report.
Now, federal agencies must act quickly and defend their infrastructure, or risk getting attacked.
That includes running an inventory of all Cisco ASA and Firepower devices, running forensic analysis using CISA’s core dump and hunt instructions, disconnecting compromised or end-of-life devices, and applying updates. After that, agencies are ordered to report their findings and inventory back to CISA by October 2, 2025.
In the meantime, both vulnerabilities were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, giving federal agencies a three-week deadline (until October 16) to patch up or stop using the vulnerable tools altogether.
CISA did not mention who ArcaneDoor is targeting, but generally speaking, besides government and public sector organizations, Cisco’s ASA and Firepower devices are widely used by enterprises and corporations, managed security service providers, and education & research firms.