ArcaneDoor Espionage Campaign Exploiting High-Risk Cisco ASA and FTD Firewall Flaws
On September 25, 2025, Cisco disclosed three new CVEs affecting its networking products, two of which had already been exploited as zero-days before disclosure. Greenbone now includes detection tests for all three high-risk CVEs in the OPENVAS ENTERPRISE FEED.
CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362 (CVSS 6.5) affect the VPN web server of the Cisco Secure Firewall Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) platforms. The VPN web server is the component that terminates SSL/TLS-based remote-access VPN sessions, so on most deployments it is reachable from the internet by design. The two CVEs can be chained for full takeover of an unpatched device, and they have been used in the ArcaneDoor espionage campaign. A third flaw, CVE-2025-20363 (CVSS 9.0), is not tagged as actively exploited but has been bundled into most national security advisories addressing the first two. It affects a longer list of products: Cisco ASA and FTD, as well as Cisco IOS, IOS XE, and IOS XR under certain configurations.
Greenbone’s OPENVAS ENTERPRISE FEED includes detection checks for each new high-risk CVE [1][2][3][4][5][6][7][8][9]. You can start a free trial to scan your IT environment for these and other cybersecurity vulnerabilities. Below, we discuss aspects of this ongoing situation, including the attack campaign, a brief technical description of the three flaws, and mitigation guidance.
Campaigns Exploiting Cisco ASA 5500-X Devices
CVE-2025-20333 and CVE-2025-20362 were exploited as zero-days against Cisco ASA 5500-X series devices that lack Secure Boot. Chained, they give an unauthenticated attacker full control of the device. Known campaigns have deployed RayInitiator (a persistent bootkit) and LINE VIPER (a user-mode shellcode loader) to achieve persistence [TA0003], execute commands remotely [TA0011], and exfiltrate data [TA0010]. The attacks are attributed to the ArcaneDoor cyber-espionage campaign, which has targeted perimeter network devices since early 2024 and is considered highly sophisticated. Advanced techniques used in the attacks include:
- Low-level ROMMON (ROM Monitor) tampering [004] and Pre-OS bootkit [T1542.003] for covert persistence between reboots
- Command-line interface (CLI) interception [008]
- Disabling system logging [001]
- Network packet capture [T1040]
- Bypassing AAA network-device authentication and authorization protocols [004]
No public PoC exploits are available, but CISA and Cisco have confirmed that CVE-2025-20333 and CVE-2025-20362 are exploited in the wild [1][2]. Exploitation of CVE-2025-20363 has not been confirmed, but the CVE is included in many national CERT advisories covering the first two [3][4][5][6][7][8][9][10]. Supplemental guidance includes malware analysis of RayInitiator and LINE VIPER from the UK's NCSC [11] and IoC hunt instructions from CISA [12].
Technical Analysis of New Critical-Risk Cisco CVEs
All three CVEs are caused by improper validation of user-supplied input in HTTP(S) requests [CWE-20]. When combined, CVE-2025-20333 and CVE-2025-20362 allow an attacker to execute arbitrary code as root on the victim device: CVE-2025-20333 provides the remote code execution but on its own requires valid VPN credentials, while CVE-2025-20362 supplies the authentication bypass that lets an unauthenticated attacker reach the vulnerable code path. CVE-2025-20363 is a separate heap-based buffer overflow in the same web server code. It needs no authentication bypass to reach RCE as root on ASA and FTD, and it also affects Cisco IOS, IOS XE, and IOS XR under certain configurations, where a low-privileged authenticated attacker can trigger it.
Here is a brief description of each vulnerability:
- CVE-2025-20333 (CVSS 9.9): A crafted HTTPS request to the VPN web server can lead to arbitrary code execution as root on Cisco ASA and FTD devices. The flaw is classified as a buffer overflow [CWE-122] and requires valid VPN user credentials to exploit.
- CVE-2025-20362 (CVSS 6.5): An unauthenticated attacker can bypass authentication to reach restricted URL endpoints on the VPN web server of Cisco ASA and FTD devices. The flaw is due to missing authorization [CWE-862] for sensitive HTTP paths. Its CVSS score reflects the flaw in isolation; because it is the entry point that removes the credential requirement of CVE-2025-20333, it should be prioritized as if it carried the chain's severity.
- CVE-2025-20363 (CVSS 9.0): Unauthenticated RCE as root via the VPN web server of Cisco ASA and FTD devices; on Cisco IOS, IOS XE, and IOS XR software a low-privileged authenticated attacker can achieve RCE as root. The flaw is a heap-based buffer overflow [CWE-122] caused by improper validation of user-supplied input in HTTP requests.
Mitigation Instructions for Impacted Devices
CISA has issued an Emergency Directive (ED 25-03) requiring all federal agencies to remediate the ongoing threat immediately. Operators of these products should immediately identify affected devices, analyze them for compromise, and mitigate. For analysis, follow CISA's Core Dump and Hunt Instructions and Cisco's official Detection Guide. Analysis must accompany patching rather than follow it: an implant that persists at the ROMMON or bootkit level survives a software upgrade and a reboot, so a patched device is not necessarily a clean one.
If a breach is identified, compromised devices should be disconnected but not powered off, and the Incident Response Plan (IRP) and eviction process should be activated. Victims should notify the relevant regional authorities and submit their core dump(s) for analysis. Malware analysis of RayInitiator and LINE VIPER has been published by the UK's NCSC [1]. Cisco's official advisories can be consulted for more detailed information [2][3][4]. Platforms vulnerable to CVE-2025-20333 and CVE-2025-20362 include:
ASA hardware, ASA Services Module (ASA-SM), ASA Virtual (ASAv), and ASA firmware on Firepower 2100/4100/9300. Affected Cisco ASA software release trains and the first fixed release in each:
- 9.12: releases earlier than 9.12.4.72
- 9.14: releases earlier than 9.14.4.28
- 9.16: releases earlier than 9.16.4.85
- 9.17: releases earlier than 9.17.1.45
- 9.18: releases earlier than 9.18.4.67
- 9.19: releases earlier than 9.19.1.42
- 9.20: releases earlier than 9.20.4.10
- 9.22: releases earlier than 9.22.2.14
- 9.23: releases earlier than 9.23.1.19
Cisco FTD software release trains:
- 7.0: releases earlier than 7.0.8.1
- 7.1: all releases (no fixed release; migrate to a fixed train)
- 7.2: releases earlier than 7.2.10.2
- 7.3: all releases (no fixed release; migrate to a fixed train)
- 7.4: releases earlier than 7.4.2.4
- 7.6: releases earlier than 7.6.2.1
- 7.7: releases earlier than 7.7.10.1
CVE-2025-20363 affects the ASA and FTD products listed above, Cisco IOS and IOS XE Software with Remote Access SSL VPN enabled, and 32-bit Cisco IOS XR Software releases 6.8 and 6.9 on the ASR 9001 with the HTTP server enabled. Not affected are Cisco NX-OS Software, 64-bit IOS XR, IOS/IOS XE without Remote Access SSL VPN enabled, and ASA/FTD without WebVPN/SSL VPN features configured. Verify that last condition from the running configuration rather than assuming it: a device on a vulnerable release with no listening VPN web server is not exposed to these bugs today, but it still needs the fixed release before the feature is ever enabled.
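The following triage script is an added example, not code from Greenbone, the OpenVAS feed, or Cisco. It encodes the ASA and FTD fixed-release tables reproduced above and answers the two questions an operator asks first: is this device on a fixed release, and is its VPN web server actually enabled? It assumes the usual ASA `show version` format (`Software Version 9.16(4)70`, interim build optional) and the ASA running-config convention that SSL VPN listens when an `enable <interface>` line appears under the top-level `webvpn` block; release trains not in the tables above (for example end-of-life trains) are reported as unknown rather than guessed. The sample version string and configuration are constructed for the example.

```python
"""Added example (not Greenbone's or Cisco's code): triage a Cisco ASA/FTD
device against the CVE-2025-20333 / CVE-2025-20362 fixed-release tables."""
import re

# First fixed release per release train, from the tables reproduced above.
# None means every release of that train is affected and must be migrated.
ASA_FIXED = {
    "9.12": "9.12.4.72", "9.14": "9.14.4.28", "9.16": "9.16.4.85",
    "9.17": "9.17.1.45", "9.18": "9.18.4.67", "9.19": "9.19.1.42",
    "9.20": "9.20.4.10", "9.22": "9.22.2.14", "9.23": "9.23.1.19",
}
FTD_FIXED = {
    "7.0": "7.0.8.1", "7.1": None, "7.2": "7.2.10.2", "7.3": None,
    "7.4": "7.4.2.4", "7.6": "7.6.2.1", "7.7": "7.7.10.1",
}

# Assumed 'show version' formats: ASA prints 9.16(4)70, FTD prints 7.2.5.1.
_ASA_RE = re.compile(r"Software Version (\d+)\.(\d+)\((\d+)\)(\d*)")
_FTD_RE = re.compile(r"Version (\d+(?:\.\d+){1,3})")


def normalize_asa_version(show_version):
    """'... Software Version 9.16(4)70' -> '9.16.4.70' (missing interim -> 0)."""
    m = _ASA_RE.search(show_version)
    if not m:
        return None
    major, minor, maint, interim = m.groups()
    return f"{major}.{minor}.{maint}.{interim or '0'}"


def normalize_ftd_version(show_version):
    """'... Version 7.2.5.1 (Build 29)' -> '7.2.5.1'."""
    m = _FTD_RE.search(show_version)
    return m.group(1) if m else None


def _vtuple(version):
    # Numeric comparison: 9.16.4.85 must sort after 9.16.4.9.
    return tuple(int(x) for x in version.split("."))


def is_fixed(platform, version):
    """True/False against the table above; None if the train is not listed."""
    table = ASA_FIXED if platform == "asa" else FTD_FIXED
    train = ".".join(version.split(".")[:2])
    if train not in table:
        return None  # e.g. an end-of-life train: consult the vendor advisory
    fixed = table[train]
    if fixed is None:
        return False  # whole train affected, no fixed release to compare against
    return _vtuple(version) >= _vtuple(fixed)


def webvpn_enabled(running_config):
    """ASA syntax (assumed): an 'enable <interface>' line inside the
    top-level 'webvpn' block. Indented 'webvpn' lines under group-policies
    are attributes, not the listener, and are deliberately ignored."""
    in_block = False
    for line in running_config.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # new top-level stanza
            in_block = line.strip() == "webvpn"
            continue
        if in_block and line.strip().startswith("enable "):
            return True
    return False


def triage(platform, show_version, running_config):
    """Combine release check and exposure check into one verdict."""
    norm = normalize_asa_version if platform == "asa" else normalize_ftd_version
    version = norm(show_version)
    if version is None:
        return {"version": None, "verdict": "unparsed"}
    fixed = is_fixed(platform, version)
    exposed = webvpn_enabled(running_config)
    if fixed is None:
        verdict = "unknown-train"
    elif fixed:
        verdict = "patched"
    elif exposed:
        verdict = "vulnerable-exposed"
    else:
        verdict = "vulnerable-not-exposed"   # still needs the fixed release
    return {"version": version, "fixed": fixed, "webvpn": exposed, "verdict": verdict}


# Constructed sample input; not taken from any real device.
SAMPLE_SHOW_VERSION = "Cisco Adaptive Security Appliance Software Version 9.16(4)70"
SAMPLE_CONFIG = """\
hostname edge-fw
webvpn
 enable outside
 anyconnect enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ssl-client
"""

if __name__ == "__main__":
    print(triage("asa", SAMPLE_SHOW_VERSION, SAMPLE_CONFIG))
```

A `vulnerable-not-exposed` verdict is a scheduling decision, not a pass: the device is unaffected only until someone enables the VPN web server, so it belongs in the same upgrade window. An `unknown-train` verdict should be resolved against the vendor advisory, since trains missing from the table are typically end-of-life rather than safe.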
Summary
The coordinated disclosure of CVE-2025-20333, CVE-2025-20362, and CVE-2025-20363 has triggered a global security response. Combined, the CVEs have potential for full system compromise of Cisco ASA and FTD devices as well as devices using Cisco IOS, IOS XE, and IOS XR software with certain configurations. An ongoing ArcaneDoor espionage campaign has been identified leveraging CVE-2025-20333 and CVE-2025-20362 against legacy ASA 5500-X devices.
Security agencies, including CISA and national CERTs, have issued urgent mitigation guidance, stressing immediate patching, forensic investigation, and IRP activation. Greenbone has released detection checks for all three vulnerabilities in the OPENVAS ENTERPRISE FEED to help organizations rapidly identify and remediate exposure. Start a free trial today to scan your IT environment for these and other cybersecurity risks.

Joseph has had a varied and passionate background in IT and cyber security since the late 1980s. His early technical experience included working on an IBM PS/2, assembling PCs and programming in C++.
He also pursued academic studies in computer and systems engineering, anthropology and an MBA in technology forecasting.
Joseph has worked in data analytics, software development and, in particular, enterprise IT security. He specialises in vulnerability management, encryption and penetration testing.