CISA Urges Immediate Patching as ArcaneDoor Hackers Exploit Three Cisco Zero-Day Vulnerabilities

Sep 26, 2025

Overview

In a critical development, the Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive after uncovering active exploitation of three zero-day vulnerabilities in Cisco’s widely used Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) platforms.

The attacks have been attributed to a state-sponsored threat group linked to the ArcaneDoor espionage campaign, targeting U.S. federal agencies and critical infrastructure networks.

Cisco has confirmed that these flaws—tracked as CVE-2025-20333, CVE-2025-20362, and CVE-2025-20363—were exploited in the wild to gain persistent access and exfiltrate sensitive information from targeted environments.

Inside the Attack

The ArcaneDoor campaign demonstrates nation-state sophistication, leveraging advanced techniques to compromise perimeter security appliances — a tactic reminiscent of past operations such as Volt Typhoon and Snowman.

Exploitation Chain Summary:

  • CVE-2025-20333 (CVSS 9.9):
    A critical remote code execution vulnerability, allowing attackers to run arbitrary code on Cisco ASA and FTD devices.

  • CVE-2025-20362 (CVSS 6.5):
    A privilege escalation vulnerability used to gain higher-level access on compromised systems.

  • CVE-2025-20363 (CVSS 9.0):
    A high-severity command execution flaw facilitating control over affected devices.

Attackers were observed deploying custom malware implants, disabling system logging, and maintaining persistence across reboots — actions that indicate long-term espionage objectives rather than financial gain.

Targets and Impact

The campaign primarily targets U.S. federal agencies, defense contractors, and critical infrastructure providers, aiming to infiltrate secure networks and collect intelligence data.

CISA’s Emergency Directive 25-03 requires all civilian federal agencies to:

  • Identify all vulnerable Cisco ASA and FTD devices

  • Apply the latest Cisco security patches within 24 hours

  • Conduct forensic reviews to detect signs of compromise

Private sector organizations, particularly those managing energy, telecom, or transportation networks, are also urged to patch immediately and enhance monitoring for abnormal network behavior.

Mitigation and Recommendations

Immediate Actions:

  1. Patch Now: Apply Cisco’s latest software updates across all affected devices.

  2. Audit Logs: Examine network and system logs for unusual activities, privilege escalations, or configuration changes.

  3. Network Monitoring: Implement deep packet inspection and anomaly detection tools to identify command-and-control traffic.
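The "Audit Logs" step above, together with the reported disabling of system logging, suggests one concrete check a defender can run today. What follows is an added example, not code from the ClearPhish article or from Cisco: a small Python triage script that parses centrally collected Cisco ASA syslog, flags audited configuration commands (message IDs 111008 and 111010) that weaken the device's own logging, and reports per-device stretches of silence, since a firewall that goes quiet right after a "no logging" command is the pattern worth chasing. The collector line prefix, host names, IP addresses and all sample lines are constructed; the 111008/111010 message layouts follow Cisco's command-audit messages as commonly seen, so check the regular expressions against your own collector output before relying on them.

```python
"""Added example (not from the article): triage Cisco ASA syslog for logging tampering
and unexplained silence. All sample data below is constructed."""
import re
from datetime import datetime
from typing import Dict, List, Optional

# Assumed collector format: "Mon DD YYYY HH:MM:SS host : %ASA-<sev>-<id>: <text>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) : "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)
# 111008: User 'x' executed the 'cmd' command.
CMD_111008_RE = re.compile(r"User '(?P<user>[^']+)' executed the '(?P<cmd>.*)' command\.?$")
# 111010: User 'x', running 'CLI' from IP a.b.c.d, executed 'cmd'
CMD_111010_RE = re.compile(
    r"User '(?P<user>[^']+)', running '[^']+' from IP (?P<src>[^,\s]+), executed '(?P<cmd>.*)'$"
)
# Heuristic prefix list: commands that reduce or erase the device's audit trail.
LOGGING_TAMPER_PREFIXES = ("no logging", "clear logging", "clear configure logging")


def parse_line(line: str) -> Optional[dict]:
    """Split one collector line into fields; return None for non-ASA lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dt"] = datetime.strptime(rec["ts"], "%b %d %Y %H:%M:%S")
    return rec


def extract_command(rec: dict) -> Optional[dict]:
    """For command-audit messages, pull out who ran what (and from where, if logged)."""
    if rec["msgid"] == "111008":
        m = CMD_111008_RE.search(rec["text"])
        if m:
            return {"user": m["user"], "cmd": m["cmd"], "src": None}
    elif rec["msgid"] == "111010":
        m = CMD_111010_RE.search(rec["text"])
        if m:
            return {"user": m["user"], "cmd": m["cmd"], "src": m["src"]}
    return None


def is_logging_tamper(cmd: str) -> bool:
    """True when the command matches a known logging-weakening prefix."""
    return cmd.strip().lower().startswith(LOGGING_TAMPER_PREFIXES)


def find_config_changes(lines: List[str]) -> List[dict]:
    """Every audited command, rated HIGH when it weakens logging, INFO otherwise."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        cmd = extract_command(rec) if rec else None
        if not cmd:
            continue
        findings.append({
            "time": rec["ts"], "host": rec["host"], "user": cmd["user"],
            "src": cmd["src"], "cmd": cmd["cmd"],
            "severity": "HIGH" if is_logging_tamper(cmd["cmd"]) else "INFO",
        })
    return findings


def find_silence_gaps(lines: List[str], max_gap_seconds: int = 1800) -> List[dict]:
    """Per device, report stretches with no messages at all longer than the threshold."""
    by_host: Dict[str, List[datetime]] = {}
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_host.setdefault(rec["host"], []).append(rec["dt"])
    gaps = []
    for host, times in by_host.items():
        times.sort()
        for a, b in zip(times, times[1:]):
            gap = int((b - a).total_seconds())
            if gap > max_gap_seconds:
                gaps.append({"host": host, "from": a.isoformat(), "to": b.isoformat(), "seconds": gap})
    return gaps


def triage(lines: List[str]) -> dict:
    """Combine both checks into one report dict."""
    changes = find_config_changes(lines)
    return {"high": [c for c in changes if c["severity"] == "HIGH"],
            "all_changes": changes, "gaps": find_silence_gaps(lines)}


# Constructed sample: normal traffic, logging disabled from an admin session, roughly
# 86 minutes of silence, then logging re-enabled. Note that the command disabling
# logging may itself be the last (or never) recorded, which is why the gap check exists.
SAMPLE_LOG = """\
Sep 25 2025 02:14:07 asa-edge-01 : %ASA-6-302013: Built inbound TCP connection 4821 for outside:203.0.113.10/44121 (203.0.113.10/44121) to inside:10.0.0.20/443 (10.0.0.20/443)
Sep 25 2025 02:14:09 asa-edge-01 : %ASA-5-111010: User 'admin', running 'CLI' from IP 198.51.100.7, executed 'no logging enable'
Sep 25 2025 02:14:09 asa-edge-01 : %ASA-5-111008: User 'admin' executed the 'no logging enable' command.
Sep 25 2025 03:40:12 asa-edge-01 : %ASA-5-111008: User 'admin' executed the 'logging enable' command.
Sep 25 2025 03:40:30 asa-edge-01 : %ASA-5-111008: User 'admin' executed the 'hostname asa-edge-01' command.
not an asa line at all
""".splitlines()

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for c in report["all_changes"]:
        print(f'{c["severity"]:4} {c["time"]} {c["host"]} user={c["user"]} src={c["src"]} cmd={c["cmd"]!r}')
    for g in report["gaps"]:
        print(f'GAP  {g["host"]} silent {g["seconds"]}s ({g["from"]} -> {g["to"]})')
```

Point the script at your exported ASA syslog instead of SAMPLE_LOG and tune max_gap_seconds to the device's normal chattiness; an edge firewall that emits connection messages every few seconds should never show a 30-minute hole. Treat any HIGH finding whose source IP is not a known management host as a forensic lead, not merely a configuration hygiene issue.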

Long-Term Security Measures:

  • Enforce network segmentation to contain potential breaches.

  • Adopt a zero-trust architecture to minimize lateral movement.

  • Conduct continuous vulnerability assessments and red team exercises.

  • Establish automated patch management to prevent future exposure.

Expert Insight

This incident underscores a growing nation-state focus on edge devices — exploiting firewalls and VPNs that often sit outside centralized endpoint protection.
As ClearPhish analysts warn, perimeter compromise is now a primary attack vector, making timely patching and continuous monitoring non-negotiable for organizations handling sensitive data.

The Bigger Picture

ArcaneDoor’s exploitation of Cisco zero-days marks another escalation in geopolitical cyber espionage. With infrastructure devices increasingly under siege, cyber resilience must extend beyond endpoints — reaching routers, firewalls, and any device connecting public and private networks.

The window between disclosure and exploitation is closing fast — and this campaign is a stark reminder that delay in patching equals open doors for adversaries.
