Cisco says “multiple government agencies” reported zero day exploitation of a pair of critical vulnerabilities in its firewalls.

Chained together, the vulnerabilities let an “unauthenticated, remote attacker" gain full control of the enterprise devices.

The attackers have used a multi-stage bootkit dubbed “RayInitiator” by the NCSC for persistence (the malware survives reboots and software upgrades) on Cisco 5500-X series firewall devices that are nearing end-of-support. 

See also: CVSS 9.9. Static credentials. In your cloud. Cisco WTF, again?

The attacks come after GreyNoise detected a massive surge in scans targeting Cisco ASA devices in late August 2025, with over 25,000 unique IPs probing ASA login portals in a single burst via a Brazilian botnet. Others followed.

Anticipating fresh attacks, Eclypsium noted on Sep. 16: “Cisco ASAs continue to be a prime target due to their widespread deployment at the edge and a history of slow patch adoption.”

A Shodan search by Eclypsium, the firmware security specialist, suggested that 113,000 ASA devices are exposed to the public Internet, over 104,000 of them via port 443, the standard port for HTTPS traffic.

The RayInitiator persistence has only been seen on models released in 2012 that lack Secure Boot technology – but the same vulnerabilities are “also present in specific versions of Cisco Firepower,” CISA said in an emergency directive.

Cisco thanked Five Eyes agencies in Australia, Canada, the UK and US for support investigating the zero-days – exploitation of which may have started in early 2024, when Cisco flagged compromise of its ASA and Cisco Firepower Threat Defense (FTD) products but failed to identify the initial attack vector.

“Cisco assesses with high confidence that this new activity is related to the same threat actor as the ArcaneDoor attack campaign that Cisco reported in early 2024.” – Cisco, September 25, 2025.

The vulnerabilities have been allocated the following identifiers:

  • CVE-2025-20333 (CVSS 9.9): Anyone with VPN credentials can gain root by simply sending “crafted HTTP requests to an affected device.”
  • CVE-2025-20363 (CVSS 9.0): Also due to “improper validation of user-supplied input in HTTP requests”, Cisco admitted.
  • CVE-2025-20362 (CVSS 6.5): Ditto, and could allow an attacker to “access a restricted URL without authentication.”

“Attackers were observed to have exploited multiple zero-day vulnerabilities and employed advanced evasion techniques such as disabling logging, intercepting CLI commands, and intentionally crashing devices to prevent diagnostic analysis,” said Cisco late Thursday.

“The complexity and sophistication of this incident required an extensive, multi-disciplinary response across Cisco’s engineering and security teams.”
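The evasion techniques Cisco describes – disabling logging, intercepting CLI commands and crashing devices – share one observable side effect: the device goes quiet at the central log collector. The following script is an added example (not from the article, Cisco or the NCSC) of a triage check a defender can run over collector-side syslog: it flags any firewall whose message stream has an unexplained silence longer than a threshold, and separately flags any recorded CLI command that disables logging. The sample log lines, hostnames, addresses and the year used for timestamp parsing are constructed for illustration; the only ASA message formats relied on are 302013 (connection built) and 111008 (user executed command).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog as it would arrive at a central collector.
# Hostnames, addresses and connection ids are illustrative, not from the article.
SAMPLE_LOGS = """\
Sep 25 10:00:01 asa-edge-01 %ASA-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.5/51000 (203.0.113.5/51000) to inside:10.0.0.10/443 (10.0.0.10/443)
Sep 25 10:00:31 asa-edge-01 %ASA-6-302013: Built inbound TCP connection 1002 for outside:203.0.113.6/51001 (203.0.113.6/51001) to inside:10.0.0.10/443 (10.0.0.10/443)
Sep 25 10:01:05 asa-edge-01 %ASA-5-111008: User 'enable_15' executed the 'no logging enable' command.
Sep 25 10:01:06 asa-edge-01 %ASA-6-302013: Built inbound TCP connection 1003 for outside:203.0.113.7/51002 (203.0.113.7/51002) to inside:10.0.0.10/443 (10.0.0.10/443)
Sep 25 14:30:00 asa-edge-01 %ASA-6-302013: Built inbound TCP connection 1004 for outside:203.0.113.8/51003 (203.0.113.8/51003) to inside:10.0.0.10/443 (10.0.0.10/443)
Sep 25 10:00:02 asa-edge-02 %ASA-6-302013: Built inbound TCP connection 2001 for outside:198.51.100.5/40000 (198.51.100.5/40000) to inside:10.0.1.10/443 (10.0.1.10/443)
Sep 25 10:00:40 asa-edge-02 %ASA-6-302013: Built inbound TCP connection 2002 for outside:198.51.100.6/40001 (198.51.100.6/40001) to inside:10.0.1.10/443 (10.0.1.10/443)
Sep 25 10:01:10 asa-edge-02 %ASA-6-302013: Built inbound TCP connection 2003 for outside:198.51.100.7/40002 (198.51.100.7/40002) to inside:10.0.1.10/443 (10.0.1.10/443)
Sep 25 10:02:00 asa-edge-02 %ASA-6-302013: Built inbound TCP connection 2004 for outside:198.51.100.8/40003 (198.51.100.8/40003) to inside:10.0.1.10/443 (10.0.1.10/443)
"""

# Classic syslog has no year; we assume one (an assumption of this example).
ASSUMED_YEAR = 2025

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d+): (?P<text>.*)$"
)

# CLI commands that reduce or remove log output. Pattern is illustrative;
# extend it for the logging configuration your environment relies on.
LOGGING_DISABLE_RE = re.compile(r"'(no logging[^']*|clear logging[^']*)'")


def parse_syslog(text):
    """Parse collector-side syslog text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an ASA message; ignore
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "sev": int(m["sev"]),
                       "msgid": m["msgid"], "text": m["text"]})
    return events


def find_silence_gaps(events, max_gap_seconds=1800):
    """Return {host: (gap_seconds, gap_start, gap_end)} for every host whose
    longest interval between consecutive messages exceeds max_gap_seconds.
    A long silence is consistent with logging being disabled or the device
    crashing; it is observable at the collector even if the device was silenced."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e["ts"])
    flagged = {}
    for host, stamps in by_host.items():
        stamps.sort()
        worst = None
        for a, b in zip(stamps, stamps[1:]):
            gap = int((b - a).total_seconds())
            if worst is None or gap > worst[0]:
                worst = (gap, a, b)
        if worst and worst[0] > max_gap_seconds:
            flagged[host] = worst
    return flagged


def find_logging_changes(events):
    """Return (host, timestamp, command) for each recorded CLI command that
    disables or clears logging (ASA message 111008 records executed commands)."""
    hits = []
    for e in events:
        if e["msgid"] != "111008":
            continue
        m = LOGGING_DISABLE_RE.search(e["text"])
        if m:
            hits.append((e["host"], e["ts"], m.group(1)))
    return hits


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_LOGS)
    for host, (gap, start, end) in find_silence_gaps(evs).items():
        print(f"{host}: silent for {gap}s between {start} and {end}")
    for host, ts, cmd in find_logging_changes(evs):
        print(f"{host}: logging changed at {ts}: {cmd}")
```

Run against the constructed sample, the script flags asa-edge-01 for a multi-hour silence and for a recorded “no logging enable” command, while asa-edge-02 stays clean. The gap check is deliberately independent of the device's own command audit: a command record can be suppressed by an attacker who intercepts the CLI, but the absence of expected traffic at the collector cannot be hidden from the collector.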

CISA called on all US agencies to report a “complete inventory of all instances of products within scope on agency networks, including details on actions taken and results” by October 2.

NCSC CTO Ollie Whitehouse added: “It is critical for organisations to take note of the recommended actions highlighted by Cisco today, particularly on detection and remediation… End-of-life technology presents a significant risk for organisations. Systems and devices should be promptly migrated to modern versions to address vulnerabilities and strengthen resilience.”

Whitehouse also took the opportunity to highlight a blog emphasising that organisations should prepare for Windows 10 coming to end of life in October and prioritise prompt migration to Windows 11.

See also: SaaS firms urged to threat-hunt for persistent “BRICKSTORM”
