ArcaneDoor Strikes Cisco Firewalls Again: New DoS Exploit Variant Emerges
Cisco has warned customers of a fresh wave of attacks against its firewalls: adversaries have been striking vulnerable appliances for at least six months, and in early November a new exploitation variant emerged. In a Thursday bulletin, the company reported that on 5 November 2025 it observed novel techniques targeting systems running Cisco Secure ASA Software and Cisco Secure FTD Software, exploiting CVE-2025-20333 and CVE-2025-20362. On unpatched devices the new variant causes the appliance to reload unexpectedly; repeated reloads amount to a denial of service for everything that sits behind the firewall.
Both vulnerabilities were patched in September, after which the UK National Cyber Security Centre and the US CISA publicly warned of active exploitation by a "sophisticated" adversary; at least one US federal agency was among the victims. As early as May, Cisco had engaged multiple government partners to assist affected organisations: forensic work showed the attackers deploying malicious components, executing arbitrary commands, and most likely exfiltrating data from compromised devices. Cisco assembled a dedicated response team and worked closely with a limited set of customers whose networks had been breached.
Researchers note the adversary combined several zero-day flaws and employed stealthy tradecraft: disabling logging, intercepting CLI commands, and deliberately "crashing" devices to frustrate diagnosis. In several instances the ROM Monitor (ROMmon) bootloader was modified, giving the attackers persistence that survived both reboots and software upgrades. That kind of tampering is only possible where the platform does not verify its boot image, so the hardware generation of the appliance matters as much as the software version when judging exposure.
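Two of the tradecraft elements above, logging disabled before a deliberate crash and a device that keeps reloading, leave a footprint in a syslog collector even when the device itself no longer tells the truth. The script below is an added example, not code from Cisco or from the report, that hunts for both symptoms in an exported syslog file: a host that goes silent for longer than it normally does and then comes back with a boot message, and a host that reports several boots inside one hour. The log lines are constructed for the example, the line layout (`<ISO timestamp> <host> <message>`) is an assumption about the collector's export format, and the "Startup completed" text used as the boot marker is an assumed pattern to be swapped for whatever your platform emits.

```python
"""Hunt for two ArcaneDoor-style symptoms in an ASA/FTD syslog export:
(1) a device that normally logs goes silent and returns with a boot message;
(2) a device reports several boots inside a short window.
Added example: the log lines are constructed, not real captures, and the
message texts are assumed markers, not verified vendor identifiers."""
import re
from datetime import datetime, timedelta

# Assumed export layout: "<ISO timestamp> <hostname> <message>".
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.+)$")
# Assumed text that marks a completed (re)boot; adjust to your platform's wording.
RELOAD_RE = re.compile(r"Startup completed", re.IGNORECASE)

# Constructed sample: asa-edge1 logs every minute, falls silent for 38 minutes,
# then boots three times in 25 minutes. asa-edge2 logs steadily and boots once.
SAMPLE_LOG = """\
2025-11-05T08:00:00 asa-edge1 %ASA-6-302013: Built inbound TCP connection 1001
2025-11-05T08:01:00 asa-edge1 %ASA-6-302013: Built inbound TCP connection 1002
2025-11-05T08:02:00 asa-edge1 %ASA-6-302013: Built inbound TCP connection 1003
2025-11-05T08:40:00 asa-edge1 %ASA-6-199002: Startup completed. Beginning operation.
2025-11-05T08:45:00 asa-edge1 %ASA-6-302013: Built inbound TCP connection 1004
2025-11-05T08:52:00 asa-edge1 %ASA-6-199002: Startup completed. Beginning operation.
2025-11-05T08:58:00 asa-edge1 %ASA-6-302013: Built inbound TCP connection 1005
2025-11-05T09:05:00 asa-edge1 %ASA-6-199002: Startup completed. Beginning operation.
2025-11-05T08:00:00 asa-edge2 %ASA-6-302013: Built inbound TCP connection 2001
2025-11-05T08:05:00 asa-edge2 %ASA-6-302013: Built inbound TCP connection 2002
2025-11-05T08:10:00 asa-edge2 %ASA-6-302013: Built inbound TCP connection 2003
2025-11-05T08:15:00 asa-edge2 %ASA-6-199002: Startup completed. Beginning operation.
"""


def parse(text):
    """Return (timestamp, host, message, is_reload) tuples, grouped by host, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a syslog record; skip rather than guess
        ts = datetime.fromisoformat(m["ts"])
        events.append((ts, m["host"], m["msg"], bool(RELOAD_RE.search(m["msg"]))))
    events.sort(key=lambda e: (e[1], e[0]))
    return events


def logging_gaps(events, max_silence=timedelta(minutes=10)):
    """Per host: (gap_start, gap_end, gap_ends_with_reload) for every silence
    longer than max_silence. Logging switched off before a forced crash shows
    up as a gap whose first message after the silence is the boot marker."""
    by_host = {}
    for ts, host, _, is_reload in events:
        by_host.setdefault(host, []).append((ts, is_reload))
    gaps = {}
    for host, items in by_host.items():
        items.sort()
        for (a, _), (b, b_reload) in zip(items, items[1:]):
            if b - a > max_silence:
                gaps.setdefault(host, []).append((a, b, b_reload))
    return gaps


def reload_cycles(events, window=timedelta(hours=1)):
    """Per host: the largest number of boot markers seen inside any sliding window."""
    by_host = {}
    for ts, host, _, is_reload in events:
        if is_reload:
            by_host.setdefault(host, []).append(ts)
    worst = {}
    for host, stamps in by_host.items():
        stamps.sort()
        best = start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        worst[host] = best
    return worst


def suspicious_hosts(text, reload_threshold=3):
    """Hosts that boot >= reload_threshold times in an hour, or that go silent and
    return with a boot message. Either deserves evidence collection, not a reboot."""
    events = parse(text)
    flagged = {h for h, n in reload_cycles(events).items() if n >= reload_threshold}
    for host, gaps in logging_gaps(events).items():
        if any(ends_with_reload for _, _, ends_with_reload in gaps):
            flagged.add(host)
    return sorted(flagged)


if __name__ == "__main__":
    print(suspicious_hosts(SAMPLE_LOG))
```

Tune `max_silence` to each device's normal cadence (a busy edge firewall logs many times a minute; a quiet one may legitimately go quiet for longer), and treat a hit as a trigger for collecting artifacts from the appliance before anyone upgrades or power-cycles it.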
Cisco, together with US and UK agencies, links earlier incidents and this “new variant” to the group behind the ArcaneDoor operation—first disclosed in April 2024 when the vendor remediated two zero-days in ASA and FTD that had been used to penetrate government and telecom infrastructure (activity indexed as UAT4356). Since 2024 Cisco has declined to attribute the campaign to a specific nation, referring inquiries to its public advisories.
Separately, on Thursday Cisco released patches for two critical vulnerabilities in Cisco Unified Contact Center Express (UCCX). CVE-2025-20354 and CVE-2025-20358 permit an unauthenticated remote attacker to upload arbitrary files, execute commands as root, or bypass authentication to run scripts as an internal, non-privileged user. UCCX deployments are vulnerable regardless of configuration; Cisco recommends upgrading to 12.5 SU3 ES07 or 15.0 ES01.
CVE-2025-20354 carries a CVSS score of 9.8 and stems from improper validation in a Java RMI process: exploitation via a crafted file can result in arbitrary command execution on the host OS and privilege escalation to root. CVE-2025-20358 (score 9.4) enables authentication bypass between the CCX Editor and the Unified CCX server: an attacker can redirect the authentication flow to an attacker-controlled server, convince the client that login succeeded, and then execute arbitrary scripts as an internal account without administrative rights.
Cisco is not aware of confirmed, widespread exploitation of the UCCX defects, yet it urges customers to apply the patches immediately. Given the relentless activity around ASA/FTD and the emergence of a new exploitation variant, postponing updates and configuration audits is exceedingly risky. One caveat for ASA/FTD operators: because the persistence described above survives software upgrades, a device that may already have been compromised should be treated as forensic evidence and handled according to the vendor's compromise guidance, not simply patched and returned to service.