Cisco's Wave of Actively Exploited Zero-Day Bugs Targets Firewalls, IOS - Dark Reading
Cisco's Wave of Actively Exploited Zero-Day Bugs Targets Firewalls, IOS
Patch now: Cisco recently disclosed four actively exploited zero-days affecting millions of devices, including three targeted by a nation-state actor previously discovered to be behind the "ArcaneDoor" campaign.
Alexander Culafi, Senior News Writer, Dark Reading
September 25, 2025
6 Min Read
UPDATE
A host of Cisco devices have been under attack in recent months thanks to zero-day security vulnerabilities affecting millions of appliances, and organizations should waste no time in patching them because they carry an enormous amount of corporate risk, the Cybersecurity and Infrastructure Security Agency (CISA) is warning.
The agency published an Emergency Directive today connected to what it called "ongoing activity" targeting Cisco Adaptive Security Appliances (ASA). CISA assessed that the attacks are connected to the same state-sponsored advanced persistent threat (APT) behind the ArcaneDoor cyberespionage attacks in the spring of 2024, which also exploited Cisco zero-days. The UK's National Cyber Security Centre (NCSC) meanwhile warned that the threat actors are also implanting malware into affected Cisco devices, including RayInitiator, a persistent multi-stage bootkit, and LINE VIPER, a shellcode loader used to facilitate data exfiltration. The NCSC published a malware analysis on Sept. 25 to coincide with the warning.
"The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution [RCE] on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade," CISA said. "Cisco assesses that this campaign is connected to the ArcaneDoor activity identified in early 2024, and that this threat actor has demonstrated a capability to successfully modify ASA ROM at least as early as 2024."
Within the directive, CISA detailed multiple zero-days being used in the campaign: critical RCE flaws CVE-2025-20333 (CVSS 9.9) and CVE-2025-20363 (CVSS 9.0); and a medium-severity unauthorized access vulnerability allowing privilege escalation, CVE-2025-20362 (CVSS 6.5).
The warning comes a day after Cisco itself disclosed another, different zero-day under active exploitation in the wild. That vulnerability, CVE-2025-20352 (CVSS 7.7), affects the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software and Cisco IOS XE, which are versions of the vendor's operating system. The flaw is due to a stack overflow condition in SNMP, and can allow authenticated RCE and denial of service (DoS).
Mayuresh Dani, security research manager at Qualys Threat Research Unit, notes that Cisco's enormous footprint across enterprises small and large means that mass patching is in order.
Otherwise, "when you combine legacy code, massive deployment scale, recurring subsystem flaws, expanded Web attack surfaces, and embedded system challenges — it creates a perfect vulnerable storm," he warns.
Espionage Cyber Threat Actor Targets Cisco Devices
A wide range of Cisco ASA 5500-X series firewall models are affected by the bugs disclosed today, namely those that are running Cisco ASA Software releases 9.12 or 9.14 with VPN Web services enabled, which do not support Secure Boot and Trust Anchor technologies. These models include 5512-X, 5515-X, 5525-X, 5545-X, 5555-X, and 5585-X. Certain versions of Cisco Firepower are also vulnerable to the zero-days, according to the networking giant.
Cisco in its advisory also noted that many of the aforementioned devices are end of life, so customers are urged to upgrade to supported models and software releases, as appropriate.
CISA's directive, meanwhile, mandates updates by the end of day on Friday: federal civilian executive branch departments and agencies "must disconnect end-of-support devices and upgrade those that will remain in service by 11:59 PM EST on September 26, 2025."
The attacks, while state-sponsored, have not formally been attributed to a single nation, though multiple US federal agencies were apparently compromised as part of the campaign. The activity isn't surprising: high-risk vulnerabilities pop up in Cisco gear fairly regularly, and often have been hit by nation-state actors of all stripes, including those affiliated with Russia and China.
Jason Soroko, senior fellow at Sectigo, says Cisco bugs in particular attract attackers because the devices "are ubiquitous, sit at network choke points, and share code across many platforms."
"A single management plane flaw can hit a fleet," he explains. "Internet-exposed management surfaces, especially the Web UI that many organizations leave enabled on untrusted interfaces, have enabled simple scanning and mass exploitation at scale. Patching is slowed by change control and uptime risk on critical edge devices, which gives adversaries a long window. The payoff is excellent in terms of traffic visibility, persistence, and lateral movement, so both crimeware and state actors keep investing."
A Zero-Day Bug Capable of DoS & RCE
Meanwhile, the Cisco IOS and IOS XE zero-day vulnerability revealed yesterday has also faced exploitation in the wild, and the networking vendor strongly urged customers to update to a fixed version as soon as possible.
As Cisco explained in a Sept. 24 advisory, "All devices that have SNMP enabled and have not explicitly excluded the affected object ID (OID) should be considered vulnerable" to CVE-2025-20352, which translates into at least 2 million boxes potentially at risk, according to Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative.
"The bug is definitely interesting as it affects all versions of SNMP, which really shouldn't be exposed to the Internet," he says. "This bug allows attackers to get root access on affected devices. That's higher than admin access and really shouldn't be reachable at all."
Indeed, with high privileges, an authenticated, remote attacker could execute code as the root user and gain full control over a target system. In this case, "the attacker must have the SNMPv1 or v2c read-only community string or valid SNMPv3 user credentials and administrative or privilege 15 credentials on the affected device," according to Cisco.
Ryan Emmons, security researcher at Rapid7, tells Dark Reading that although the vulnerable configuration is non-default, it is likely "very common" in real-world environments.
"The most notable barrier to exploitation is that high-privilege local administrator credentials are required to establish remote code execution," Emmons says. "This requirement is a significant one, and it tells us that CVE-2025-20352 is more likely to be exploited during privilege escalation and lateral movement than it is to be used as an initial access vector."
The vulnerability also allows a second attack scenario, where an authenticated, remote attacker with low privileges could use CVE-2025-20352 to launch a DoS attack on an affected Cisco device: "To cause the DoS, the attacker must have the SNMPv2c or earlier read-only community string or valid SNMPv3 user credentials."
A Cisco spokesperson shared the following statement with Dark Reading: "We strongly urge customers to upgrade to updated releases [including IOS XE release 17.15.4a] or — if an immediate upgrade is not feasible — implement the mitigation outlined in the advisory until an upgrade can be applied." The mitigation it mentioned involves disabling the affected object identifiers (OIDs); the advisory also includes instructions for using Cisco's Software Checker to identify vulnerable configurations.
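Cisco's advisory frames exposure to CVE-2025-20352 in terms of one configuration condition: SNMP is enabled and the affected OID has not been explicitly excluded. The following triage script, an added example that is not Cisco's tooling or part of the article, applies that condition to an exported IOS / IOS XE configuration. It parses standard `snmp-server community`, `snmp-server view`, `snmp-server group` and `snmp-server user` lines and reports every community string or SNMPv3 user whose view does not exclude the affected OID. The `AFFECTED_OID` value is a constructed placeholder (the real OID appears in Cisco's advisory, not in this article), and the sample configuration is constructed for the demonstration; Cisco's Software Checker and the advisory remain the authoritative check, since this script looks only at the OID-exclusion condition and not at the running software version.

```python
"""Triage an exported Cisco IOS / IOS XE configuration against the exposure
condition Cisco's advisory states for CVE-2025-20352: SNMP enabled and the
affected OID not explicitly excluded. Added example; not Cisco's tooling."""
import re
from dataclasses import dataclass, field

# PLACEHOLDER: the real affected OID is published in Cisco's advisory, not in
# this article. This constructed value only makes the sample self-consistent.
AFFECTED_OID = "1.3.6.1.4.1.9.9.99999"


@dataclass
class SnmpAudit:
    snmp_enabled: bool = False
    excluded_views: set = field(default_factory=set)   # views that exclude AFFECTED_OID
    findings: list = field(default_factory=list)       # principals that can still reach it


def _subtree_covers(subtree: str, target: str) -> bool:
    """True if 'target' equals or lies beneath the 'subtree' OID."""
    return target == subtree or target.startswith(subtree + ".")


def audit_snmp_config(config_text: str) -> SnmpAudit:
    """Return which SNMP principals can reach AFFECTED_OID under this config."""
    audit = SnmpAudit()
    communities = []   # (community, view-or-None, RO/RW)
    groups = {}        # SNMPv3 group name -> read view (None if unrestricted)
    users = []         # (SNMPv3 user, group)

    for raw in config_text.splitlines():
        line = raw.strip()
        if m := re.match(r"snmp-server view (\S+) (\S+) (included|excluded)$", line):
            view, oid, mode = m.groups()
            if mode == "excluded" and _subtree_covers(oid, AFFECTED_OID):
                audit.excluded_views.add(view)
        elif m := re.match(r"snmp-server community (\S+)(?: view (\S+))? (RO|RW)\b", line):
            audit.snmp_enabled = True
            communities.append(m.groups())
        elif m := re.match(r"snmp-server group (\S+) v3 \S+(?: read (\S+))?", line):
            audit.snmp_enabled = True
            groups[m.group(1)] = m.group(2)
        elif m := re.match(r"snmp-server user (\S+) (\S+) v3", line):
            audit.snmp_enabled = True
            users.append((m.group(1), m.group(2)))

    if not audit.snmp_enabled:
        return audit   # no SNMP agent configured: this exposure condition does not apply

    # A community with no view, or a view that does not exclude the OID, can reach it.
    for name, view, access in communities:
        if view not in audit.excluded_views:
            reason = "no view restriction" if view is None else f"view '{view}' does not exclude it"
            audit.findings.append(f"community '{name}' ({access}) can reach {AFFECTED_OID}: {reason}")
    # An SNMPv3 user inherits the read view of its group.
    for user, group in users:
        if groups.get(group) not in audit.excluded_views:
            audit.findings.append(f"SNMPv3 user '{user}' (group '{group}') can reach {AFFECTED_OID}")
    return audit


# Constructed sample configuration (not from any real device).
SAMPLE_CONFIG = """
hostname edge-rtr-01
snmp-server view SAFE iso included
snmp-server view SAFE 1.3.6.1.4.1.9.9.99999 excluded
snmp-server community public RO
snmp-server community monitoring view SAFE RO
snmp-server group NETOPS v3 priv read SAFE
snmp-server user nms NETOPS v3 auth sha ExamplePass1 priv aes 128 ExampleKey1
snmp-server group LEGACY v3 auth
snmp-server user oldnms LEGACY v3 auth sha ExamplePass2
"""

if __name__ == "__main__":
    result = audit_snmp_config(SAMPLE_CONFIG)
    print("SNMP enabled:", result.snmp_enabled)
    print("Views excluding the OID:", sorted(result.excluded_views))
    for finding in result.findings:
        print("EXPOSED:", finding)
```

In the sample, the `public` community and the `oldnms` user are flagged because neither is bound to a view that excludes the OID, while `monitoring` and `nms` pass because their view `SAFE` excludes it. Running the same function over a fleet's exported configurations gives a quick list of devices where the advisory's mitigation has not been applied, to be confirmed against Cisco's Software Checker.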
The flaw also affects Meraki MS390 and Cisco Catalyst 9300 Series Switches running Meraki CS version 17 or earlier, the vendor added.
This story was updated Sept. 26, 2025 at 11:30 am ET to include the NCSC finding that the ArcaneDoor attackers are spreading the RayInitiator and LINE VIPER malware as part of their campaign.
About the Author
Alexander Culafi
Senior News Writer, Dark Reading
Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels.