Despite months of warnings, nearly 48,000 Cisco ASA and FTD appliances remain exposed to two actively exploited zero-day vulnerabilities. Researchers at the Shadowserver Foundation confirmed that many devices are still running vulnerable builds and remain connected directly to the internet.
The largest concentration of unpatched systems appears in the United States, followed by the UK, Japan, Russia, Germany, and Canada.
Timeline of Exploitation
In its disclosure, Cisco said the attacks, which it traced back to May 2025, target CVE-2025-20333 and CVE-2025-20362, both affecting ASA 5500-X and FTD devices. Cisco noted that attackers used advanced evasion tactics, such as:
- Disabling device logging
- Intercepting CLI commands
- Forcing crashes to block forensic analysis
By August 2025, GreyNoise recorded a sharp spike in scans aimed at ASA login portals and Telnet/SSH endpoints. These scans took place weeks before Cisco publicly disclosed the vulnerabilities, suggesting coordinated reconnaissance ahead of exploitation.
Many organizations continue to:
- Delay updates on mission-critical firewalls
- Operate hardware beyond end-of-life support
- Fail to monitor devices exposed directly to the internet
Because ASA/FTD appliances often sit at the network perimeter, attackers who exploit these zero-days gain immediate access to sensitive internal networks.
Urgent Steps Organizations Must Take
Cisco and national cybersecurity agencies strongly recommend the following:
- Audit all ASA/FTD devices to confirm patch levels.
- Apply Cisco's latest updates and reset credentials, certificates, and keys.
- Restore compromised systems to factory defaults before redeploying.
- Search for indicators of compromise (IoCs), including disabled logging and suspicious crashes.
- Replace unsupported devices that can no longer be secured.
In addition, Cisco urges admins to regenerate keys and certificates after patching, since anything an attacker captured from a compromised device would otherwise keep working as a backdoor.
Cisco analysts believe the same state-backed group behind the 2024 ArcaneDoor campaign is responsible for these ASA zero-day exploits. Similarities in infrastructure, malware tools, and tactics strengthen that link.
Recent investigations also connect the RayInitiator bootkit and LINE VIPER shellcode to the ongoing attacks, indicating a coordinated espionage operation rather than isolated criminal activity.
The fact that tens of thousands of Cisco ASA devices remain vulnerable despite repeated alerts is alarming. Firewalls serve as the frontline of enterprise defense. If attackers compromise them, the rest of the network becomes far easier to infiltrate.
Organizations must act now: patch systems, rotate credentials, and monitor relentlessly. Delaying remediation could mean handing adversaries the keys to the kingdom.
FAQs
Q: What Cisco ASA vulnerabilities are being exploited?
A: Attackers are chaining CVE-2025-20333 and CVE-2025-20362 on ASA 5500-X and FTD devices to gain code execution; once in, they disable logging, crash devices, and intercept CLI commands to evade detection and forensic analysis.
Q: How many Cisco ASA devices remain vulnerable?
A: Nearly 48,000 ASA/FTD firewalls remain exposed worldwide, with the largest numbers in the U.S., followed by the UK, Japan, Russia, Germany, and Canada.
Q: Who is behind the attacks on Cisco ASA firewalls?
A: Cisco and researchers suspect the ArcaneDoor threat group, likely state-sponsored, due to overlap in tactics and tools.
Q: What should organizations do to secure their ASA devices?
A: Patch immediately, reset credentials, restore to factory defaults, and replace unsupported hardware.