Cisco ASA customers urged to take immediate action as NCSC, CISA issue critical vulnerability warnings
Cisco customers are urged to upgrade and secure systems immediately
Security agencies are warning that hackers are exploiting vulnerabilities in Cisco Adaptive Security Appliance (ASA) 5500-X Series devices to install malware, execute commands, and steal data.
The first vulnerability, tracked as CVE-2025-20333, allows authenticated attackers to execute arbitrary code on devices using ASA and Firewall Threat Defense (FTD) software.
Meanwhile, a second vulnerability (CVE-2025-20362) allows them to access restricted URL endpoints without authentication.
"In May 2025, Cisco was engaged by multiple government agencies that provide incident response services to government organizations to support the investigation of attacks that were targeting certain Cisco Adaptive Security Appliance (ASA) 5500-X Series devices that were running Cisco Secure Firewall ASA Software with VPN web services enabled," the networking giant said in a customer advisory.
"Attackers were observed to have exploited multiple zero-day vulnerabilities and employed advanced evasion techniques such as disabling logging, intercepting CLI commands, and intentionally crashing devices to prevent diagnostic analysis."
CISA, NCSC respond to Cisco ASA flaws
According to the US Cybersecurity and Infrastructure Security Agency (CISA), the campaign is 'widespread' and connected with “ArcaneDoor” activity identified early last year
This threat campaign targeted perimeter network devices from several vendors, including Cisco, to deliver malware strains such as Line Runner and Line Dancer.
"CISA is directing agencies to account for all Cisco ASA and Firepower devices, collect forensics and assess compromise via CISA-provided procedures and tools, disconnect end-of-support devices, and upgrade devices that will remain in service," the agency said.
The UK's National Cyber Security Centre (NCSC) has also issued guidance in the wake of the exploitation. The cybersecurity agency noted that some Cisco ASA 5500-X series models will be out of support from September 2025 and August 2026.
With this in mind, enterprises using these models should take immediate action to mitigate potential risks.
“It is critical for organizations to take note of the recommended actions highlighted by Cisco today, particularly on detection and remediation,” said NCSC chief technology officer Ollie Whitehouse.
“We strongly encourage network defenders to follow vendor best practices and engage with the NCSC’s malware analysis report to assist with their investigations.
“End-of-life technology presents a significant risk for organisations. Systems and devices should be promptly migrated to modern versions to address vulnerabilities and strengthen resilience.”
New malware strains are a potent threat
New RayInitiator and Line Viper malware strains believed to be used in attacks represent a “significant evolution” on Line Dancer and Line Runner, the NCSC warned, particularly in terms of sophistication and their ability to evade detection.
CISA has now issued a directive ordering federal agencies - which have already been targeted - to identify, analyze, and mitigate potential compromises immediately.
"CISA is directing agencies to account for all Cisco ASA and Firepower devices, collect forensics and assess compromise via CISA-provided procedures and tools, disconnect end-of-support devices, and upgrade devices that will remain in service," it said.
"These actions are directed to address the immediate risk, assess compromise, and inform analysis of the ongoing threat actor campaign.”
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- Cisco polishes its platform but the network is still king
- 96% of businesses have low cyber-readiness, claims Cisco
- Cisco promises AI training for a million Americans
-
Google says AI is now being used to build zero-day exploitsNews Google cyber researchers think they’ve found the first AI-generated zero-day exploit
-
Changes to EU AI Act implementation deadlines welcomed by industryNews New implementation deadlines for the EU AI Act could help remove “genuine friction” for European companies
-
Claude users beware, hackers are using a fake website to dupe developers and deliver malwareNews 'Beagle' is deployed through a Dynamic Link Library (DLL) sideloading chain, and gives attackers remote access to the system
-
North Korean hackers are duping freelance developers with fake interviews to steal cryptocurrency and deliver malware — Sophos warns the 'Nickel Alley' group is using LinkedIn, Upwork, and Fiverr to target victimsNews A fake interview process uses coding tests and repo downloads to deliver malware
-
‘The build pipeline is becoming the new frontline’: Axios npm compromise highlights growing software supply chain risks, experts warnNews Cyber criminals exploited a hijacked maintainer account to compromise one of the world's most widely used JavaScript libraries
-
'It's destructive, not ransomware': Security experts weigh in on motivation behind Stryker cyber attackNews The attack on medical tech company Stryker has severely impacted operations globally
-
Thousands of Asus routers are being used to fuel a massive cyber crime spreeNews Black Lotus Labs has spotted a massive botnet of Asus routers built by malware that uses a common peer networking tool
-
The rise of teen hackers ‘makes for a good headline’, but cyber crime activities peak later in lifeNews With family responsibilities and mortgages to pay, it's not teenagers dishing out malware or carrying out cyber extortion
-
DIY hackers are turning to ‘flat-pack’ malware components to speed up attacks and cut costsNews While these malware campaigns are very basic, researchers noted “they still work”
-
CISOs are keen on agentic AI, but they’re not going all-in yetNews Many security leaders face acute talent shortages and are looking to upskill workers
