Cisco ASA customers urged to take immediate action as NCSC, CISA issue critical vulnerability warnings
Cisco customers are urged to upgrade and secure systems immediately
Security agencies are warning that hackers are exploiting vulnerabilities in Cisco Adaptive Security Appliance (ASA) 5500-X Series devices to install malware, execute commands, and steal data.
The first vulnerability, tracked as CVE-2025-20333, allows authenticated attackers to execute arbitrary code on devices using ASA and Firewall Threat Defense (FTD) software.
Meanwhile, a second vulnerability (CVE-2025-20362) allows them to access restricted URL endpoints without authentication.
"In May 2025, Cisco was engaged by multiple government agencies that provide incident response services to government organizations to support the investigation of attacks that were targeting certain Cisco Adaptive Security Appliance (ASA) 5500-X Series devices that were running Cisco Secure Firewall ASA Software with VPN web services enabled," the networking giant said in a customer advisory.
"Attackers were observed to have exploited multiple zero-day vulnerabilities and employed advanced evasion techniques such as disabling logging, intercepting CLI commands, and intentionally crashing devices to prevent diagnostic analysis."
CISA, NCSC respond to Cisco ASA flaws
According to the US Cybersecurity and Infrastructure Security Agency (CISA), the campaign is “widespread” and connected with “ArcaneDoor” activity identified early last year.
This threat campaign targeted perimeter network devices from several vendors, including Cisco, to deliver malware strains such as Line Runner and Line Dancer.
"CISA is directing agencies to account for all Cisco ASA and Firepower devices, collect forensics and assess compromise via CISA-provided procedures and tools, disconnect end-of-support devices, and upgrade devices that will remain in service," the agency said.
The UK's National Cyber Security Centre (NCSC) has also issued guidance in the wake of the exploitation. The cybersecurity agency noted that some Cisco ASA 5500-X series models will be out of support from September 2025 and August 2026.
With this in mind, enterprises using these models should take immediate action to mitigate potential risks.
“It is critical for organizations to take note of the recommended actions highlighted by Cisco today, particularly on detection and remediation,” said NCSC chief technology officer Ollie Whitehouse.
“We strongly encourage network defenders to follow vendor best practices and engage with the NCSC’s malware analysis report to assist with their investigations.
“End-of-life technology presents a significant risk for organisations. Systems and devices should be promptly migrated to modern versions to address vulnerabilities and strengthen resilience.”
New malware strains are a potent threat
New RayInitiator and Line Viper malware strains believed to be used in attacks represent a “significant evolution” on Line Dancer and Line Runner, the NCSC warned, particularly in terms of sophistication and their ability to evade detection.
CISA has now issued a directive ordering federal agencies - which have already been targeted - to identify, analyze, and mitigate potential compromises immediately.
"CISA is directing agencies to account for all Cisco ASA and Firepower devices, collect forensics and assess compromise via CISA-provided procedures and tools, disconnect end-of-support devices, and upgrade devices that will remain in service," it said.
"These actions are directed to address the immediate risk, assess compromise, and inform analysis of the ongoing threat actor campaign."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.

