Cisco ASA Zero-Day Attack puts global networks on high alert

A critical Cisco ASA zero-day vulnerability allows attackers to hijack sessions and bypass Duo MFA. CISA has issued an emergency directive as an advanced threat group, ArcaneDoor, actively exploits the flaw.

Punam Singh

Cisco has issued an urgent advisory about a zero-day vulnerability in its Adaptive Security Appliance (ASA) devices. The flaw is currently under active exploitation by an advanced threat group, allowing them to hijack sessions and bypass Duo multifactor authentication (MFA). This vulnerability, which does not require valid credentials, has exposed enterprise and government networks to intrusion.

This vulnerability, or more accurately, a chain of two vulnerabilities (CVE-2025-20333 and CVE-2025-20362), allows attackers to hijack sessions and bypass Duo multifactor authentication (MFA). The attack works by sending crafted requests that manipulate session handling within ASA, tricking the system into thinking the Duo challenge was already satisfied. This means a stolen or guessed username and password can grant an attacker full access to a network, circumventing what is often considered a last line of defense.

Cisco ASA devices are widely used by organisations to secure VPNs and internal networks. A flaw in this critical network component has global implications, as it provides a gateway for attackers to gain a foothold in a network. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has already issued an emergency directive, ordering federal agencies to identify and mitigate potential compromises. The directive, which has a tight deadline of October 2nd, is a clear signal to all organisations that they need to act now.

The Anatomy of the Attack

The threat actor behind this campaign is a group known as ArcaneDoor, also tracked as UAT4356 or Storm-1849. Their tactics are sophisticated and focus on breaking into the "gateway" devices, such as firewalls and VPN concentrators, that protect a network's interior. In this latest campaign, they are chaining the two vulnerabilities, CVE-2025-20333 and CVE-2025-20362, to bypass authentication and execute malicious code on susceptible appliances.

Once inside, the attackers are known to deploy custom malware. CISA and the UK's National Cyber Security Centre (NCSC) have identified several malware families used by this group, including Line Runner and Line Dancer. These malware families can provide persistent access, allowing the attackers to steal data or conduct further espionage. CISA has also noted that the threat actor has demonstrated a capability to modify read-only memory (ROM) on affected devices, which allows their malware to persist through reboots and system upgrades, making it harder to remove.