Cisco warns of ‘new attack variant’ battering firewalls under exploit for 6 months

Summary

Cisco has warned of a fresh variant of ongoing attacks against devices running Cisco Secure ASA and Cisco Secure FTD that are affected by CVE-2025-20333 and CVE-2025-20362. The new variant forces unpatched firewalls to continually reload, causing denial-of-service conditions. These strikes have been active since at least May and were first patched in September; Cisco is working with US and UK agencies and has a dedicated investigation team.

Separately, Cisco disclosed two critical vulnerabilities in Unified Contact Center Express (Unified CCX) — CVE-2025-20354 (Java RMI auth bypass/RCE, CVSS 9.8) and CVE-2025-20358 (authentication bypass, CVSS 9.4). Cisco recommends upgrading to fixed releases (12.5 SU3 ES07 or 15.0 ES01) to remediate these flaws.

Key Points

  • New attack variant targets ASA and FTD firewalls vulnerable to CVE-2025-20333 and CVE-2025-20362, forcing continual reloads and causing DoS.
  • Exploitation activity has been ongoing since May; Cisco originally issued patches in September after evidence of active exploitation by an advanced threat actor.
  • Attackers have used advanced evasion techniques — disabling logging, intercepting CLI commands, intentionally crashing devices and, in some cases, modifying ROMmon to persist across reboots and upgrades.
  • Cisco, together with US and UK government agencies, has linked the campaign to the group behind ArcaneDoor/UAT4356; Cisco has a specialised team handling investigations and affected customers.
  • Two new critical Unified CCX flaws (CVE-2025-20354 and CVE-2025-20358) allow unauthenticated file upload, command execution with root privileges or script execution as internal users; Cisco urges upgrades to fixed releases.
  • No public reports yet of in-the-wild exploitation for the Unified CCX bugs, but their high CVSS scores make immediate patching advisable.

Context and relevance

This advisory matters to network and security teams, especially organisations running Cisco ASA/FTD firewalls or Unified CCX contact-centre software. The campaign follows a pattern of state-grade actors targeting infrastructure appliances to gain persistence, steal data and disrupt services — a trend that increasingly focuses on routing and perimeter devices rather than just servers or endpoints.

Key operational takeaways: ensure your ASA/FTD systems are patched for CVE-2025-20333 and CVE-2025-20362; verify ROMmon integrity and look for indicators of tampering; upgrade Unified CCX to the fixed releases; review logs (if available) and engage incident response if you suspect compromise.

Why should I read this?

Short version: if you run Cisco ASA/FTD or Unified CCX, this is your fire-drill. These bugs have been weaponised for months and the attackers are clever — disabling logging and even modifying boot firmware. We’ve done the reading for you: apply the ASA/FTD fixes if you haven’t, upgrade CCX to 12.5 SU3 ES07 or 15.0 ES01, check ROMmon integrity and kick off IR if anything looks off. Don’t be the one saying “I thought we were patched”.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2025/11/06/cisco_firewall_ongoing_attacks/