Cisco firewalls under attack: patching required

Cisco reports ongoing attacks on its firewall products. The vulnerability can lead to devices restarting and network outages. The company urges customers to update their systems to the latest security versions to prevent further damage.

Cisco warns of a new variant of the attacks that have been targeting its firewall products since May 2025. According to the company, this variant causes devices that have not been updated to the latest software versions to restart continuously, leading to outages of the network security they provide. Cisco’s firewalls have been the target of ongoing exploitation attempts for six months.

The attack targets devices running Cisco Secure ASA and Secure FTD software that are vulnerable to security flaws CVE-2025-20333 and CVE-2025-20362. Cisco released patches in September to fix these bugs. However, the exploitation appears to be continuing. The attacks are part of a broader campaign. Attackers have been exploiting multiple zero-day vulnerabilities in Cisco products for some time.

Advanced threat group

The Register reports that the UK’s National Cyber Security Centre and the US Cybersecurity and Infrastructure Security Agency are involved in the response to this threat. They have determined that the vulnerabilities are being exploited by an advanced threat group. At least one US government agency has been affected. Cisco confirms in its own documentation that it has been working with multiple government agencies that provide incident response services since May, but does not name those agencies or any victims.

According to The Register, Cisco links the new attack to the same group that was responsible for the ArcaneDoor campaign in 2024. That operation exploited unknown vulnerabilities in ASA and FTD firewalls to gain access to government and telecom networks. At the time, Cisco gave that group the internal code name UAT4356. The company does not want to link this threat to a specific state.

Cisco’s own analysis shows that the attackers not only use zero-days, but also techniques to avoid detection. In previous incidents, log functions were disabled, commands were intercepted, and devices were deliberately crashed to cover their tracks. In some cases, the intruders modified the ROM Monitor program of devices so that their malware remained active even after a restart.

The Register adds that, in addition to the firewall issues, Cisco has also fixed two critical vulnerabilities in the Unified Contact Center Express software. These bugs, designated CVE-2025-20354 and CVE-2025-20358, allow remote attackers to upload files or execute commands with root privileges without authentication. Cisco says these vulnerabilities are not yet being actively exploited, but advises users to upgrade immediately to versions 12.5 SU3 ES07 or 15.0 ES01.

Cisco reports that customers should update their firewalls to the fixed software versions to prevent abuse.