Outbreak Alert: Cisco ASA and FTD Firewall RCE
Released: Dec 18, 2025  Updated: Apr 27, 2026
Cisco ASA and FTD Firewall Zero-day Vulnerability Attack
Severity: Critical  Vendor: Cisco

Overview

Espionage Campaign Targeting Perimeter Network Devices

Critical zero-day vulnerabilities affecting Cisco Secure Firewall Adaptive Security Appliance (ASA) and Cisco Secure Firewall Threat Defense (FTD) software have been actively exploited in the wild. The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. This activity presents a significant risk to victim networks.

Common Vulnerabilities and Exposures
CVE-2025-20333
CVE-2025-20362
CVE-2025-20363

Background

This threat activity has been linked to an advanced threat actor associated with the ArcaneDoor campaign (also tracked as UAT4356 / Storm-1849). Cisco assesses with high confidence that the observed exploitation aligns with ArcaneDoor activity first identified in early 2024. The associated vulnerabilities were publicly disclosed and patched on September 25, 2025, prompting the Cybersecurity and Infrastructure Security Agency (CISA) to issue Emergency Directive (ED) 25-03, which mandates the immediate identification, remediation, and mitigation of potentially compromised devices across affected environments.

Malware and foothold implants have been observed using these vulnerabilities to:
• Establish remote code execution contexts on perimeter devices.
• Maintain persistence across reboots and software upgrades on systems that lack secure boot technology.
• Pivot deeper into internal networks, exfiltrate data, or enable additional post-compromise operations.
This campaign highlights a sustained effort by sophisticated adversaries to weaponize zero-day flaws in widely deployed Cisco security appliances, with the goal of espionage and long-term persistence.

Latest Development

Customers are strongly urged to follow the instructions in the Cisco security advisory for complete version details, mitigation steps, and updated guidance. FortiGuard customers are protected by multiple layers of defense against these exploits; refer to the Solutions section for details.

April 23, 2026: Cisco Talos and CISA warned that threat actor UAT-4356 continues to actively target Cisco Firepower devices running the Firepower eXtensible Operating System (FXOS) by exploiting the known vulnerabilities CVE-2025-20333 and CVE-2025-20362. https://blog.talosintelligence.com/uat-4356-firestarter/

September 25, 2025: CISA released Emergency Directive 25-03. https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices

September 25, 2025: Cisco released a security advisory. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-code-exec-WmfP3h3O

April 24, 2024: FortiGuard Labs released a Threat Signal on the ArcaneDoor attack campaign (2024) and has since provided updates on the newly found vulnerabilities. https://www.fortiguard.com/threat-signal-report/5429/arcanedoor-attack-cisco-asa-zero-day

FortiGuard Cybersecurity Framework
Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.
PROTECT
IPS: Detects and blocks attack attempts leveraging the vulnerability.
  FortiADC DB 35.135
  FortiGate DB 35.135
  FortiNDR DB 35.135
  FortiNDR Cloud DB 35.135
  FortiProxy DB 35.135
  FortiSASE DB 35.135

DETECT
IOC: FortiAnalyzer, FortiCloud SOCaaS, FortiSIEM, FortiSOAR
Outbreak Detection: FortiAnalyzer DB 2.00089, FortiNDR Cloud, FortiSIEM, FortiSOAR DB 1.0

RESPOND
Automated Response: Services that can automatically respond to this outbreak. FortiXDR
Assisted Response Services: Experts to assist you with analysis, containment and response activities. Incident Response

RECOVER
NOC/SOC Training: Train your network and security professionals and optimize your incident response to stay on top of cyberattacks. NSE Training, Response Readiness
End-User Training: Raise security awareness among your employees, who are continuously targeted by phishing, drive-by downloads and other forms of cyberattack. Security Awareness & Training

IDENTIFY
Attack Surface Hardening: Check Security Fabric devices to build actionable configuration recommendations and key indicators. Security Rating

References
ArcaneDoor - Cisco Blog
ED 25-03 - CISA
About FortiGuard Outbreak Alerts
Multiple critical zero-day vulnerabilities, CVE-2025-20333 (CVSS 9.9), CVE-2025-20362 (CVSS 6.5), and CVE-2025-20363 (CVSS 9.0), are being actively exploited against Cisco ASA and FTD firewalls, with implants capable of persisting through reboots. CVE-2025-20362 lets an unauthenticated remote attacker reach restricted URL endpoints of the VPN web server; chained with CVE-2025-20333, a code-execution flaw in the same web server that on its own requires valid VPN user credentials, the pair yields unauthenticated remote code execution. CVE-2025-20363 is a separate remote code execution flaw in the device's web services. Affected versions include Cisco Adaptive Security Appliance Software 9.12 through 9.12.4.71, 9.14 through 9.14.4.27, 9.16 through 9.16.4.84, and other ranges specified in the Cisco advisory. Cisco has released fixed versions, such as 9.12.4.72, 9.14.4.28, and 9.16.4.85, which must be applied immediately; versions in trains not listed here should be checked against the advisory's full fixed-release table rather than assumed safe.
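As an added example (not FortiGuard's or Cisco's code), the check below turns the version ranges quoted above into something an operator can run against `show version` output from an ASA. It encodes only the three trains this page lists (9.12, 9.14, 9.16) and reports any other train as "check the advisory" rather than guessing a fixed release; FTD's own 7.x numbering is not covered. It accepts both the advisory form of a version (9.16.4.70) and the form ASA prints (9.16(4)70), and it compares numeric tuples rather than strings, because a string comparison would order 9.16.4.9 after 9.16.4.85 and misreport a vulnerable interim build as fixed. The sample `show version` text is constructed for the example.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, maintenance, interim)

# First fixed release per affected train, as stated on this page. Trains the
# page does not list (9.17 and later) are deliberately not encoded here.
FIXED_BY_TRAIN = {
    (9, 12): (9, 12, 4, 72),
    (9, 14): (9, 14, 4, 28),
    (9, 16): (9, 16, 4, 85),
}

# `show version` prints e.g. "Software Version 9.16(4)70"; advisories write 9.16.4.70.
_PAREN = re.compile(r"(\d+)\.(\d+)\((\d+)\)(\d*)")
_DOTTED = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?")


def parse_asa_version(text: str) -> Optional[Version]:
    """Extract the first ASA version in either notation; None if absent."""
    m = _PAREN.search(text) or _DOTTED.search(text)
    if not m:
        return None
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def assess(version: Version) -> str:
    """Classify a version against the fixed releases listed on this page."""
    fixed = FIXED_BY_TRAIN.get(version[:2])
    if fixed is None:
        return "unknown train: check the Cisco advisory fixed-release table"
    if version < fixed:  # numeric tuple comparison, not string comparison
        return "vulnerable: upgrade to %d.%d.%d.%d" % fixed
    return "fixed"


def assess_show_version(output: str) -> str:
    """Run the check directly on captured `show version` text."""
    version = parse_asa_version(output)
    if version is None:
        return "no ASA version found in output"
    return assess(version)


def string_compare_is_wrong() -> bool:
    """Demonstrates why tuples are used: the string order is inverted."""
    return "9.16.4.9" > "9.16.4.85" and (9, 16, 4, 9) < (9, 16, 4, 85)


# Constructed sample of the top of `show version` on an ASA (not from a real device).
SAMPLE_SHOW_VERSION = (
    "Cisco Adaptive Security Appliance Software Version 9.16(4)70\n"
    "Device Manager Version 7.16(1)\n"
)

if __name__ == "__main__":
    print(assess_show_version(SAMPLE_SHOW_VERSION))
    for s in ("9.12.4.71", "9.12.4.72", "9.16.4.9", "9.20.4.5"):
        print(s, "->", assess(parse_asa_version(s)))
```

Feed it the first lines of `show version` from each ASA (or the version column of an inventory export); anything reported as an unknown train still needs a manual lookup against the Cisco advisory, and a "fixed" result says nothing about whether the device was compromised before the upgrade, which is what ED 25-03's forensic steps address.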