Critical Zero-Day Vulnerabilities Discovered in Cisco ASA Devices


By Tina Reynolds


Cisco has identified two concurrent zero-day vulnerabilities in its Adaptive Security Appliance (ASA) platform. The vulnerabilities are limited to specific versions of Cisco Firepower. Tracked as CVE-2025-20333 and CVE-2025-20362, they are high-severity network security risks, and CVE-2025-20333 is said to be actively exploited. The Cybersecurity and Infrastructure Security Agency (CISA) has recently released an emergency directive calling for urgent mitigation actions.

CVE-2025-20333 received a critical Common Vulnerability Scoring System (CVSS) score of 9.9. It allows an authenticated attacker with valid VPN credentials to execute arbitrary code as root on affected devices. The flaw stems from improper validation of user-supplied input in HTTP(S) requests; a remote attacker can exploit it by sending specially crafted HTTP requests to the affected device.

CVE-2025-20362 has a CVSS score of 6.5. It allows a remote, unauthenticated attacker to enumerate protected URL endpoints without authenticating. Like the first vulnerability, it originates from insufficient validation of user input in HTTP(S) requests, and it is exploited by sending specially crafted HTTP GET requests.

Active Exploitation Campaign

Cisco is also aware of real-world exploitation of both vulnerabilities, and the campaign is already broad in reach. The actor behind this activity is tracked as UAT4356, also known as Storm-1849. By exploiting both flaws, the actor achieves unauthenticated remote code execution on ASAs, then uses the device's read-only memory (ROM) to maintain persistence across reboots and system updates.

“CISA is aware of an ongoing exploitation campaign by an advanced threat actor targeting Cisco Adaptive Security Appliances (ASA),” – CISA

CISA has emphasized the urgency of the situation, stating that “the campaign is widespread and involves exploiting zero-day vulnerabilities.” This kind of activity poses a significant danger to victims’ networks, and organizations need to act quickly and decisively to protect their devices.

Recommendations for Mitigation

Any organization that operates Cisco ASA devices is strongly advised to install the most recent patches and updates that Cisco has released. The company has issued several security advisories that announce the vulnerabilities and describe the mitigation steps network administrators need to take to safeguard their networks.

Reducing the attack surface with stricter access controls and closely monitoring network traffic for suspicious activity can help identify exploitation attempts. CISA urges all users to stay alert and to report any suspicious activity to their security team immediately.
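As an added illustration of the monitoring advice above (example code written for this article, not from Cisco or the original author): a small Python check that flags a source address fetching several distinct protected paths with a 2xx response and no authenticated user, the pattern a defender would expect if protected endpoints were being enumerated without authentication, as described for CVE-2025-20362. The log format, the `/protected/` prefix and the sample lines are constructed assumptions, not Cisco's actual log format.

```python
import re
from collections import defaultdict

# Constructed sample of CLF-style access log lines as they might be exported
# from an ASA's HTTPS interface. The format, paths and addresses are assumed
# for this example and are not taken from Cisco documentation.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2025:10:00:01 +0000] "GET /protected/a HTTP/1.1" 200 512
203.0.113.5 - - [25/Sep/2025:10:00:02 +0000] "GET /protected/b HTTP/1.1" 200 480
203.0.113.5 - - [25/Sep/2025:10:00:02 +0000] "GET /protected/c HTTP/1.1" 200 477
203.0.113.5 - - [25/Sep/2025:10:00:03 +0000] "GET /protected/d HTTP/1.1" 200 499
203.0.113.5 - - [25/Sep/2025:10:00:03 +0000] "GET /protected/e HTTP/1.1" 200 501
198.51.100.7 - alice [25/Sep/2025:10:05:00 +0000] "GET /protected/a HTTP/1.1" 200 512
198.51.100.7 - alice [25/Sep/2025:10:05:04 +0000] "GET /protected/b HTTP/1.1" 200 480
192.0.2.9 - - [25/Sep/2025:10:06:00 +0000] "GET /protected/a HTTP/1.1" 401 0
192.0.2.9 - - [25/Sep/2025:10:06:01 +0000] "GET /protected/b HTTP/1.1" 401 0
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$')

def parse_lines(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def find_unauth_enumeration(text, protected_prefix="/protected/", min_paths=4):
    """Return {src_ip: sorted paths} for sources that fetched at least
    `min_paths` distinct protected paths with no authenticated user and a
    2xx response. 401/403 responses mean access control held and are ignored."""
    hits = defaultdict(set)
    for rec in parse_lines(text):
        if rec["method"] != "GET" or not rec["path"].startswith(protected_prefix):
            continue
        if rec["user"] != "-":              # authenticated session, expected
            continue
        if not rec["status"].startswith("2"):
            continue
        hits[rec["src"]].add(rec["path"])
    return {src: sorted(p) for src, p in hits.items() if len(p) >= min_paths}

if __name__ == "__main__":
    for src, paths in find_unauth_enumeration(SAMPLE_LOG).items():
        print(f"possible unauthenticated enumeration from {src}: {len(paths)} paths")
```

The threshold and prefix are tunable; a single anonymous 2xx on a protected path is not flagged on its own, so the check surfaces the breadth of access rather than one stray request.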