Scrape Timestamp (UTC): 2025-09-25 18:21:08.147
Source: https://thehackernews.com/2025/09/urgent-cisco-asa-zero-day-duo-under.html
Original Article Text
Urgent: Cisco ASA Zero-Day Duo Under Attack; CISA Triggers Emergency Mitigation Directive
Cisco is urging customers to patch two security flaws impacting the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software, which it said have been exploited in the wild. The zero-day vulnerabilities in question are listed below -
Cisco said it's aware of "attempted exploitation" of both vulnerabilities, but did not reveal who may be behind it, or how widespread the attacks are. It's suspected that the two vulnerabilities are being chained to bypass authentication and execute malicious code on susceptible appliances. It also credited the Australian Signals Directorate, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security, U.K. National Cyber Security Centre (NCSC), and U.S. Cybersecurity and Infrastructure Security Agency (CISA) for supporting the investigation.
CISA Issues Emergency Directive ED 25-03
In a separate alert, CISA said it's issuing an emergency directive urging federal agencies to identify, analyze, and mitigate potential compromises with immediate effect. In addition, both vulnerabilities have been added to the Known Exploited Vulnerabilities (KEV) catalog, giving the agencies 24 hours to apply the necessary mitigations.
"CISA is aware of an ongoing exploitation campaign by an advanced threat actor targeting Cisco Adaptive Security Appliances (ASA)," the agency noted. "The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. This activity presents a significant risk to victim networks."
The agency also noted that the activity is linked to a threat cluster dubbed ArcaneDoor, which was previously identified as targeting perimeter network devices from several vendors, including Cisco, to deliver malware families like Line Runner and Line Dancer. The activity was attributed to a threat actor dubbed UAT4356 (aka Storm-1849). "This threat actor has demonstrated a capability to successfully modify ASA ROM at least as early as 2024," CISA added. "These zero-day vulnerabilities in the Cisco ASA platform are also present in specific versions of Cisco Firepower. Firepower appliances' Secure Boot would detect the identified manipulation of the ROM."
Daily Brief Summary
Cisco has identified two zero-day vulnerabilities in its Secure Firewall ASA and FTD Software, urging immediate patching due to active exploitation attempts.
The vulnerabilities allow attackers to bypass authentication and execute malicious code, posing significant risks to affected systems.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive for federal agencies to address these vulnerabilities within 24 hours.
The campaign is linked to the ArcaneDoor threat cluster, known for targeting network devices and delivering malware such as Line Runner and Line Dancer.
CISA's directive includes adding the vulnerabilities to the Known Exploited Vulnerabilities catalog, requiring swift action to mitigate potential compromises.
The threat actor, identified as UAT4356 (aka Storm-1849), has shown the capability to modify ASA ROM, maintaining persistence through reboots and upgrades.
Collaboration with international cybersecurity agencies, including those from Australia, Canada, and the UK, has been crucial in investigating these vulnerabilities.
Organizations using affected Cisco appliances should prioritize patching and review their security posture to prevent unauthorized access and potential data breaches.