Cisco Warns of Critical Firewall Flaws; Urgent Patching Advised to Prevent Attacks
November 6, 2025
Cisco has disclosed a new attack variant against devices running Secure Firewall ASA and FTD software, exploiting CVE-2025-20333 and CVE-2025-20362 to cause reboots and denial-of-service on unpatched systems.
An advisory updated on November 5, 2025 warns that threat actors are actively targeting unpatched systems, with device reloads and DoS disruptions observed.
Cisco emphasizes that a critical remote code execution flaw in Secure Firewall ASA/FTD (CVE-2025-20333) is being exploited by attackers.
Security researchers, including Jahmel Harris, are credited with discovering these flaws.
The flaws carry a CVSS score of 9.9 and allow authenticated attackers with VPN credentials to run arbitrary code with root privileges, potentially compromising the device.
The UK NCSC notes that attackers have used zero-day campaigns to deploy RayInitiator and LINE VIPER, signaling a move to more sophisticated threats.
There is no public evidence of exploitation in the wild yet, but rapid patching is strongly advised to minimize risk.
CISA added these vulnerabilities to its Known Exploited Vulnerabilities catalog earlier this year, underscoring active exploitation risk.
Affected configurations include ASA with AnyConnect IKEv2, MUS, or SSL VPN, and FTD devices with IKEv2 remote access or SSL VPN enabled in management interfaces.
ArcaneDoor-linked activity is associated with the affected software across supported platforms, though confirmed compromises are currently limited to ASA/FTD deployments.
Exploits have already appeared in the wild, according to Cisco’s Event Response team.
The vulnerability stems from inadequate input validation in the VPN web server when handling HTTP(S) requests, enabling exploitation via remote access features.
Summary based on 4 sources
Sources

The Register • Nov 6, 2025
Cisco warns of 'new attack variant' battering firewalls under exploit for 6 months
The Hacker News • Nov 6, 2025
Cisco Warns of New Firewall Attack Exploiting CVE-2025-20333 and CVE-2025-20362
CybersecurityNews • Nov 6, 2025
Cisco Warns of Hackers Actively Exploiting ASA and FTD 0-day RCE Vulnerability in the Wild
Security Affairs • Nov 6, 2025
Cisco became aware of a new attack variant against Secure Firewall ASA and FTD devices