Particle.news

CISA Issues Emergency Order as ArcaneDoor Exploits Cisco Firewall Zero‑Days

Cyber agencies worldwide say ArcaneDoor-linked intrusions require immediate inventory, memory forensics, and patching, as well as removal of unsupported hardware.

Overview

  • Cisco released emergency fixes for ASA/FTD flaws CVE-2025-20333 and CVE-2025-20362, which investigators say were used together to gain full control of targeted devices.
  • CISA’s Emergency Directive 25-03 requires federal agencies to inventory all ASA and Firepower gear, collect memory forensics, patch within 24 hours, disconnect compromised units, and retire end‑of‑support models.
  • Cisco reports attackers modified ROMMON for persistence on older ASA 5500‑X devices lacking Secure Boot and Trust Anchor protections, including 5512‑X, 5515‑X, 5525‑X, 5545‑X, 5555‑X, and 5585‑X.
  • UK NCSC, ACSC, and Canada’s cyber center issued parallel alerts, published malware analyses for RayInitiator and LINE VIPER, and urged password, key, and certificate rotation plus replacement of legacy hardware.
  • A separate IOS/IOS XE SNMP zero‑day (CVE-2025-20352) was patched after in‑the‑wild exploitation, potentially affecting up to two million devices with SNMP enabled, with temporary mitigation limited to restricting SNMP access.
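The interim SNMP mitigation mentioned in the last point, shown as an added configuration example that is not from the page, from Cisco, or from any of the agencies named above. It assumes a single management station at the placeholder address 192.0.2.10 and that SNMP is still needed; the ACL number, group, user and credential placeholders are constructed for illustration.

```cisco
! Constructed example: limit which source hosts may reach the SNMP agent.
! Placeholder management station address; replace with the real NMS.
access-list 10 permit host 192.0.2.10
access-list 10 deny any log

! Weak setting (do not use): a community string reachable from any source.
! snmp-server community public RO

! Tighter setting: bind every SNMP entry point to the ACL above, so only the
! management station can exercise the SNMP code path at all.
snmp-server community <strong-community-placeholder> RO 10

! Preferable: SNMPv3 with authentication and encryption, still restricted by ACL.
snmp-server group MGMT v3 priv access 10
snmp-server user netmon MGMT v3 auth sha <auth-pass-placeholder> priv aes 128 <priv-pass-placeholder>

! If SNMP is not required on a device, remove it entirely until the fix is applied.
! no snmp-server
```

The ACL only reduces exposure; the directive and advisories above treat applying the vendor fix as the actual remediation, with the `deny any log` entry giving a detection signal for unexpected SNMP sources in the meantime.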