Overview
- Shadowserver counted more than 48,800 internet-facing ASA/FTD instances still vulnerable as of September 29, including over 19,000 in the United States.
- The exploited bugs, CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362 (CVSS 6.5), enable remote, unauthenticated code execution and access to restricted VPN endpoints.
- CISA issued a 24-hour emergency directive for FCEB agencies to identify, patch, or disconnect affected devices, warning that failure to act poses an unacceptable risk.
- The U.K. NCSC says attackers are using the RayInitiator bootkit and Line Viper shellcode loader, indicating evolved persistence techniques consistent with ArcaneDoor.
- Cisco confirmed attacks began before patches were available. With no official workarounds, organizations are urged to update or retire end-of-life hardware and to restrict VPN interface exposure while increasing monitoring.