Security Bulletin: Cisco ASA/FTD Firewall & IOS/IOS XE SNMP Zero-Days

Overview
Within the last 48 hours, Cisco and multiple government sources disclosed active exploitation of two zero-day vulnerabilities in Cisco Secure Firewall Adaptive Security Appliance (ASA) and Firepower Threat Defence (FTD) VPN web services (CVE-2025-20333, CVE-2025-20362). These can be chained to gain unauthenticated access and remote code execution on affected firewalls. CISA has issued Emergency Directive ED 25-03 due to the scale and sophistication of activity linked to the ArcaneDoor threat cluster, including ROM/bootloader manipulation for persistence.
Separately, Cisco disclosed an actively exploited SNMP vulnerability (CVE-2025-20352) affecting IOS and IOS XE devices with SNMP enabled. Under certain conditions, authenticated attackers can trigger DoS or achieve code execution (privilege-dependent). Cisco notes fixes are available (e.g., IOS XE 17.15.4a).
Cisco has also published a dedicated Detection Guide for continued attacks against ASA/FTD VPN head ends, including indicators such as specific suppressed syslog IDs, checks for disabled checkheaps, and bootloader/ROMMON verification cues after upgrade.
Recommended Actions
PLEASE NOTE: If you are a Protos Networks NOC customer, our Network Operations Team is currently reviewing your exposure to these vulnerabilities and will contact you to arrange the necessary changes or upgrades, where applicable.
For Cisco ASA/FTD Firewalls (VPN head ends)
- Patch/Upgrade immediately to Cisco’s fixed releases for CVE-2025-20333 and CVE-2025-20362 (ASA/FTD). Prioritise public-facing devices.
- Follow Cisco’s Detection Guide to hunt for signs of compromise:
  - Review for suppressed syslog IDs 302013, 302014, 609002, 710005.
  - Run the “show checkheaps” command repeatedly (once per minute for 5 minutes) and confirm that the “Total number of runs” counter has increased.
  - After upgrading ASA 5512-X/5515-X/5525-X/5545-X/5555-X to 9.12.4.72 or 9.14.4.28, check for disk0:/firmware_update.log; its presence may indicate prior compromise.
- If compromise is suspected, isolate the device from the network (do not power it off) and collect forensics. Public bodies should follow the ED 25-03 core-dump and hunt steps; private organisations can mirror the same process and engage incident response.
- Verify no end-of-support models remain Internet-exposed; plan accelerated replacement where applicable.
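The three Detection Guide checks above can be applied to captured CLI output rather than read by eye. The following is an added example written for this bulletin, not Cisco's or Protos Networks' code; the running-config, “show checkheaps” and “dir disk0:” samples are constructed, and the output formats are assumed to match the regexes used.

```python
import re

# Syslog IDs that the Detection Guide lists as suppressed on compromised ASA/FTD
SUPPRESSED_IDS = {"302013", "302014", "609002", "710005"}

# Constructed excerpt of an ASA running-config (hypothetical device, not real data)
SAMPLE_CONFIG = """\
hostname asa-edge-1
logging enable
no logging message 302013
no logging message 710005
no logging message 106023
logging host inside 10.0.0.5
"""

# Constructed 'show checkheaps' captures taken a minute apart; the counter has
# not moved, which is the condition the guide treats as suspicious
CHECKHEAPS_SAMPLES = [
    "Checkheaps stats from buffer validation runs\nTotal number of runs: 1042\n",
    "Checkheaps stats from buffer validation runs\nTotal number of runs: 1042\n",
]

# Constructed 'dir disk0:' excerpt captured after the upgrade
DIR_DISK0 = """\
Directory of disk0:/
  12  -rwx  4096   12:01:10 Sep 26 2025  firmware_update.log
  13  -rwx  1024   12:01:12 Sep 26 2025  coredumpinfo
"""

def suppressed_syslog_ids(running_config: str) -> set[str]:
    """Return guide-listed IDs disabled via 'no logging message <id>' lines."""
    found = set(re.findall(r"^\s*no logging message (\d{6})\s*$", running_config, re.M))
    return found & SUPPRESSED_IDS

def checkheaps_runs(show_checkheaps: str) -> int:
    """Parse the 'Total number of runs' counter from 'show checkheaps' output."""
    m = re.search(r"Total number of runs:\s*(\d+)", show_checkheaps)
    if not m:
        raise ValueError("'Total number of runs' not found in show checkheaps output")
    return int(m.group(1))

def checkheaps_stalled(samples: list[str]) -> bool:
    """True when the counter did not increase between the first and last capture."""
    counts = [checkheaps_runs(s) for s in samples]
    return len(counts) > 1 and counts[-1] <= counts[0]

def firmware_update_log_present(dir_output: str) -> bool:
    """True if firmware_update.log appears in a 'dir disk0:' listing."""
    return re.search(r"\bfirmware_update\.log\b", dir_output) is not None

if __name__ == "__main__":
    print("suppressed IDs:", sorted(suppressed_syslog_ids(SAMPLE_CONFIG)))
    print("checkheaps stalled:", checkheaps_stalled(CHECKHEAPS_SAMPLES))
    print("firmware_update.log present:", firmware_update_log_present(DIR_DISK0))
```

Any of the three findings warrants the isolate-and-collect-forensics step rather than a reboot or cleanup.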
For Cisco IOS/IOS XE (Switches/Routers)
- Apply the fixes for CVE-2025-20352 (e.g., IOS XE 17.15.4a, where applicable).
- Restrict or temporarily disable SNMP where operationally feasible; limit to trusted managers and management networks; monitor with show snmp host.
- Ensure SNMPv3 is used with strong auth/priv, remove legacy community strings and review device admin accounts.
Cross-cutting
- Credential hygiene & MFA for admin accounts; monitor for “impossible travel” on VPN logins as per Cisco guidance.
- Increase logging temporarily to aid detection; ensure syslog ingestion of ASA message IDs listed above.
Tactics, Techniques and Procedures (TTPs)
The attackers use the following TTPs, aligned with the MITRE ATT&CK framework, where applicable:
- Exploit Public-Facing Application (T1190): ASA/FTD VPN web services targeted with a zero-day chain.
- Valid Accounts (T1078): Use stolen credentials to establish VPN sessions; look for geographic “impossible travel”.
- Modify Boot or Firmware (T1542.003): ROM/bootloader manipulation for persistence on ASA 5500-X models.
- Exploitation of Remote Services (T1210) / SNMP Abuse: Authenticated exploitation of SNMP on IOS/IOS XE.
Indicators of Compromise
Type | Value/Pattern | Description
Syslog message IDs | 302013, 302014, 609002, 710005 | Suppression observed as counter-forensics on ASA/FTD.
Command output | show checkheaps: “Total number of runs” not increasing | Potential ASA tampering; indicates disabled memory validation routine.
File on disk | disk0:/firmware_update.log | Presence after upgrade to 9.12.4.72/9.14.4.28 suggests prior compromise.
If your organisation requires further assistance, guidance or support, please contact [email protected].
References:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-x4LPhte
Need Advice?
If you need any advice on this issue or any other cyber security subjects, please contact Protos Networks.
Email: [email protected]
Tel: 0333 370 1353