Post: CISA orders agencies to patch Cisco flaws exploited in zero-day attacks - Against Invaders - CyberSecurity news for humans.


<div> <div> <p>CISA has issued a new emergency directive ordering U.S. federal agencies to secure their Cisco firewall devices against two flaws that have been exploited in zero-day attacks.</p> <p>Emergency Directive 25-03 was issued to Federal Civilian Executive Branch (FCEB) agencies on September 25 and requires them to patch <a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB" rel="nofollow noopener" target="_blank">CVE-2025-20333</a> and <a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-YROOTUW" rel="nofollow noopener" target="_blank">CVE-2025-20362</a> vulnerabilities in Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) software.</p> <p>&ldquo;The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. This activity presents a significant risk to victim networks,&rdquo; <a href="https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices" rel="nofollow noopener" target="_blank">CISA warned today</a>.</p> <p>&ldquo;CISA is directing agencies to account for all Cisco ASA and Firepower devices, collect forensics and assess compromise via CISA-provided procedures and tools, disconnect end-of-support devices, and upgrade devices that will remain in service.&rdquo;</p> <p>The U.S. 
cybersecurity agency now requires all FCEB agencies to identify all Cisco ASA and Firepower appliances on their networks, disconnect all <a href="https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices" rel="nofollow noopener" target="_blank">compromised devices</a> from the network, and patch those that show no signs of malicious activity by 12 PM EDT on September 26.</p>
<p>Additionally, CISA ordered agencies to permanently disconnect from their networks, by September 30, any ASA devices that are reaching the end of support.</p>
<h2>Exploitation linked to 2024 ArcaneDoor campaign</h2>
<p>Cisco <a href="https://www.bleepingcomputer.com/news/security/cisco-warns-of-asa-firewall-zero-days-exploited-in-attacks/" rel="nofollow noopener" target="_blank">released security updates</a> earlier today to address the two flaws, saying that CVE-2025-20333 can allow authenticated attackers to remotely gain code execution on vulnerable devices, while CVE-2025-20362 enables remote threat actors to access restricted URL endpoints without authentication.</p>
<p>When chained, the two vulnerabilities can enable unauthenticated attackers to remotely gain full control of unpatched devices: the authorization bypass reaches the restricted endpoints, and the code-execution flaw is then triggered without the credentials it would otherwise require.</p>
<p>&ldquo;Attackers were observed to have exploited multiple zero-day vulnerabilities and employed advanced evasion techniques such as disabling logging, intercepting CLI commands, and intentionally crashing devices to prevent diagnostic analysis,&rdquo; <a href="https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks" rel="nofollow noopener" target="_blank">Cisco said today</a>, adding that the attacks targeted 5500-X Series devices with VPN web services enabled.</p>
<p>&ldquo;During our forensic analysis of confirmed compromised devices, in some cases, Cisco has observed the threat actor modifying ROMMON to allow for persistence across reboots and software upgrades.&rdquo;</p>
<p>CISA and Cisco linked these ongoing attacks to the <a href="https://www.bleepingcomputer.com/news/security/arcanedoor-hackers-exploit-cisco-zero-days-to-breach-govt-networks/" rel="nofollow noopener" target="_blank">ArcaneDoor campaign</a>, which exploited two other ASA and FTD zero-days (<a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-websrvs-dos-X8gNucD2" rel="nofollow noopener" target="_blank">CVE-2024-20353</a> and <a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-rce-FLsNXF4h" rel="nofollow noopener" target="_blank">CVE-2024-20359</a>) to breach government networks worldwide since November 2023.</p>
<p>Cisco became aware of the ArcaneDoor attacks in early January 2024 and discovered evidence that the UAT4356 threat group behind the campaign (tracked as STORM-1849 by Microsoft) had tested and developed exploits for the two zero-days since at least July 2023.</p>
<p>In those attacks, the hackers deployed the previously unknown <a href="https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/line/ncsc-tip-line-dancer.pdf" rel="nofollow noopener" target="_blank">Line Dancer</a> in-memory shellcode loader and the <a href="https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/line/ncsc-tip-line-runner.pdf" rel="nofollow noopener" target="_blank">Line Runner</a> backdoor to maintain persistence on compromised Cisco devices.</p>
<p>On Friday, Cisco patched a third critical vulnerability (<a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-code-exec-WmfP3h3O" rel="nofollow noopener" target="_blank">CVE-2025-20363</a>) in its firewall and Cisco IOS software, which can let unauthenticated threat actors execute arbitrary code remotely on unpatched devices.</p>
<p>However, the company did not directly link it to these attacks in today&rsquo;s advisory, saying that its Product Security Incident Response Team &ldquo;is not aware of any public announcements or malicious use of the vulnerability.&rdquo;</p>
</div></div>
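<p>As an added example, not part of the original article and not Cisco's or CISA's own tooling: a small Python triage script for the inventory step the directive requires. It reads an ASA's <code>show version</code> and <code>show running-config</code> text and flags devices matching the profile Cisco described as targeted, a 5500-X Series platform with the webvpn service enabled on an interface. The sample outputs are constructed, and the hostnames, models and software versions in them are assumptions. The script deliberately does not judge patch status, since fixed releases are not listed on this page, and CISA's directive covers every ASA and Firepower device whether or not it matches this profile.</p>

```python
"""Triage ASA devices for the targeting profile described by Cisco:
5500-X hardware with webvpn enabled on at least one interface.

Added example, not Cisco or CISA tooling. Parsing relies on the documented
text layout of 'show version' and 'show running-config'; the sample data
below is constructed and its hostnames, models and versions are assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed 'show version' / running-config samples (assumed values).
SHOW_VERSION_A = """\
Cisco Adaptive Security Appliance Software Version 9.12(4)67
Device Manager Version 7.12(2)

Hardware:   ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores)
"""
RUNNING_CONFIG_A = """\
hostname fw-edge-1
interface GigabitEthernet0/0
 nameif outside
 security-level 0
webvpn
 enable outside
 anyconnect enable
group-policy GP-REMOTE internal
group-policy GP-REMOTE attributes
 webvpn
  anyconnect keep-installer installed
"""
SHOW_VERSION_B = """\
Cisco Adaptive Security Appliance Software Version 9.18(4)22
Hardware:   FPR-2110, 6588 MB RAM, CPU Atom C series 2200 MHz, 1 CPU (8 cores)
"""
RUNNING_CONFIG_B = """\
hostname fw-dc-2
interface Ethernet1/1
 nameif outside
webvpn
 anyconnect image disk0:/anyconnect-linux64-4.10.pkg 1
"""

# 5500-X platforms (5506/5508/5512/5515/5516/5525/5545/5555/5585);
# 'show version' prints the model without the '-X' suffix, e.g. ASA5515.
FIVE_FIVE_HUNDRED_X = re.compile(r"\bASA55(06|08|12|15|16|25|45|55|85)\b")


@dataclass
class AsaTriage:
    hostname: str
    model: str
    version: str
    webvpn_interfaces: list = field(default_factory=list)
    is_5500x: bool = False

    @property
    def matches_targeted_profile(self) -> bool:
        """5500-X hardware AND webvpn enabled on an interface."""
        return self.is_5500x and bool(self.webvpn_interfaces)


def parse_show_version(text: str) -> tuple:
    """Return (model, software version) from 'show version' output."""
    hw = re.search(r"Hardware:\s+(\S+?),", text)
    ver = re.search(r"Adaptive Security Appliance Software Version (\S+)", text)
    return (hw.group(1) if hw else "unknown", ver.group(1) if ver else "unknown")


def parse_webvpn_interfaces(config: str) -> list:
    """Interfaces named by ' enable <nameif>' inside the top-level webvpn block.

    Only the unindented 'webvpn' block counts; the indented 'webvpn' inside
    'group-policy ... attributes' carries client settings, not listeners.
    """
    ifaces, in_webvpn = [], False
    for line in config.splitlines():
        if line.strip() and not line.startswith(" "):
            in_webvpn = line.strip() == "webvpn"   # new top-level section
            continue
        if in_webvpn:
            m = re.match(r"\s+enable\s+(\S+)", line)
            if m:
                ifaces.append(m.group(1))
    return ifaces


def triage(show_version: str, running_config: str) -> AsaTriage:
    """Combine both command outputs into one triage record."""
    model, version = parse_show_version(show_version)
    host = re.search(r"^hostname\s+(\S+)", running_config, re.M)
    return AsaTriage(
        hostname=host.group(1) if host else "unknown",
        model=model,
        version=version,
        webvpn_interfaces=parse_webvpn_interfaces(running_config),
        is_5500x=bool(FIVE_FIVE_HUNDRED_X.search(model)),
    )


if __name__ == "__main__":
    for sv, cfg in ((SHOW_VERSION_A, RUNNING_CONFIG_A), (SHOW_VERSION_B, RUNNING_CONFIG_B)):
        t = triage(sv, cfg)
        flag = "MATCHES targeted profile" if t.matches_targeted_profile else "outside profile"
        print(f"{t.hostname}: {t.model} {t.version} webvpn={t.webvpn_interfaces} -> {flag}")
```

<p>Feed it the saved outputs of <code>show version</code> and <code>show running-config</code> collected during the inventory step; devices that match go to the front of the forensics queue, but every ASA and Firepower device still has to be checked and patched per the directive.</p>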