UPDATED 16:15 EDT / SEPTEMBER 26 2025

SECURITY

CISA instructs federal agencies to patch new flaws in Cisco firewall devices

The U.S. Cybersecurity and Infrastructure Security Agency has instructed federal agencies to patch two previously unpatched zero-day vulnerabilities that affect certain Cisco Systems Inc. devices.

CISA officials issued the directive on Thursday. The zero-day vulnerabilities in question, CVE-2025-20362 and CVE-2025-20333, affect some systems in Cisco’s ASA 5500-X Series family of firewall appliances. The company provides support and updates for the systems but no longer sells them.

The vulnerabilities affect ASA 5500-X Series devices that were built before Cisco added a pair of security features called Secure Boot and Trust Anchor. According to the company, the flaws can be exploited only if the affected devices’ built-in virtual private networking feature is enabled.

CVE-2025-20362 makes it possible to bypass the VPN’s authentication feature and access network assets that are usually off limits. The other vulnerability, CVE-2025-20333, enables hackers to gain root access. It has a severity rating of 9.9 out of a maximum 10. Hackers are actively exploiting both vulnerabilities to launch cyberattacks. 

In a Thursday blog post, Cisco detailed that the cyberattacks were brought to its attention in May by a group of government agencies. The agencies had determined that the hackers used the ASA vulnerabilities to target federal networks. According to Cisco, the cyberattacks are believed to be part of a state-backed hacking campaign dubbed ArcaneDoor that it first discovered in 2024.

“The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade,” CISA officials detailed in this week’s directive to federal agencies. 

Hackers used the disclosed zero-day flaws to install bootkit malware. When users power on an infected device, the bootkit activates before the operating system launches. That allows the malware to remain on a system even if administrators reboot it or update the onboard firmware, changes that remove many other types of malware.

The cyberattacks compromised ASA firewalls’ ROMMON, a piece of firmware involved in booting the onboard operating system. Administrators also use the firmware for certain maintenance tasks such as recovering passwords. Cisco determined that the hackers used the vulnerabilities to download data, install malware and run terminal commands.

The hackers actively worked to evade detection. They disabled compromised devices’ logging mechanism, which made it more difficult to collect technical data about the breaches. In some cases, the hackers crashed infected systems to prevent diagnosis.

Cisco patched the vulnerabilities on Thursday. It also released a fix for a third vulnerability that affects several of its software products. So far, Cisco has found no indication that the latter flaw is being used in cyberattacks.

CISA has instructed federal agencies to create an inventory of the vulnerable ASA systems in their networks. If a device has been breached or won’t be eligible for software updates after Sept. 30, it must be disconnected. Devices that don’t meet those criteria must be patched by 11:59 p.m. EDT today. 
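As an added example, not from the article, Cisco or CISA, here is a small Python triage helper that applies the directive's decision rules as reported above (disconnect if breached or not eligible for updates after Sept. 30, otherwise patch) to a constructed ASA inventory, and flags which devices meet the article's exposure condition (pre-Secure Boot hardware with the VPN feature enabled). The device records, field names and support dates are assumptions made for illustration.

```python
# Added example: triage an ASA inventory against the directive's rules as reported.
# Not Cisco's or CISA's tooling; hostnames, fields and dates below are constructed.
from dataclasses import dataclass
from datetime import date

SUPPORT_CUTOFF = date(2025, 9, 30)  # "won't be eligible for software updates after Sept. 30"


@dataclass
class AsaDevice:
    hostname: str
    pre_secure_boot: bool   # built before Secure Boot / Trust Anchor were added (assumed field)
    vpn_enabled: bool       # the built-in VPN feature is active (assumed field)
    compromised: bool       # breach confirmed, e.g. by a ROMMON integrity check (assumed field)
    support_ends: date      # last day the device is eligible for software updates (assumed)


def is_exposed(d: AsaDevice) -> bool:
    """The exposure condition stated in the article: vulnerable hardware AND VPN enabled."""
    return d.pre_secure_boot and d.vpn_enabled


def triage(d: AsaDevice) -> str:
    """Return the action the directive requires for one device, as reported."""
    if d.compromised:
        return "disconnect"
    if d.support_ends <= SUPPORT_CUTOFF:
        return "disconnect"
    return "patch"


def plan(devices):
    """List (hostname, action, exposed) rows, disconnects first, exposed devices before others."""
    order = {"disconnect": 0, "patch": 1}
    rows = [(d.hostname, triage(d), is_exposed(d)) for d in devices]
    rows.sort(key=lambda r: (order[r[1]], not r[2], r[0]))
    return rows


# Constructed sample inventory.
SAMPLE_INVENTORY = [
    AsaDevice("asa-branch-01", True, True, False, date(2026, 3, 31)),
    AsaDevice("asa-dc-02", False, True, False, date(2027, 1, 31)),
    AsaDevice("asa-legacy-03", True, True, False, date(2025, 9, 30)),
    AsaDevice("asa-branch-04", True, False, True, date(2026, 6, 30)),
]

if __name__ == "__main__":
    for hostname, action, exposed in plan(SAMPLE_INVENTORY):
        print(f"{hostname:16} {action:10} exposed={exposed}")
```

The `compromised` flag stands in for whatever evidence an investigation produces; the article notes that attackers disabled logging on compromised devices, so an absence of log data should not by itself be read as an absence of compromise.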
