Urgent Alert: Cisco Zero-Days Actively Exploited in the Wild
An urgent confirmed report from Cisco has rocked the cybersecurity landscape: zero-day vulnerabilities in the VPN web services of Cisco ASA and FTD software are being actively exploited globally.
This is not a theoretical threat; it is a live, ongoing campaign. The seriousness of the situation has triggered the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue Emergency Directive ED 25-03, ordering federal agencies to identify affected devices, collect forensic evidence, apply fixed software, and disconnect end-of-support devices. For UK businesses relying on these critical VPN services, this alert demands immediate action.
As a leading UK-based Managed Cyber Security Service Provider, Cyber Root is advising all clients and businesses across our service reach to treat this as an active, high-priority incident.

The Threat Explained: RCE, Persistence, and the ArcaneDoor Actor
The recent Cisco advisories are tied to a coordinated attack campaign. The vulnerabilities involved are:
- CVE-2025-20333 (RCE, CVSS 9.9): Remote Code Execution in the ASA/FTD VPN web server. It requires valid VPN credentials, which is why it is chained with the next flaw.
- CVE-2025-20362 (Unauthorised access, CVSS 6.5): missing authorisation that lets an unauthenticated attacker reach restricted URL endpoints on the VPN web server. Chained with CVE-2025-20333, it gives an unauthenticated attacker code execution on the device.
- CVE-2025-20363 (RCE, CVSS 9.0): a separate Remote Code Execution flaw in the web services of ASA, FTD and certain IOS, IOS XE and IOS XR software, fixed in the same set of advisories; Cisco had not reported it as exploited in this campaign at the time of the advisory.
This is not an attack on a single organisation. ASA and FTD devices sit at the network edge of a huge number of businesses, and it exposes a fundamental truth: a vulnerability in one essential vendor can paralyse an entire ecosystem.
The ArcaneDoor Campaign
Cisco links this activity to the sophisticated threat actor behind the ArcaneDoor campaign, which Cisco Talos first disclosed in 2024 and which has targeted Cisco perimeter devices since then. This campaign is characterised by:
- High-Severity Exploits: Using zero-days to achieve initial compromise.
- Persistence: Firmware-level persistence, specifically modifying the ROMMON bootstrap on legacy ASA 5500-X devices that lack Secure Boot and Trust Anchor, so that the actor's implant survives reboots and software upgrades and can outlast a simple patch.
- Malicious Activity: The actor is confirmed to deploy malware, execute commands, disable or tamper with logging, intercept CLI commands, and even deliberately crash devices to block forensic analysis, indicating a highly covert objective with destructive anti-forensic capability.
If your business utilises Cisco ASA/FTD VPNs, you must assume a potential compromise until verified otherwise.
Protecting Your Business: Cyber Root’s Immediate Action Plan
For UK businesses, the stakes are exceptionally high. A compromise of your VPN infrastructure is a gateway to your entire internal network, risking data theft, operational downtime, and severe regulatory penalties under GDPR.
Cyber Root Managed Cyber Security services are perfectly positioned to help UK businesses respond immediately to this specific threat, offering the targeted services you need most:
1. Proactive Vulnerability Management and Remediation (The Immediate Fix)
Our Vulnerability Management Service is your first line of defence. We can quickly:
- Identify Affected Assets: Swiftly scan your infrastructure to pinpoint all Cisco ASA/FTD devices, record the running software release and hardware model of each, and flag end-of-support 5500-X units that cannot be patched and must be disconnected.
- Preserve Evidence First: Capture forensic evidence (core dumps, configuration, logs) from any device that may have been exposed before it is upgraded or rebooted, because patching can destroy the traces an investigation needs.
- Prioritise Patching: Immediately apply the fixed Cisco software releases and the mitigation steps set out in the advisories, starting with internet-facing devices that have VPN web services enabled.
- System Hardening: Implement configuration changes to reduce the attack surface against similar future exploits, such as restricting which interfaces expose VPN web services.
- Forensic Verification: Review system logs, configurations and boot firmware for indicators of compromise (IoCs) related to the ArcaneDoor activity, ensuring any persistence mechanisms are eradicated rather than merely patched over.
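The inventory step above is the part that is easy to get wrong at scale, so here is an added example of how the triage can be automated. This is not Cisco's or Cyber Root's own tooling: it is a Python helper that takes `show version` text collected from each device, extracts platform, model and running release, compares the release against a fixed-release table, and flags legacy 5500-X hardware. The sample device outputs are constructed, the fixed-release thresholds are placeholders to be replaced from the Cisco advisory, and the list of models treated as lacking Secure Boot is an assumption to be confirmed against Cisco's event-response page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Release strings as they appear in `show version`:
#   ASA: "Cisco Adaptive Security Appliance Software Version 9.16(4)67"
#   FTD: "Model : Cisco Firepower 2130 Threat Defense (77) Version 7.2.5 (Build 208)"
_ASA_RE = re.compile(r"Adaptive Security Appliance Software Version (\S+)")
_FTD_RE = re.compile(r"Firepower.*?Threat Defense.*?Version (\d+(?:\.\d+)+)")
_HW_RE = re.compile(r"^Hardware:\s+([A-Za-z0-9-]+)", re.MULTILINE)

# ASSUMPTION: ASA 5500-X models treated here as lacking Secure Boot / Trust Anchor
# (the hardware class the ROMMON persistence was reported on). Confirm the exact
# list against Cisco's event-response page before acting on it.
LEGACY_NO_SECURE_BOOT = ("ASA5512", "ASA5515", "ASA5525", "ASA5545", "ASA5555", "ASA5585")

Train = Tuple[int, int]


def parse_version(text: str) -> Tuple[int, ...]:
    """'9.16(4)67' -> (9, 16, 4, 67); '7.2.5' -> (7, 2, 5). Integer tuples
    compare in release order, so an interim build sorts above its base release."""
    parts = re.findall(r"\d+", text)
    if len(parts) < 2:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


@dataclass
class Finding:
    hostname: str
    platform: str                  # "ASA" or "FTD"
    model: Optional[str]           # from the Hardware: line when present
    version: str
    needs_upgrade: Optional[bool]  # None: no fixed release known for this train
    legacy_hardware: bool          # model is in LEGACY_NO_SECURE_BOOT


def assess(hostname: str, show_version: str, fixed: Dict[Train, str]) -> Finding:
    """Classify one device. `fixed` maps a release train (major, minor) to the
    first fixed release for that train, copied from the vendor advisory."""
    m = _ASA_RE.search(show_version)
    platform = "ASA"
    if not m:
        m = _FTD_RE.search(show_version)
        if not m:
            raise ValueError(f"{hostname}: not recognisable ASA/FTD output")
        platform = "FTD"
    version = m.group(1)
    running = parse_version(version)
    train = (running[0], running[1])
    needs = running < parse_version(fixed[train]) if train in fixed else None
    hw = _HW_RE.search(show_version)
    model = hw.group(1) if hw else None
    legacy = model is not None and model.startswith(LEGACY_NO_SECURE_BOOT)
    return Finding(hostname, platform, model, version, needs, legacy)


def triage(inventory: Dict[str, str], fixed: Dict[Train, str]) -> List[Finding]:
    """Actionable devices first: vulnerable build or unknown train, then legacy
    hardware that must be checked for ROMMON tampering or disconnected."""
    findings = [assess(h, out, fixed) for h, out in inventory.items()]
    findings.sort(key=lambda f: (f.needs_upgrade is False, not f.legacy_hardware, f.hostname))
    return findings


# Constructed sample output (not captured from real devices).
SAMPLE_INVENTORY = {
    "edge-vpn-01": ("Cisco Adaptive Security Appliance Software Version 9.16(4)67\n"
                    "Device Manager Version 7.16(1)\n"
                    "Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz\n"),
    "edge-vpn-02": ("Cisco Adaptive Security Appliance Software Version 9.20(3)12\n"
                    "Hardware:   FPR-2110, 8192 MB RAM\n"),
    "dc-ftd-01": "Model : Cisco Firepower 2130 Threat Defense (77) Version 7.2.5 (Build 208)\n",
    "lab-asa-01": ("Cisco Adaptive Security Appliance Software Version 9.12(4)50\n"
                   "Hardware:   ASA5515, 8192 MB RAM\n"),
}

# PLACEHOLDER thresholds: replace with the fixed-software table from the Cisco advisory.
PLACEHOLDER_FIXED = {(9, 16): "9.16(4)99", (9, 20): "9.20(3)10", (7, 2): "7.2.9"}


def run_sample() -> List[Finding]:
    return triage(SAMPLE_INVENTORY, PLACEHOLDER_FIXED)


if __name__ == "__main__":
    for f in run_sample():
        status = {True: "UPGRADE", False: "ok", None: "NO-FIXED-RELEASE-KNOWN"}[f.needs_upgrade]
        print(f"{f.hostname:12} {f.platform} {str(f.model or '-'):10} {f.version:12} "
              f"{status:24} legacy_hw={f.legacy_hardware}")
```

A device whose train has no entry in the table is reported as unknown rather than as safe, so that a release you forgot to add cannot silently pass; and a legacy model is flagged independently of its software version, because on that hardware a clean patch does not prove the boot firmware is clean.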
2. Post-Incident & Validation Penetration Testing (The Confidence Check)
Once patching is complete, how do you gain assurance that the threat actor is truly gone and the fixes are effective? Our UK-focused Penetration Testing service provides the essential validation:
- External Network Testing: We test your patched Cisco devices from the outside, confirming that each is running a fixed software release and that the VPN web services no longer behave in the ways the advisories describe, so the vulnerabilities are fully remediated rather than merely reported as patched.
- Persistent Access Check: Testing specifically for backdoors or firmware-level persistence (including ROMMON tampering on legacy hardware) that may have survived the patching process.
- Gap Analysis: Identifying other weak points that sophisticated threat actors like those behind ArcaneDoor could pivot to, ensuring your entire perimeter is secure.
Don’t Wait for CISA’s Directive to Become a UK Incident
The threat posed by actively exploited zero-days on your perimeter is severe for any business. Ignoring a directive-level warning like this is simply not an option in today's regulatory climate.
If your business is within the reach of our expert services and you are using Cisco ASA or FTD devices, you need to act now. Let Cyber Root take the burden of this complex, high-stakes remediation effort.
Protect your critical assets today.
📞 Contact Cyber Root Managed Cyber Security UK for an immediate threat assessment and to discuss our bespoke Vulnerability Management and Penetration Testing solutions.