Cisco Firewall Zero-Days Exploited in China-Linked ArcaneDoor Attacks
securityweek
Cisco on Thursday released emergency patches for two firewall vulnerabilities exploited as zero-days in attacks linked to the ArcaneDoor espionage campaign.
Tracked as CVE-2025-20333 (CVSS score of 9.9) and CVE-2025-20362 (CVSS score of 6.5), the bugs impact the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) software.
The issues, Cisco explains, exist because user-supplied input in HTTP(S) requests is not properly validated, allowing a remote attacker to send crafted requests and execute arbitrary code with root privileges or access a restricted URL without authentication.
The attacker needs valid VPN user credentials to exploit the critical-severity defect, but can exploit the medium-severity one without authentication.
Both vulnerabilities, Cisco notes in a fresh alert, were discovered after it was called in May 2025 to assist with investigating attacks targeting government organizations, in which ASA 5500-X series devices with VPN web ...
Copyright of this story solely belongs to securityweek.