Active Exploitation of Cisco ASA and IOS Zero‑Days

Security agencies and Cisco warn that multiple actively exploited zero‑day vulnerabilities in Cisco Adaptive Security Appliance (ASA) 5500‑X series — notably CVE‑2025‑20333 (remote code execution) and CVE‑2025‑20362 (unauthenticated access) — are being used in widespread campaigns that install malware, exfiltrate data and persist through reboots; Cisco urges customers to upgrade to fixed software immediately. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an Emergency Directive requiring federal agencies to inventory, forensically assess and mitigate affected devices and has linked the campaign to the ArcaneDoor APT and malware families such as Line Runner and Line Dancer. Cisco has also released patches for other critical flaws (including CVE‑2025‑20363) and separately confirmed exploitation of an IOS/IOS XE SNMP zero‑day (CVE‑2025‑20352) that can enable denial‑of‑service or root‑level code execution; organizations should limit SNMP access where patches cannot yet be applied. Analysts report attackers used advanced evasion techniques (disabling logging, intercepting CLI, crashing devices) and large‑scale reconnaissance, and security bodies are directing organizations to disconnect or replace end‑of‑support appliances and remediate vulnerable devices as a high priority.