- CISA warns about the active exploitation of two critical Cisco vulnerabilities
- The attackers modify ROM to persist across reboots; linked to the state-sponsored group ArcaneDoor
- Agencies must patch, analyze and report the status of their Cisco devices before October 2, 2025
The United States Cybersecurity and Infrastructure Security Agency (CISA) is urging government agencies to address two worrying Cisco security vulnerabilities, warning that threat actors are actively exploiting the flaws.
According to Emergency Directive 25-03, published on September 25, 2025, CISA said there is a "widespread" attack campaign aimed at Cisco Adaptive Security Appliance (ASA) and Firepower firewall devices.
In the campaign, the attackers are modifying read-only memory (ROM) to persist across reboots and updates. To achieve this persistence, threat actors are taking advantage of two flaws: CVE-2025-2033 (remote code execution) and CVE-2025-20362 (privilege escalation). While the latter has a medium rating (6.3/10), the former is considered critical, with a score of 9.9/10.
State activity
To make matters worse, Cisco believes that the two issues are being exploited by a group tracked as ArcaneDoor (or Storm-1849 by Microsoft).
The cybersecurity community believes that ArcaneDoor is a state-sponsored threat actor, but it is still unknown which state it belongs to.
"Cisco assesses that this campaign is connected to ArcaneDoor activity identified in early 2024 and that this threat actor has demonstrated a capability to successfully modify ASA ROM at least as early as 2024," CISA said in the report.
Now, federal agencies must act quickly and defend their infrastructure, or risk being attacked.
That includes taking an inventory of all Cisco ASA and Firepower devices, performing forensic analysis using the core dump and hunt instructions from CISA, disconnecting compromised or end-of-life devices, and applying updates. After that, agencies are ordered to report their findings and inventory to CISA before October 2, 2025.
Meanwhile, both vulnerabilities were added to CISA's Known Exploited Vulnerabilities (KEV) catalog, which gives federal agencies three weeks (until October 16) to patch or stop using the vulnerable products entirely.
CISA did not say whom ArcaneDoor is targeting, but in general terms, in addition to government and public sector organizations, Cisco ASA and Firepower devices are widely used by companies and corporations, managed security service providers, and education and research firms.