On April 23, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an update to V1: Emergency Directive (ED) 25-03: Identify and Mitigate Potential Compromise of Cisco Devices related to Cisco Secure Firewall Adaptive Security Appliance (ASA) and Cisco Secure Firewall Threat Defense (FTD) products.
According to the update, the ArcaneDoor threat actor has developed a previously unknown persistence mechanism that is preserved across upgrading to the fixed releases that were published in September 2025. This persistence mechanism resides in the Cisco Firepower eXtensible Operating System (FXOS) Software base operating system for Cisco Secure Firewall ASA Software and Cisco Secure FTD Software installations on the affected hardware platforms.
Note: According to the intelligence Cisco PSIRT has received to date, the initial compromise, begins with the attacker exploiting the following vulnerabilities before customers upgraded to the fixed releases that were made available in September 2025:
* CVE-2025-20333: Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Remote Code Execution Vulnerability
* CVE-2025-20362: Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Unauthorized Access Vulnerability
For more information about the fixed releases that were made available in September 2025, see September 2025 Cisco Event Response: Continued Attacks Against Cisco Firewalls.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-CISAED25-03
Security Impact Rating: Informational
http://news.poseidon-us.com/TSBPzN
