CISCO Security Advisory
Published Date: Not specified
CVE: CVE-2025-20333
Advisory Summary
April 30, 2026
Persisting Threats Against Cisco Secure Firewall ASA and FTD Devices: New Findings from CISA Update
On April 23, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an important update to its Emergency Directive 25-03 addressing compromises involving Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) products. The advisory reveals that the ArcaneDoor threat actor has engineered a novel persistence mechanism deeply embedded in the Cisco Firepower eXtensible Operating System (FXOS), the base OS for ASA and FTD installations.
What makes this persistence mechanism particularly challenging is that it survives upgrades to the fixed releases Cisco issued back in September 2025. These prior patches addressed remote code execution and unauthorized access vulnerabilities (CVE-2025-20333 and CVE-2025-20362), which the attackers initially exploited to compromise the systems.
- The newly discovered persistence resides beyond the application layer, embedded in FXOS, underscoring the advanced tactics employed.
- Organizations must recognize that simply applying the September 2025 patches may not suffice; enhanced detection and remediation strategies are critical.
- Cisco PSIRT continues to gather intelligence, but the update highlights the evolving sophistication of threat actors targeting firewall infrastructure.
- Review and follow the latest guidance from Cisco and CISA promptly.
- Employ comprehensive incident response measures, including firmware-level inspections.
- Enhance network monitoring to detect any unusual persistence or lateral movement activities.
This update serves as a crucial reminder that infrastructure security is a continuously evolving battle, demanding vigilance even after patch deployment.
For detailed technical information and mitigation strategies, refer to Cisco's official advisory linked below.
Security Impact Rating: Informational
Reference: Vendor Advisory