Cisco Security Advisory
Published Date: May 19, 2026
CVE: CVE-2025-20333
Advisory Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) updated its Emergency Directive (ED) 25-03 on April 23, 2026, concerning a sophisticated persistence mechanism in Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) devices. This mechanism, engineered by the threat actor known as ArcaneDoor, survives even after applying the remediation updates released in September 2025.
This persistence exists within the Cisco Firepower eXtensible Operating System (FXOS), embedded in the foundational software of affected hardware platforms, posing a significant challenge for complete remediation.
Initial exploitation involved two critical vulnerabilities:
- CVE-2025-20333: Remote Code Execution in VPN Web Server.
- CVE-2025-20362: Unauthorized Access vulnerability in VPN Web Server.
Organizations using Cisco ASA and FTD products must verify that they have applied all necessary security patches and conduct thorough forensic checks for residual compromise. Continuous monitoring and enhanced detection capabilities are recommended due to the stealthy nature of this persistent threat.
For comprehensive mitigation details and response strategies, refer to Cisco’s advisory and event response documentation. Recommended actions:
- Confirm deployment of the September 2025 fixed releases.
- Perform deep system audits focusing on FXOS-level persistence.
- Implement enhanced network monitoring for indicators related to ArcaneDoor activities.
- Stay updated with Cisco and CISA threat intelligence bulletins.
Reference: Vendor Advisory