Sophisticated Hackers Exploit Cisco Firewalls

**To every CTO, CISO, and Security Leader:** The **Cisco Secure Firewalls** your organization relies on for defense are actively under attack. A highly sophisticated threat actor systematically exploits these devices, not just to steal data, but to crash your network and completely erase your primary defense systems. You must take immediate action.

Right now, a new variant of an ongoing attack is forcing tens of thousands of unpatched, internet-facing devices, specifically **Cisco ASA and FTD devices**, to reload unexpectedly, causing a widespread **Denial-of-Service (DoS)** condition. This evolution of the 2024 **ArcaneDoor campaign** shows a terrifying escalation: when the perimeter bleeds, the rest of your security strategy becomes irrelevant. Every unpatched firewall is effectively a severe liability, a ready-made trigger for a network-wide DoS attack.

Threat Actors Chain Zero-Days for Complete Control

This isn’t a simple attack; it is a highly orchestrated campaign that leverages a terrifying chain of vulnerabilities.

The problem rests on two specific, highly critical flaws that attackers have been exploiting as **"zero-days"** since May 2025:

– **CVE-2025-20333:** A critical **Remote Code Execution (RCE)** flaw.

– **CVE-2025-20362:** An **Authentication Bypass** vulnerability.

When linked, these two flaws give an attacker complete and unauthorized access. An **unauthenticated user can run their own code** on your network’s primary defense system. If your firewall can be taken over by anyone on the internet, you have a five-alarm emergency.

The hackers behind this campaign are the same sophisticated threat actor assessed with high confidence to be responsible for the devastating **ArcaneDoor campaign** from 2024. They are actively evolving their methods for maximum destruction.

New Variant Focuses on Immediate Destruction (DoS)

On November 5, 2025, Cisco issued a grave warning about a new attack variant. Attackers exploit the same underlying flaws but with a more immediately destructive goal, detailed in new references like **CVE-2025-20354** and **CVE-2025-20358**.

This new method forces unpatched devices to spontaneously reload, successfully causing a widespread **Denial-of-Service condition**. They are also using advanced anti-forensics techniques:

– **Disabling logging** to prevent security tools from tracking their movements.

– **Intentionally crashing devices** to evade security tools and cover their tracks.

– **Intercepting system commands** to maintain stealth.

They execute the digital equivalent of a smoke bomb while they pick the lock; they destroy your logs and your system’s integrity to cover their tracks.
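The three anti-forensics behaviours listed above (logging switched off, a device crashed or reloaded, and the resulting silence) all leave a trace on the syslog collector, even when they leave none on the box. The script below is an added example and not code from the original post or from Cisco: it scans ASA-style syslog text for those three signals and ties a reload back to a preceding logging-off command on the same device. The log lines are constructed for this example, and the message IDs and wording it keys on (111008/111010 for "User ... executed ..." messages, 199002 for "Startup completed") are my assumption based on the usual `%ASA-<severity>-<id>` format, so confirm them against your own collector before relying on the rules.

```python
"""Added example: offline triage of ASA-style syslog for anti-forensics signals.

Rules implemented:
  1. logging_disabled - an executed command beginning with 'no logging'
  2. log_gap          - a silence longer than max_gap_minutes from one device
  3. reload           - a 'Startup completed' message, linked to any earlier
                       logging-off command seen on the same device
Message IDs and wording are assumptions modelled on the %ASA-<sev>-<id> format.
"""
import re
from datetime import datetime, timedelta

# Constructed sample stream: two firewalls plus one unrelated switch line.
SAMPLE_LOGS = """\
2025-11-06T02:10:01Z fw-edge-1 %ASA-6-605005: Login permitted from 198.51.100.7/51234 to outside:203.0.113.10/https for user "admin"
2025-11-06T02:10:05Z fw-edge-2 %ASA-5-111008: User 'netops' executed the 'logging buffered informational' command.
2025-11-06T02:10:09Z fw-edge-1 %ASA-5-111008: User 'admin' executed the 'no logging enable' command.
2025-11-06T02:11:00Z core-sw-1 %LINK-3-UPDOWN: Interface Gi1/0/1, changed state to down
2025-11-06T02:12:30Z fw-edge-2 %ASA-6-302013: Built inbound TCP connection 123 for outside:198.51.100.9/44321 to inside:10.0.0.5/443
2025-11-06T02:20:00Z fw-edge-2 %ASA-6-302014: Teardown TCP connection 123 for outside:198.51.100.9/44321 to inside:10.0.0.5/443
2025-11-06T02:30:00Z fw-edge-2 %ASA-6-302013: Built inbound TCP connection 124 for outside:198.51.100.11/40001 to inside:10.0.0.5/443
2025-11-06T02:40:00Z fw-edge-2 %ASA-6-302014: Teardown TCP connection 124 for outside:198.51.100.11/40001 to inside:10.0.0.5/443
2025-11-06T02:41:55Z fw-edge-1 %ASA-6-199002: Startup completed. Beginning operation.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s+(?P<text>.*)$"
)
CMD_EXEC_IDS = {"111008", "111010"}   # "User ... executed ..." messages (assumed IDs)
STARTUP_IDS = {"199002"}              # "Startup completed" after a reload (assumed ID)
LOGGING_OFF_RE = re.compile(r"'no logging\b")   # matches 'no logging enable' etc.


def parse_line(line):
    """Parse one ASA-style syslog line into a dict; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def triage(log_text, max_gap_minutes=15):
    """Scan a syslog blob and return findings as dicts (host, ts, rule, detail).

    max_gap_minutes is the longest silence a busy edge firewall is expected to
    show between two consecutive messages; anything longer is reported.
    """
    max_gap = timedelta(minutes=max_gap_minutes)
    by_host = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            by_host.setdefault(rec["host"], []).append(rec)

    findings = []

    def report(rec, rule, detail):
        findings.append({"host": rec["host"], "ts": rec["ts"].isoformat(),
                         "rule": rule, "detail": detail})

    for events in by_host.values():
        events.sort(key=lambda r: r["ts"])
        logging_off_at = None
        prev = None
        for rec in events:
            # Rule 1: an executed command that turns logging off.
            if rec["msgid"] in CMD_EXEC_IDS and LOGGING_OFF_RE.search(rec["text"]):
                logging_off_at = rec["ts"]
                report(rec, "logging_disabled", rec["text"])
            # Rule 2: a silence longer than max_gap between consecutive messages.
            if prev is not None and rec["ts"] - prev["ts"] > max_gap:
                report(rec, "log_gap", f"no messages for {rec['ts'] - prev['ts']}")
            # Rule 3: the device came back up; link it to any earlier logging-off.
            if rec["msgid"] in STARTUP_IDS:
                detail = "device reloaded"
                if logging_off_at is not None:
                    detail += f" {rec['ts'] - logging_off_at} after logging was disabled"
                report(rec, "reload", detail)
            prev = rec
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"{f['ts']} {f['host']:<10} {f['rule']:<16} {f['detail']}")
```

On the sample stream the script reports nothing for `fw-edge-2` (its `logging buffered` change is not a logging-off command and its messages arrive at least every ten minutes) and three findings for `fw-edge-1`: the `no logging enable` command, a 31-minute silence, and a reload that it ties back to the logging-off event. The gap rule is deliberately simple; tune `max_gap_minutes` per device class, because a quiet branch firewall will otherwise page you every night.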

RayInitiator: Persistent Malware Survives Reboots

The most frightening part is the attackers’ persistence. They are deploying customized, persistent malware variants like **RayInitiator** and **LINE VIPER**.

In some reported cases, they modify the **ROM Monitor (ROMMON)**. This is a critical step because **modifying ROMMON allows their malicious code to survive across system reboots and even firmware upgrades!** A simple reboot won’t save you; the malware is basically tattooed onto the device’s soul.

Cisco, the U.S. CISA, and the UK NCSC are all sending out the same, crystal-clear message: **You must upgrade to the fixed software releases immediately.**

Tens of thousands of devices are still exposed online. As a Fractional CTO who has guided countless teams, I must be clear: **There are no workarounds for the primary Remote Code Execution flaw (CVE-2025-20333).** This is a direct **patch-or-fail** situation. Your company’s resilience depends on you taking this action right now.

_Is your team having trouble prioritizing and deploying this critical patch, or do you need a threat-hunting assessment to confirm your firewalls’ integrity?_
