Weekly Briefing · April 27, 2026 · 9 min read

OTPulse Weekly Briefing - April 27, 2026

Jerrid Brown · OTPulse

ArcaneDoor is back. Cisco and CISA confirmed this week that the Chinese state-sponsored group developed a persistence mechanism that lives in the FXOS layer - below the ASA/FTD software - and survives the September 2025 patches intact. If your device was exposed before you patched, the attacker may still be there.


This week in OT security

The lead story this week is one of the more uncomfortable advisories I've seen in a while. On April 23, Cisco and CISA confirmed that ArcaneDoor - the Chinese state-sponsored threat group that attacked Cisco ASA and FTD devices in 2024-2025 - developed a persistence mechanism that lives below the application layer. It doesn't live in the ASA or FTD software. It lives in FXOS, the underlying operating system that the firewall software runs on top of. The September 2025 ASA/FTD patches that most organizations already applied? They don't touch it. If an attacker had access to your device before you patched the application-layer vulnerabilities, that access may still be there.

CISA issued an update to Emergency Directive 25-03 alongside the Cisco advisory. The remediation isn't just a version check and a patch. It's FXOS-level integrity verification, additional FXOS updates, and for any device that may have been compromised before the September patches, forensic examination before the box can be trusted again.

Beyond ArcaneDoor, this was a busy week for ICS advisories. Phoenix Contact published CVSS 9.8 OpenSSL vulnerabilities across a wide product family covering industrial controllers, MGUARD firewalls, cellular routers, and access points. Milesight dropped ICSA-26-113-03 with unauthenticated RCE across their full camera lineup, and those cameras show up frequently at utility sites doing perimeter monitoring. CERT@VDE published a broken cryptography finding on Helmholz WALL IE switches with a 41.6% EPSS score, the highest exploitation probability in this week's OTPulse feed.

Top 5 advisories to act on

  1. Cisco ASA/FTD - ArcaneDoor FXOS Persistence | Act Now | CISA Emergency Directive update. State-sponsored persistence mechanism that survives September 2025 patches. Requires FXOS integrity verification and FXOS-level updates, not just application patches. If your device was reachable before you patched, treat it as potentially compromised until you complete the forensic steps. Full breakdown below.

  2. Phoenix Contact - OpenSSL Vulnerabilities (VDE-2026-023) | Assess This Week | CVSS 9.8 across a very wide Phoenix Contact product family: CHARX security controllers, AXC F industrial controllers, FL MGUARD firewalls, FL WLAN access points, and TC ROUTER cellular routers. Exploitation requires elevated credentials, but scope is broad. If you run Phoenix Contact in an industrial environment, check the advisory against your product list.

  3. Helmholz WALL IE - Broken Cryptography (VDE-2026-015) | Assess This Week | CVSS 7.5, but this one has a 41.6% EPSS score - the highest exploitation probability in this week's feed. Broken crypto on industrial Ethernet switches allows traffic decryption by an attacker already on the segment. Fix is firmware V1.10.212 or later.

  4. Milesight Cameras - Unauthenticated RCE (ICSA-26-113-03) | Assess This Week | CVSS 9.8, unauthenticated, affects the full Milesight camera family: PE, PC, PA, PD, G1, and network series. Milesight cameras are widely deployed at water and energy facilities for perimeter monitoring, often on management VLANs. No authentication required to reach RCE.

  5. Silex Technology SD-330AC - Unauthenticated RCE (ICSA-26-111-10) | Assess This Week | CVSS 9.8, EPSS 13.9%. Network connectivity appliance used in industrial environments. Unauthenticated RCE from network access. 14% exploitation probability is meaningfully elevated for a device most people haven't thought about in years.

What is FXOS and why does it matter?

Cisco ASA and FTD run on hardware from the Firepower product line. That hardware has its own operating system - the Firepower Extensible Operating System, or FXOS. FXOS is the layer that manages the hardware itself: chassis management, interface configuration, secure boot, and firmware. The ASA or FTD application software runs on top of FXOS, the way Windows or Linux runs on top of a server's firmware.

Most organizations patching Cisco firewalls think about the application layer. They check the ASA software version or the FTD version, apply the recommended patches, and verify the software version changed. That's correct and necessary. But FXOS is a separate software component with its own versioning, its own update process, and - it turns out - its own attack surface.

For most CVEs on ASA and FTD hardware, FXOS is irrelevant - the fix lives entirely in the application layer. This situation is different because ArcaneDoor specifically targeted FXOS to establish persistence that the application-layer patch couldn't remove.

ArcaneDoor: a quick catch-up

ArcaneDoor is publicly attributed to a Chinese state-sponsored threat actor. The campaign came to public attention in 2024 when Cisco and Talos published initial disclosures about targeted intrusions on ASA devices. Over 2024 and into 2025, Cisco published additional CVEs tied to the campaign - CVE-2025-20333 (RCE) and CVE-2025-20362 (unauthorized access) were the entry points. The September 2025 ASA/FTD patches addressed those specific vulnerabilities.

The standard assumption after a patch is: the attack surface that was exploited is now closed. For most vulnerabilities, that holds. ArcaneDoor changed the calculus by pivoting to the FXOS layer. Once an attacker has application-layer access to the device, they can use that access to implant persistence in FXOS. When the application layer is patched and rebooted, the FXOS-level implant can survive.

The April 23 CISA/Cisco advisory is not about a new intrusion. It's about the realization that devices compromised before the September 2025 patches may still be compromised - even if the ASA/FTD software version looks clean.

What the April 23 update actually changes

Before this advisory, the standard remediation posture was: patch to the September 2025 release train, verify the software version, move on. That posture is now insufficient for any device that was potentially exposed before the patch.

The updated guidance adds three things:

First, FXOS integrity verification. Cisco's TAC has published steps for checking the FXOS layer for indicators of compromise. This is not a quick version check - it's a forensic step that involves reviewing FXOS integrity logs and looking for unexpected modifications.

Second, FXOS-level updates in addition to ASA/FTD application updates. The FXOS and ASA/FTD versioning are separate. A device can be running a patched ASA version on an outdated FXOS version. Both need to be current.

Third, for any device that may have been accessible to ArcaneDoor before the September 2025 patches, the device cannot simply be trusted after patching. Forensic examination is required before it's treated as clean. The specific steps are in the Cisco advisory and the CISA ED 25-03 update.

CISA ED 25-03 is a federal directive, which means federal civilian agencies are under a formal deadline to complete these steps. For everyone else, the advisory is the authoritative remediation reference even without a compliance obligation behind it.

What to do if you have ASA or FTD hardware

  1. Confirm whether your ASA or FTD devices were running vulnerable software versions before the September 2025 patches (pre-patch ASA 9.x and FTD 7.x release trains - see the Cisco advisory for exact version ranges).

  2. If yes, assume potential compromise and run the FXOS integrity verification steps. Do not skip this and assume the application-layer patch was sufficient.

  3. Apply FXOS-level updates in addition to verifying the ASA/FTD application version. Check that both components are at the recommended version.

  4. For any device you cannot confidently verify as clean through the integrity steps, treat it as compromised and escalate to Cisco TAC. Cisco's advisory explicitly addresses this path.

  5. If your devices were updated to the September 2025 releases before ArcaneDoor had a window - meaning you patched very quickly after the original CVEs and the device was never reachable while vulnerable - then the FXOS persistence mechanism had no opportunity to be installed, and the forensic steps are not required.
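The five steps above reduce to a per-device triage: is the FXOS layer current as well as the ASA/FTD layer, and was the box reachable while it was still vulnerable? The following is an added example, not code from Cisco, CISA or OTPulse, that runs that triage over a constructed inventory. The minimum versions in it are placeholders, not the values from the Cisco advisory; substitute the version ranges the advisory gives.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# PLACEHOLDER minimum versions - substitute the fixed versions listed in the
# Cisco advisory (cisco-sa-asaftd-persist-CISAED25-03). These are assumptions.
MIN_ASA_VERSION = "9.20.4"
MIN_FXOS_VERSION = "2.16.1"


def parse_version(text: str) -> Tuple[int, ...]:
    """Normalise '9.20.4', '9.20(4)' or '2.16(1.100)' into a comparable int tuple."""
    parts = text.replace("(", ".").replace(")", "").split(".")
    return tuple(int(p) for p in parts if p)


@dataclass
class Device:
    name: str
    asa_version: str                # ASA/FTD application-layer version
    fxos_version: str               # FXOS platform version, tracked separately
    exposed_while_vulnerable: bool  # step 1: reachable on a vulnerable train before patching


def triage(dev: Device) -> Tuple[str, List[str]]:
    """Return (verdict, reasons). Verdicts, in priority order: FORENSIC, UPDATE, OK."""
    reasons = []
    if parse_version(dev.asa_version) < parse_version(MIN_ASA_VERSION):
        reasons.append(f"ASA/FTD {dev.asa_version} below {MIN_ASA_VERSION}")
    if parse_version(dev.fxos_version) < parse_version(MIN_FXOS_VERSION):
        reasons.append(f"FXOS {dev.fxos_version} below {MIN_FXOS_VERSION}")
    # A current version on both layers does not clear a device that was exposed:
    # the persistence mechanism survives the application-layer patch.
    if dev.exposed_while_vulnerable:
        reasons.append("exposed before patching: run FXOS integrity verification "
                       "and treat as compromised until it passes")
        return "FORENSIC", reasons
    if reasons:
        return "UPDATE", reasons
    return "OK", reasons


def triage_fleet(devices: List[Device]) -> Dict[str, str]:
    """Map each device name to its verdict so the FORENSIC set can be worked first."""
    return {d.name: triage(d)[0] for d in devices}


# Constructed sample inventory (not real devices).
SAMPLE_FLEET = [
    Device("fw-edge-01", "9.20.4", "2.16.1", exposed_while_vulnerable=True),
    Device("fw-dmz-02", "9.20.4", "2.14.1", exposed_while_vulnerable=False),
    Device("fw-lab-03", "9.20.4", "2.16.1", exposed_while_vulnerable=False),
]

if __name__ == "__main__":
    for d in SAMPLE_FLEET:
        verdict, why = triage(d)
        print(f"{d.name}: {verdict} - " + ("; ".join(why) if why else "both layers current"))
```

Note that fw-edge-01 comes back FORENSIC even though both version strings look clean; that is the whole point of the April 23 update, and any tooling that only compares version numbers will miss it.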

The Cisco advisory at cisco-sa-asaftd-persist-CISAED25-03 and the CISA ED 25-03 update are the canonical references. The Cisco advisory includes specific FXOS version guidance and TAC escalation paths.

Industry Intel

Reports & Research

CISA and NCSC: Firestarter malware enabling persistent backdoor access on Cisco firewall infrastructure

Directly connected to this week's lead story. CISA and NCSC published joint guidance on Firestarter, a malware family designed for persistent access to Cisco firewall infrastructure. The advisory focuses on detection, forensic indicators, and remediation steps for organizations that may have been targeted. Read alongside the Cisco ASA/FTD advisory.

China-linked actors are building covert networks of compromised devices for espionage

A multi-agency advisory from CISA, NCSC-UK, and partners covers Chinese state-sponsored actors maintaining hidden networks of hijacked SOHO routers and IoT devices to conduct covert operations. The advisory notes that several of these networks are running in parallel, continuously evolving, and may be shared across multiple threat actor groups simultaneously.

Cato traces large-scale Modbus/TCP activity targeting PLCs

Cato Networks published research on large-scale reconnaissance and interaction activity targeting PLCs over Modbus/TCP. The research documents activity patterns that suggest systematic probing rather than opportunistic scanning. For anyone who still has Modbus-accessible PLCs reachable from IT networks or the internet, this is the weekly reminder to check your segmentation.
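The segmentation check that paragraph asks for can be run against firewall flow logs: any Modbus/TCP (port 502) connection reaching a PLC subnet from somewhere other than the HMI or engineering VLAN is a finding, and one from a non-RFC1918 source means the PLC is reachable from the internet. The following is an added example, not from Cato's research or from OTPulse; the subnets and flow-log lines are constructed placeholders and the log format is assumed.

```python
import ipaddress
from typing import Dict, List

# Assumed zone layout (placeholders - substitute your own address plan).
PLC_SUBNETS = [ipaddress.ip_network("10.50.0.0/24")]
ALLOWED_MODBUS_CLIENTS = [ipaddress.ip_network("10.50.1.0/24")]  # HMI / engineering VLAN
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # RFC 1918
MODBUS_PORT = 502

# Constructed flow records in an assumed format:
# "<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_FLOWS = """
2026-04-24T08:01:12Z 10.50.1.20:51233 -> 10.50.0.10:502 tcp
2026-04-24T08:01:15Z 10.20.3.44:49210 -> 10.50.0.10:502 tcp
2026-04-24T08:02:01Z 198.51.100.7:41000 -> 10.50.0.11:502 tcp
2026-04-24T08:02:30Z 10.50.1.21:51240 -> 10.50.0.12:443 tcp
""".strip().splitlines()


def parse_flow(line: str) -> dict:
    """Split one flow record into typed fields."""
    ts, src, _arrow, dst, proto = line.split()
    src_ip, _src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "src": ipaddress.ip_address(src_ip),
            "dst": ipaddress.ip_address(dst_ip), "dport": int(dst_port), "proto": proto}


def in_any(ip, nets) -> bool:
    return any(ip in n for n in nets)


def classify(flow: dict) -> str:
    """Verdicts: ignore (not Modbus to a PLC), allowed, cross-zone, internet-exposed."""
    if flow["proto"] != "tcp" or flow["dport"] != MODBUS_PORT or not in_any(flow["dst"], PLC_SUBNETS):
        return "ignore"
    if not in_any(flow["src"], INTERNAL_RANGES):
        return "internet-exposed"      # a PLC answering Modbus to a public source
    if in_any(flow["src"], ALLOWED_MODBUS_CLIENTS):
        return "allowed"
    return "cross-zone"                # IT or another internal segment talking Modbus to a PLC


def segmentation_report(lines: List[str]) -> Dict[str, List[str]]:
    """Group Modbus-to-PLC flows by verdict; 'internet-exposed' and 'cross-zone' are the findings."""
    report: Dict[str, List[str]] = {"internet-exposed": [], "cross-zone": [], "allowed": []}
    for line in lines:
        f = parse_flow(line)
        verdict = classify(f)
        if verdict != "ignore":
            report[verdict].append(f"{f['src']} -> {f['dst']}")
    return report


if __name__ == "__main__":
    for verdict, flows in segmentation_report(SAMPLE_FLOWS).items():
        print(f"{verdict}: {flows}")
```

The allowlist is deliberately a client subnet rather than "anything internal": the cross-zone bucket is where an IT-side host probing PLCs shows up, and that is exactly the traffic pattern the research describes.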

Dragos: ZionSiphon is overhyped, operationally ineffective ICS malware

Dragos and Nozomi both published analysis calling ZionSiphon - a claimed ICS malware that got significant coverage earlier this month - likely AI-generated, technically flawed, and not operationally viable against real OT systems. Worth reading if you saw the original ZionSiphon coverage and built a threat model around it. ICS malware claims regularly outpace actual capability.
