Continued Evolution of Persistence Mechanism Against Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense

Risk: Low | Advisory ID: cisco-sa-asaftd-persist | Related directive: CISA ED 25-03 | Published: Apr 23, 2026
Vendor: Cisco | Sector: Energy
IT in OT - Cisco networking products are commonly deployed in OT environments
Summary

The ArcaneDoor threat actor has developed a persistence mechanism that resides in the FXOS firmware layer beneath Cisco Secure Firewall ASA and FTD installations. The backdoor survives upgrades of the ASA/FTD software to the versions fixed in September 2025, so a device that was compromised before that date remains under attacker control even after the security patches are applied. The initial compromise vector was CVE-2025-20333 (VPN web server RCE) or CVE-2025-20362 (VPN unauthorized access); once the persistence mechanism is in place, the attacker retains access through the firmware layer without needing those vulnerabilities again.

What this means
What could happen
An attacker who previously compromised your Cisco firewall through the VPN vulnerabilities may have planted a persistence mechanism in the underlying FXOS operating system. Because it survives ASA/FTD software updates, the attacker can regain access and keep control of your network perimeter after you apply the security patches.
Who's at risk
Energy sector organizations and any operator running Cisco Secure Firewall ASA or Cisco Secure Firewall Threat Defense on affected hardware platforms. Any site that manages critical network access through these firewalls is at risk if previously compromised.
How it could be exploited
An attacker first exploits CVE-2025-20333 or CVE-2025-20362 to gain remote code execution on the firewall, then plants a persistence backdoor in the FXOS firmware layer. When you update the ASA or FTD software to the September 2025 fixes, the backdoor remains active in FXOS, allowing the attacker to regain control without re-exploiting the original vulnerabilities.
Prerequisites
  • Initial compromise via CVE-2025-20333 (VPN RCE) or CVE-2025-20362 (VPN unauthorized access)
  • Network access to the firewall's VPN web server interface
  • Firewall must be running vulnerable ASA/FTD software versions prior to September 2025 patches
Tags: remotely exploitable, affects network perimeter security, persistence survives patches, no authentication required for initial exploitation, supply chain concern, previously exploited in the wild
Remediation & Mitigation
Do now
HOTFIX: Verify that your Cisco ASA or FTD is running the fixed ASA/FTD software versions released in September 2025 or later
HOTFIX: Perform a full FXOS firmware update following the Cisco advisory guidance (not just the ASA/FTD software update) to replace the compromised base operating system
HARDENING: Review firewall access logs and VPN authentication records from before September 2025 for signs of unauthorized access via CVE-2025-20333 or CVE-2025-20362
WORKAROUND: Restrict network access to the firewall's VPN web server to known trusted networks only, blocking untrusted external traffic
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

WORKAROUND: Disable VPN web server if not actively used in your network operations
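One way to carry out the log review step above in a repeatable way, as an added example that is not part of the advisory and not Cisco's own tooling. It assumes ASA syslog exported with timestamps, keys on the %ASA-6-716001 "WebVPN session started" message, and treats the trusted source networks, the date the September 2025 fixes were applied, and the sample log lines as constructed assumptions that a site would replace with its own. Sessions from outside the trusted networks are flagged and labelled as before or after the patch date, since a post-patch login from an untrusted source is also relevant when the persistence mechanism survives the update.

```python
"""Triage Cisco ASA WebVPN session logs for logins from untrusted sources.

Added example, not from the advisory or from Cisco. Trusted networks, patch
date and the sample log lines below are constructed for illustration.
"""
import ipaddress
import re
from datetime import datetime

# Assumed site-specific values: where VPN logins are expected from, and when
# the September 2025 fixes were applied (the review window is before this).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),  # assumed corporate egress range
    ipaddress.ip_network("10.0.0.0/8"),      # assumed internal range
]
PATCH_DATE = datetime(2025, 9, 25)  # assumed patch application date

# Constructed sample lines in "Mon DD YYYY HH:MM:SS host %ASA-sev-id: text" form.
SAMPLE_LOGS = """\
Sep 12 2025 03:14:07 fw-edge-01 %ASA-6-716001: Group <RA-Users> User <jsmith> IP <203.0.113.17> WebVPN session started.
Sep 12 2025 03:15:22 fw-edge-01 %ASA-6-716002: Group <RA-Users> User <jsmith> IP <203.0.113.17> WebVPN session terminated: User Requested.
Sep 13 2025 23:41:55 fw-edge-01 %ASA-6-716001: Group <RA-Users> User <svc_backup> IP <198.51.100.77> WebVPN session started.
Sep 14 2025 02:05:10 fw-edge-01 %ASA-6-113012: AAA user authentication Successful : local database : user = svc_backup
Sep 30 2025 08:00:01 fw-edge-01 %ASA-6-716001: Group <RA-Users> User <jsmith> IP <198.51.100.9> WebVPN session started.
"""

# Matches only the "WebVPN session started" message; other IDs are ignored.
WEBVPN_START = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%ASA-6-716001: Group <(?P<group>[^>]*)> User <(?P<user>[^>]*)> "
    r"IP <(?P<ip>[^>]*)> WebVPN session started\.$"
)


def parse_webvpn_starts(log_text):
    """Return one record per %ASA-6-716001 line found in the log text."""
    records = []
    for line in log_text.splitlines():
        m = WEBVPN_START.match(line.strip())
        if not m:
            continue
        records.append({
            "time": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
            "host": m.group("host"),
            "group": m.group("group"),
            "user": m.group("user"),
            "ip": ipaddress.ip_address(m.group("ip")),
        })
    return records


def is_trusted(ip, networks=TRUSTED_NETWORKS):
    """True if the source address falls inside any trusted network."""
    return any(ip in net for net in networks)


def flag_untrusted_sessions(records, cutoff=PATCH_DATE, networks=TRUSTED_NETWORKS):
    """Keep sessions from outside the trusted networks, in log order.

    before_patch=True marks candidates for the initial CVE-2025-20333 /
    CVE-2025-20362 compromise; later ones still matter because the FXOS
    persistence described in the advisory survives the software update.
    """
    flagged = []
    for r in records:
        if is_trusted(r["ip"], networks):
            continue
        flagged.append({**r, "before_patch": r["time"] < cutoff})
    return flagged


def triage(log_text):
    """Parse and flag in one step; returns the list of flagged session records."""
    return flag_untrusted_sessions(parse_webvpn_starts(log_text))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        window = "PRE-PATCH" if f["before_patch"] else "post-patch"
        print(f"{window:9} {f['time']:%Y-%m-%d %H:%M} user={f['user']} "
              f"src={f['ip']} group={f['group']} host={f['host']}")
```

Run it against a syslog export and review every PRE-PATCH hit against the account owner's expected locations; a match does not prove compromise, but any unexplained session in that window is a reason to treat the device as compromised and perform the full FXOS reimage rather than only the ASA/FTD upgrade.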