Cisco firewalls are facing another huge surge of attacks, and businesses worldwide are now scrambling for answers. Threat actors are exploiting new zero-day vulnerabilities affecting Cisco ASA 5500-X and Secure Firewall devices, allowing remote access, malware deployment, and even forced reboots. These updated attack techniques—linked to the ArcaneDoor campaign—are becoming harder to detect as attackers refine their stealth methods. Here’s what’s happening and how to stay protected.
Why Cisco Firewalls Are Facing Another Huge Surge of Attacks
Cisco confirmed that attackers are abusing two critical zero-day flaws, CVE-2025-20333 and CVE-2025-20362. These allow hackers to execute malicious code, disable logs, tamper with firmware, and maintain persistent access. Because the new attack variant updates old methods instead of introducing new malware, many organizations may not even notice ongoing breaches.
How Are Attackers Targeting Cisco Firewalls?
The campaign relies on stealth. Hackers disable logging systems, mask intrusion activity, and alter devices to survive reboots. Cisco reports that the attacks began in May 2025, mainly affecting unpatched ASA and Secure Firewall hardware. These tactics make detection difficult and increase the risk of long-term access.
Should You Be Worried About This Surge of Attacks?
Businesses relying on affected Cisco firewalls should act quickly. Because attackers can hide their presence and survive resets, compromised networks may face severe risks, including data theft and prolonged downtime. Upgrading hardware, monitoring traffic, and applying Cisco’s newest guidance are essential steps.