Urgent Cisco ASA Zero-Day and Duo Security Vulnerabilities Exposed

Cisco has warned customers to patch two critical zero-day vulnerabilities in the VPN web server of its Secure Firewall ASA and FTD software that are being actively exploited. Cisco has not said who the attackers are or how widespread the activity is, but the two flaws are being chained: one is used to bypass authentication on the VPN web server, and the other to execute code on the device.
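The vulnerable component is the VPN web server, so the first question for anyone running ASA or FTD is whether that service is exposed and whether the running build predates the fix. The following is an added triage example, not Cisco or CISA code. It parses a constructed `show version` output and running-config, reports the interfaces on which `webvpn` is enabled, and compares the running version against a list of fixed versions that you supply from Cisco's advisory for your release train (the fixed version used in the usage line, 9.16(4)99, is a placeholder assumption, not a real fixed build).

```python
"""Triage helpers for the Cisco ASA/FTD VPN web server zero-days.

Added example, not Cisco or CISA tooling. No fixed-version numbers are embedded;
pass the ones from Cisco's advisory for your release train into is_below_fixed().
"""
import re
from typing import Iterable, List, Optional, Tuple

# ASA prints versions as "9.16(4)67"; other tools flatten this to "9.16.4.67".
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)[.(](\d+)\)?(?:\.?(\d+))?\s*$")
_SHOW_VERSION_RE = re.compile(r"Software Version\s+(\S+)")


def parse_asa_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '9.16(4)67' or '9.16.4.67' into a comparable tuple (9, 16, 4, 67)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())  # type: ignore[return-value]


def version_from_show_version(output: str) -> str:
    """Extract the software version string from 'show version' output."""
    m = _SHOW_VERSION_RE.search(output)
    if not m:
        raise ValueError("no 'Software Version' line found")
    return m.group(1)


def is_below_fixed(running: str, fixed_versions: Iterable[str]) -> Optional[bool]:
    """True if the running build is older than the fixed build of the same
    major.minor train, False if at or above it, None if no fixed build is
    listed for that train (treat None as 'consult the advisory: the train may
    be unfixed or end-of-life')."""
    run = parse_asa_version(running)
    for fv in fixed_versions:
        fixed = parse_asa_version(fv)
        if fixed[:2] == run[:2]:
            return run < fixed
    return None


def webvpn_enabled_interfaces(running_config: str) -> List[str]:
    """Return the interfaces on which the VPN web server is enabled.

    In ASA config, top-level commands start in column 0 and sub-commands are
    indented; 'enable <nameif>' inside the top-level 'webvpn' block is what
    turns the web server on for that interface. The indented 'webvpn' under a
    group-policy is a different block and is deliberately ignored.
    """
    ifaces: List[str] = []
    in_webvpn = False
    for line in running_config.splitlines():
        if not line.startswith(" ") and line.strip():
            in_webvpn = line.strip() == "webvpn"
            continue
        if in_webvpn:
            m = re.match(r"\s+enable\s+(\S+)", line)
            if m:
                ifaces.append(m.group(1))
    return ifaces


def triage(show_version: str, running_config: str, fixed_versions: Iterable[str]) -> dict:
    """Combine version check and exposure check into one result."""
    version = version_from_show_version(show_version)
    ifaces = webvpn_enabled_interfaces(running_config)
    return {
        "version": version,
        "below_fixed": is_below_fixed(version, fixed_versions),
        "webvpn_interfaces": ifaces,
        "vpn_web_server_exposed": bool(ifaces),
    }


# Constructed sample data for an offline run (not from a real device).
SAMPLE_SHOW_VERSION = (
    "Cisco Adaptive Security Appliance Software Version 9.16(4)67\n"
    "Device Manager Version 7.18(1)\n"
)
SAMPLE_CONFIG = """hostname edge-fw
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
http server enable
http 10.0.0.0 255.255.255.0 inside
!
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-linux64-4.10.pkg 1
 anyconnect enable
!
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
 webvpn
  anyconnect ssl dtls enable
"""

if __name__ == "__main__":
    # "9.16(4)99" is a placeholder; use the fixed build from Cisco's advisory.
    print(triage(SAMPLE_SHOW_VERSION, SAMPLE_CONFIG, ["9.16(4)99"]))
```

A device that reports `vpn_web_server_exposed: True` and `below_fixed: True` on an internet-facing interface is the one to prioritise; `below_fixed: None` means the train is not in your fixed list and needs a manual look at the advisory rather than being assumed safe.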
Cisco thanked the cybersecurity agencies of Australia, Canada, the U.K. and the U.S. for their help with the investigation. At the same time, the Cybersecurity and Infrastructure Security Agency (CISA) directed federal agencies to promptly identify, assess and remediate affected devices, and added the flaws to its Known Exploited Vulnerabilities (KEV) catalog with a fixed deadline for agencies to act.
CISA reports that the vulnerabilities are being exploited in a widespread campaign against Cisco ASA devices. The attackers achieve remote code execution without authentication and then modify the device's read-only memory (ROM) so that their implant survives reboots and software upgrades, a serious threat to any network behind an affected firewall.
The activity is attributed to the ArcaneDoor campaign, known for the Line Runner and Line Dancer malware, run by the actor Cisco tracks as UAT4356 (Microsoft: Storm-1849). The group has been tampering with the memory of ASA devices since at least 2024. Some Firepower models are also affected, although on hardware with Cisco Secure Boot and Trust Anchor the ROM modification can be detected.
Stay secure — stay Wavasec. 🔐