Espionage Campaign Targeting Perimeter Network Devices
Critical zero-day vulnerabilities affecting Cisco Secure Firewall Adaptive Security Appliance (ASA) and Cisco Secure Firewall Threat Defense (FTD) software have been actively exploited in the wild. The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. This activity presents a significant risk to victim networks.
Background
This threat activity has been linked to an advanced threat actor associated with the ArcaneDoor campaign (also tracked as UAT4356 / Storm-1849). Cisco assesses with high confidence that the observed exploitation aligns with ArcaneDoor activity first identified in early 2024.
The associated vulnerabilities were publicly disclosed and patched on September 25, 2025, prompting the Cybersecurity and Infrastructure Security Agency (CISA) to issue Emergency Directive (ED) 25-03, which mandates the immediate identification, remediation, and mitigation of potentially compromised devices across affected environments.
Malware and foothold implants have been observed using these vulnerabilities to:
• Establish remote code execution contexts on perimeter devices.
• Maintain persistence even post-reboot or upgrade on systems lacking proper secure boot technology.
• Potentially pivot deeper into internal networks and exfiltrate data or enable additional post-compromise operations.
This campaign highlights a sustained effort by sophisticated adversaries to weaponize zero-day flaws in widely deployed Cisco security appliances, with the goal of espionage and long-term persistence.
Latest Development
Customers are strongly urged to follow the instructions in the Cisco security advisory for complete version details, mitigation steps, and updated guidance. FortiGuard customers are protected by multiple layers of defense against these exploits. Refer to the Solutions tab for more information.
- September 25, 2025: CISA released Emergency Directive (ED) 25-03.
  https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices
- September 25, 2025: Cisco released a security advisory.
  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-code-exec-WmfP3h3O
- April 24, 2024: FortiGuard Labs released a Threat Signal on the ArcaneDoor attack campaign (2024) and provided updates on the new vulnerabilities found.
  https://www.fortiguard.com/threat-signal-report/5429/arcanedoor-attack-cisco-asa-zero-day
FortiGuard Cybersecurity Framework
Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.
- IPS
- IOC
- Outbreak Detection
- Automated Response
- Assisted Response Services
- NOC/SOC Training
- End-User Training
- Attack Surface Hardening