All news with #cisco tag

⚠️ Cisco reported active exploitation of multiple zero-day vulnerabilities in ASA and FTD software by a state-sponsored actor tracked as ArcaneDoor. Two CVEs (CVE-2025-20333 and CVE-2025-20362) are being exploited in the wild and a third (CVE-2025-20363) is at high risk for imminent exploitation. Cisco released updates on Sep. 25, 2025, and CISA issued Emergency Directive 25-03; organizations should prioritize immediate patching or apply vendor mitigations when updates are not yet possible.

🔒 Cisco has linked a renewed campaign exploiting Cisco ASA 5500-X devices to the espionage-focused ArcaneDoor threat actor. The operation leveraged zero-day flaws, notably CVE-2025-20333 and CVE-2025-20362, to implant malware, modify ROMMON for persistence and evade detection by disabling logging and intercepting CLI commands. Observed compromises affected older ASA models lacking Secure Boot/Trust Anchor protections; Cisco and national authorities urge immediate remediation. Temporary mitigations include disabling SSL/TLS VPN web services and IKEv2 client services while applying vendor fixes and conducting forensics.

🛡️ The U.K. NCSC and Cisco confirmed active exploitation of recently disclosed vulnerabilities in Cisco Secure Firewall ASA devices that allowed deployment of previously undocumented malware families, notably RayInitiator and LINE VIPER. Cisco traced attacks beginning in May 2025 that targeted ASA 5500‑X appliances (running ASA 9.12/9.14 with VPN web services enabled), using multiple zero-day flaws to bypass authentication and execute code. Attackers employed a persistent GRUB bootkit, ROMMON modifications on non‑Secure Boot platforms, and extensive evasion techniques — disabling logging, intercepting CLI, and crashing devices — to maintain stealth and persistence. Organizations are urged to apply vendor fixes, migrate off end‑of‑support models, and monitor for indicators of compromise.

🔴 A critical zero-day vulnerability (CVE-2025-20363) in Cisco firewall and IOS families requires immediate patching, US CISA and the UK NCSC warned. Cisco says the flaw is caused by improper validation of user-supplied HTTP input and can allow remote arbitrary code execution as root when exploited. Affected products include Cisco Secure Firewall ASA, FTD, and certain IOS/IOS XE/IOS XR builds; Cisco has released fixes and advises there are no viable workarounds.

⚠️ Cisco has warned of a stack overflow vulnerability in the SNMP subsystem of IOS and IOS XE software identified as CVE-2025-20352. A low-privileged authenticated attacker can send a crafted SNMP packet to cause a system reload and a denial-of-service, while a high-privileged actor could achieve root-level arbitrary code execution. Administrators are urged to apply vendor patches immediately and restrict SNMP access until systems are updated.

⚠️ Cisco is urging customers to immediately patch two zero-day vulnerabilities affecting the VPN web server in Cisco Secure Firewall Adaptive Security Appliance (ASA) and FTD software after observing exploitation in the wild. CVE-2025-20333 (CVSS 9.9) allows an authenticated VPN user to execute arbitrary code as root; CVE-2025-20362 (CVSS 6.5) permits unauthenticated access to restricted URL endpoints. CISA has issued Emergency Directive ED 25-03, added both flaws to the Known Exploited Vulnerabilities catalog with a 24-hour mitigation requirement, and warned of a widespread campaign linked to the ArcaneDoor/UAT4356 cluster that can modify ASA ROM to persist.

🔔 CISA has issued Emergency Directive 25-03 requiring Federal Civilian Executive Branch agencies to remediate two actively exploited Cisco vulnerabilities, CVE-2025-20333 and CVE-2025-20362, in ASA and FTD devices. Agencies must inventory appliances, collect forensics, disconnect compromised and end-of-support devices, and apply patches by the stated deadlines. Cisco links the exploitation to the ArcaneDoor campaign, which leverages ROMMON manipulation and in-memory backdoors to maintain persistence.

⚠️ Cisco has warned customers of two actively exploited zero-day vulnerabilities affecting Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) software. CVE-2025-20333 enables authenticated attackers to execute arbitrary code remotely, while CVE-2025-20362 allows remote access to restricted URL endpoints without authentication. Cisco's PSIRT reported attempted exploitation and strongly recommends upgrading to fixed software releases.

🛡️ CISA issued Emergency Directive 25-03 directing federal civilian agencies to identify and mitigate exploitation of a zero-day affecting Cisco Adaptive Security Appliances (ASA). Agencies must inventory in-scope devices, collect forensic data, and assess compromises using CISA-provided procedures and tools. End-of-support devices must be disconnected and remaining appliances upgraded by 11:59 PM EST on September 26, 2025; CISA will monitor compliance and provide assistance.

🚨 CISA issued Emergency Directive ED 25-03 directing federal agencies to identify, analyze, and mitigate potential compromises of Cisco ASA and Cisco Firepower devices after adding CVE-2025-20333 and CVE-2025-20362 to the Known Exploited Vulnerabilities Catalog. Agencies must inventory all devices (all versions) and collect memory/core dump files for forensic analysis, transmitting them to CISA by 11:59 p.m. EST on Sept. 26. CISA published supplemental guidance, an Eviction Strategies Tool template, and referenced Cisco and UK NCSC analyses to support containment, eviction, and remediation.

🔒 Cisco has issued an urgent advisory about a high-severity SNMP vulnerability (CVE-2025-20352, CVSS 7.7) in IOS and IOS XE Software that has been exploited in the wild. The flaw is a stack overflow in the SNMP subsystem that can allow an authenticated remote attacker to cause a denial-of-service or, with higher privileges, execute arbitrary code as root. Exploitation requires SNMP community strings or valid SNMPv3 credentials and, for code execution, administrative (privilege 15) access. Cisco called out affected devices including Meraki MS390 and Catalyst 9300 series running Meraki CS 17 and earlier, and issued a fix in IOS XE 17.15.4a. There are no full workarounds; administrators should restrict SNMP access, monitor with "show snmp host", and consider excluding affected OIDs where supported.

🛡️ Cisco released security updates addressing a high-severity zero-day, tracked as CVE-2025-20352, in IOS and IOS XE. The flaw is a stack-based buffer overflow in the SNMP subsystem that allows authenticated remote attackers with low privileges to trigger DoS, and high-privileged actors to execute code as root on affected devices. Cisco reports exploitation in the wild after Administrator credentials were compromised and urges customers to upgrade; as a temporary mitigation it recommends limiting SNMP access to trusted users.

🔐 Cisco Talos Incident Response (Talos IR) provides rapid, 24/7 crisis support and proactive services to contain, investigate, and remediate cybersecurity incidents. Talos combines deep threat intelligence, digital forensics, and a vendor-agnostic approach to work with existing tools and environments. Engagements follow a structured IR lifecycle—Preparation, Identification, Containment, Eradication, Recovery, and Lessons learned—to minimize disruption and build long-term resilience.

🔍 At .Conf in Boston, Splunk and parent company Cisco positioned machine data as central to next‑generation AI incident response, arguing telemetry represents roughly 55% of global data growth. They stressed tighter integration of security and observability, a federated data model with new support for Snowflake, and standards work such as OpenTelemetry and the Open Cybersecurity Framework (OCSF). Splunk also previewed enhanced security operations capabilities — a premier Enterprise Security bundle, Detection Studio, and agentic AI features — while acknowledging customer concerns about costs, legacy positioning, and support.

🔒 A Cisco Talos Incident Response (IR) Retainer provides organizations with prioritized access to Talos' global threat intelligence and incident response specialists, combining proactive preparedness with rapid 24/7 mobilization. The retainer includes tailored IR plans, playbooks, readiness assessments, and tabletop exercises, plus proactive threat hunting using the PEAK Framework. Clients receive vendor-agnostic integration guidance, optional Cisco technology deployment, coordinated legal and PR support, and detailed post-incident reviews to reduce downtime and reputational harm.

🔎 Security researchers observed a large surge in network scans probing Cisco ASA login portals and Cisco IOS Telnet/SSH endpoints, with GreyNoise recording two major spikes in late August 2025. The second wave on August 26, 2025, was largely (about 80%) driven by a Brazilian botnet using roughly 17,000 IPs and overlapping Chrome-like user agents that suggest a common origin. Administrators are urged to apply the latest patches, enforce MFA for remote ASA logins, avoid exposing management pages and services directly, and use VPN concentrators, reverse proxies, geo-blocking, and rate limiting to reduce risk.

🔒Cisco Talos Incident Response (Talos IR) analyzed pre-ransomware engagements from January 2023 through June 2025 to determine which controls most often prevented ransomware deployment. Rapid engagement with incident responders and near-immediate action on EDR/MDR alerts were the two strongest correlates of stopping encryption. Talos found that aggressive blocking and quarantine settings, strict identity and privilege controls, improved logging, and early notifications from partners materially increased the chance of eviction before encryption. The guidance focuses on securing remote services, credential protection, application allowlisting, and network segmentation.

📰 This week’s Threat Source newsletter highlights three significant vulnerabilities Talos researchers uncovered and helped remediate: a Dell firmware persistence flaw (Revault), an Office for macOS permissions bypass, and router compromises that blend malicious traffic with legitimate ISP flows. The author, William Largent, also emphasizes mental health and recommends a paper on AI behavioral pathologies to help anticipate malicious or errant AI-driven activity. Top headlines include a 4.4M-record TransUnion breach, a Salesloft Drift AI token compromise, a Passwordstate high-severity fix, an Azure AD credential leak, and a WhatsApp zero-day. Watch the Talos Threat Perspective episode and read the Dell write-up for mitigation guidance.

🛡️ The U.S. Department of State is offering up to $10 million for information on three Russian FSB officers accused of carrying out cyberattacks against U.S. critical infrastructure. The named individuals — Marat Valeryevich Tyukov, Mikhail Mikhailovich Gavrilov, and Pavel Aleksandrovich Akulov — are tied to the FSB's Center 16, tracked under aliases such as Berserk Bear and Dragonfly. Charged in March 2022, the officers are alleged to have run intrusions from 2012–2017 targeting government agencies and energy firms, and recent activity shows exploitation of CVE-2018-0171 in end-of-life Cisco devices. The State Department directs tips to its Rewards for Justice Tor channel; eligible informants could receive rewards and relocation assistance.

🔒 Salt Typhoon, a persistent Chinese-aligned threat actor, has expanded operations into the Netherlands by compromising routers at smaller ISPs and hosting providers. Intelligence agencies report the group exploits known flaws in Ivanti, Palo Alto Networks, and Cisco devices to obtain long-term access and pivot through trusted provider links. Authorities urge organizations to audit configurations, disable management access, enforce public-key administrative authentication, remove default credentials, and keep vendor-recommended OS versions up to date to reduce exposure.