Cisco Routers Hacked for Rootkit Deployment

16 October 2025 at 07:12

Threat actors are exploiting CVE-2025-20352, a recent Cisco zero-day, to deploy a rootkit on older networking devices.

The post Cisco Routers Hacked for Rootkit Deployment appeared first on SecurityWeek.

CISA says it observed nearly year-old activity tied to Cisco zero-day attacks

25 September 2025 at 19:34

The Cybersecurity and Infrastructure Security Agency acknowledged it’s yet to get a complete handle on the scope and impact of attacks involving Cisco zero-day vulnerabilities that prompted it to release an emergency directive Thursday.

The attack timeline dates back almost a year, according to an investigation Cisco and federal authorities did behind the scenes to identify the root cause and then coordinate the issuance of patches to address software defects under active exploitation.

“We observed initial activity that we believe was related back in November,” Chris Butera, acting deputy executive assistant director for cybersecurity at CISA, said during a media briefing Thursday. “It started off as reconnaissance activity on these types of devices, and that’s what kicked off back in November.”

That malicious activity — read-only memory modification — “began as early as November 2024, if not earlier,” he said.

CISA said it’s aware of hundreds of Cisco firewalls in use across the federal government that are potentially susceptible to exploitation. The mandated steps outlined in the emergency directive will help the agency understand the full scope of those devices and the extent of compromise across federal agencies, Butera said.

Critical infrastructure operators are also likely affected, and CISA is asking those organizations to report incidents as they are confirmed, Butera said.

He also addressed a considerable delay from discovery to disclosure. Cisco said it initiated an incident response investigation into the attacks on multiple federal agencies in May, but four months passed before it disclosed the malicious activity and patched the zero-day vulnerabilities.

During that time, CISA chose to hold off on releasing the emergency directive, which requires federal agencies to take immediate action by the end of Friday.

“With any vulnerability coordination, it takes some time to properly understand what that vulnerability is and whether that vulnerability is being exploited, and some time for the vendors to develop a patch to mitigate that,” Butera said. “So the timeline involved both investigation and patch development for that process.”

He added that CISA and Cisco collaborated to implement mitigation steps and remediate the malicious activity. The agency also worked with Cisco through the coordinated vulnerability disclosure process “so we could appropriately address the risk as fully as possible during this time,” Butera said.

Federal officials are concerned attacks may accelerate or shift in the wake of CISA’s effort to prod agencies to thwart the threat.

“As soon as these vulnerabilities are released to the threat actor, we believe the threat actor will likely try to pivot and change tactics,” Butera said. “We think it’s really important for our organization to try to detect that threat actor activity as quickly as possible, so that is what’s driving the tight timeline.”

Officials declined to discuss the attackers’ origins or motivations in detail. Butera said CISA is not focused on attribution at this time, and he did not confirm research from outside threat intelligence firms pinning the espionage attacks on a China state-affiliated threat group tracked as UAT4356 and Storm-1849.

Butera said the espionage attacks linked to the Cisco zero-day vulnerabilities are separate and not connected to the widespread and ongoing China state-sponsored attack spree Mandiant and Google Threat Intelligence Group researchers warned about Wednesday. Those attacks also involve exploitation of network edge devices.

The post CISA says it observed nearly year-old activity tied to Cisco zero-day attacks appeared first on CyberScoop.

CISA alerts federal agencies of widespread attacks using Cisco zero-days

25 September 2025 at 15:05

Federal cyber authorities sounded a rare alarm Thursday, issuing an emergency directive about an ongoing and widespread attack spree involving actively exploited zero-day vulnerabilities affecting Cisco firewalls.

Cisco said it began investigating attacks on multiple government agencies linked to the state-sponsored campaign in May. The vendor, which attributes the attacks to the same threat group behind an early 2024 campaign targeting Cisco devices it dubbed “ArcaneDoor,” said the new zero-days were exploited to “implant malware, execute commands, and potentially exfiltrate data from the compromised devices.”

Cisco disclosed three vulnerabilities affecting its Adaptive Security Appliances — CVE-2025-20333, CVE-2025-20363 and CVE-2025-20362 — but said “evidence collected strongly indicates CVE-2025-20333 and CVE-2025-20362 were used by the attacker in the current attack campaign.”

The Cybersecurity and Infrastructure Security Agency said those two zero-days pose an “unacceptable risk” to federal agencies and require immediate action.

Federal agencies are required to hunt for evidence of compromise, report findings and disconnect compromised devices by the end of Friday. Agencies running Cisco ASA firewalls are also required to apply Cisco’s patches or permanently disconnect end-of-life devices by the end of Friday.

“CISA is directing federal agencies to take immediate action due to the alarming ease with which a threat actor can exploit these vulnerabilities, maintain persistence on the device, and gain access to a victim’s network,” CISA Acting Director Madhu Gottumukkala said in a statement.

Cisco did not fully explain why it waited four months from its initial response to the attacks on federal agencies to disclose the malicious activity and patch the zero-day vulnerabilities.

The attackers “employed advanced evasion techniques such as disabling logging, intercepting command-line interface commands, and intentionally crashing devices to prevent diagnostic analysis. The complexity and sophistication of this incident required an extensive, multi-disciplinary response across Cisco’s engineering and security teams,” the company said.

CISA did not immediately respond to questions about why it waited four months to issue an emergency directive.

The agency described the campaign as widespread, resulting in remote-code execution and manipulation of read-only memory that persists through reboots and system upgrades. While CISA’s emergency directive only applies to federal agencies, the private sector often follows these urgent warnings closely.

“The same risks apply to any organizations using these devices. We strongly urge all entities to adopt the actions outlined in this emergency directive,” Gottumukkala said.

Cisco and CISA did not attribute the espionage attacks to a specific nation state, but Censys researchers previously said they found compelling evidence indicating a threat group based in China was behind the ArcaneDoor campaign last year. Censys noted it found evidence of multiple major Chinese networks and Chinese-developed anti-censorship software during its investigation into the early 2024 attacks.

The latest attacks initiated by the espionage group, tracked as UAT4356 by Cisco Talos and Storm-1849 by Microsoft Threat Intelligence, are a continuation or resurgence of that previous campaign involving new zero-days.

Cisco said remote attackers can “gain full control of an affected device” by chaining together the vulnerabilities, two of which are designated as critical.

When Storm-1849 was first identified in early 2024, the espionage group was targeting international entities, according to Sam Rubin, senior vice president of Palo Alto Networks’ Unit 42. Unit 42 also considers Storm-1849 to be affiliated with China.

“Over the past year, Unit 42 has observed them evolve their toolkit and in recent months their focus has shifted towards entities in the United States,” he said. “As we have seen before, now that patches are available, we can expect attacks to escalate as cybercriminal groups quickly figure out how to take advantage of these vulnerabilities.”

The post CISA alerts federal agencies of widespread attacks using Cisco zero-days appeared first on CyberScoop.

Cisco uncovers new SNMP vulnerability used in attacks on IOS devices

By: Greg Otto
25 September 2025 at 10:57

Cisco Systems has issued security updates to address a critical vulnerability in its widely deployed IOS and IOS XE network operating systems, after confirming the flaw is being exploited in active attacks.

Designated CVE-2025-20352, the vulnerability resides in the Simple Network Management Protocol (SNMP) subsystem of Cisco’s core network software. According to Cisco, the weakness stems from a stack-based buffer overflow and affects any device with SNMP enabled. The flaw allows authenticated, remote attackers with low privileges to force targeted systems to reload, causing denial of service. Higher-privileged attackers could execute arbitrary code with root-level permissions on affected Cisco IOS XE devices, effectively gaining complete control.

Cisco disclosed that the vulnerability has been exploited in the wild. The company became aware of active attacks after the compromise of local administrator credentials. Attackers have leveraged the flaw by sending crafted SNMP packets over either IPv4 or IPv6 networks.

“All devices that have SNMP enabled and have not explicitly excluded the affected object ID (OID) should be considered vulnerable,” Cisco wrote in a published advisory. The company noted the problem affects all versions of SNMP, including v1, v2c, and v3. Models such as the Meraki MS390 and Catalyst 9300 running Meraki CS 17 or earlier are impacted, with a fix arriving in a further IOS XE software release.

No known workarounds exist beyond software updates. While organizations unable to immediately upgrade can mitigate some risk by limiting SNMP access to trusted users and network segments, Cisco advises that these are only temporary measures.

The company’s security bulletin further instructs administrators on verifying the presence of SNMP and potentially affected configurations through command-line tools. Devices running IOS XR and NX-OS are confirmed as unaffected.
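As an added illustration of the interim mitigation described above (this is not from the article or from Cisco’s advisory), the Cisco IOS configuration fragment below contrasts an unrestricted SNMP setup with one limited to a management network, an SNMPv3 authPriv user, and a view that excludes the affected OID. The management subnet, user and group names, credentials, and the OID placeholder are assumed values; the article does not name the affected OID, so substitute the one from Cisco’s advisory.

```cisco
! --- Weak (before): a v2c community reachable from any source, full MIB tree ---
snmp-server community public RO

! --- Hardened (after): assumed values, adjust to your environment ---
! 1. Only the management segment may reach the SNMP agent (constructed subnet).
ip access-list standard SNMP-MGMT
 permit 10.0.100.0 0.0.0.255
 deny   any log

! 2. A view that exposes the MIB tree but excludes the affected OID.
!    <AFFECTED-OID> is a placeholder; take the real value from Cisco's advisory.
snmp-server view SAFE-VIEW iso included
snmp-server view SAFE-VIEW <AFFECTED-OID> excluded

! 3. SNMPv3 group bound to the restricted view and the management ACL.
snmp-server group NETMON v3 priv read SAFE-VIEW access SNMP-MGMT

! 4. SNMPv3 user with authentication and encryption (placeholder secrets).
snmp-server user netmon NETMON v3 auth sha <AUTH-SECRET> priv aes 128 <PRIV-SECRET>

! 5. Remove the unrestricted community so only the v3 path remains.
no snmp-server community public

! Verify what is actually configured before and after the change.
do show running-config | include snmp-server
```

The view exclusion reduces exposure of the specific OID, but as the article notes, Cisco treats such restrictions as temporary measures pending the software update.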

The same update that addressed the SNMP flaw also included patches for 13 other vulnerabilities. Two of these are considered significant: a reflected cross-site scripting weakness (CVE-2025-20240) permitting attackers to potentially steal session cookies, and a denial-of-service flaw (CVE-2025-20149) that can be triggered by authenticated local users. Both have proof-of-concept exploit code available publicly.

Cisco’s IOS and IOS XE platforms are foundational to global networking infrastructure, making vulnerabilities with the potential for remote code execution and denial of service particularly significant for enterprise operations and internet service providers. SNMP’s pervasive use for network monitoring and management, coupled with default or weak credential usage in some environments, continues to place heightened importance on timely security response.

The post Cisco uncovers new SNMP vulnerability used in attacks on IOS devices appeared first on CyberScoop.

Cisco discloses maximum-severity defect in firewall software

15 August 2025 at 13:04

Cisco disclosed a maximum-severity vulnerability affecting its Secure Firewall Management Center Software that could allow unauthenticated attackers to inject arbitrary shell commands and execute high-privilege commands, the vendor said in a security advisory Thursday.

The enterprise networking vendor said it discovered the vulnerability — CVE-2025-20265 — during internal security testing. Cisco released a patch for the defect along with a series of 29 vulnerabilities in other Cisco Secure technologies.

“To date, Cisco’s Product Security Incident Response Team (PSIRT) is not aware of any malicious use or exploitation of this vulnerability, and we strongly urge customers to upgrade to update releases,” a Cisco spokesperson told CyberScoop. “If an immediate upgrade is not feasible, implement a mitigation as outlined in the advisory.”

The disclosure marks yet another vulnerability in a widely used edge technology — a common and persistent point of intrusion for attackers. Edge technologies, including VPNs, firewalls and routers, harbored the four most frequently exploited vulnerabilities in 2024, according to Mandiant’s M-Trends report released earlier this year.

“Anytime you see ‘remote, unauthenticated command injection,’ you should be concerned,” Nathaniel Jones, VP of security and AI strategy at Darktrace, told CyberScoop. “These are exactly the types of vulnerabilities that pose significant danger because they are highly attractive to nation-state actors like Salt Typhoon — and such groups are likely to move quickly to exploit them.”

Darktrace hasn’t observed exploitation in the wild, nor is it aware of a proof-of-concept exploit. “But, this type of vulnerability means the clock is ticking. I’d bet a proof-of-concept is available come Monday,” Jones said.

The remote-code execution vulnerability, which has a CVSS rating of 10, involves improper handling of user input during the authentication phase. “For this vulnerability to be exploited, Cisco Secure FMC Software must be configured for RADIUS (remote authentication dial-in user service) authentication for the web-based management interface, SSH (secure shell) management, or both,” Cisco said in the advisory.

The vulnerability affects Cisco Secure FMC Software versions 7.0.7 and 7.7.0 with RADIUS authentication enabled. The platform allows customers to configure, monitor, manage and update firewall controls.

“The vulnerability means that no credential is needed nor proximity, and you can get full privileges,” Jones added. “The improper-input handling could let an attacker craft authentic packets containing malicious payloads that escape the intended command context and run arbitrary OS commands.”

The vendor said there are no workarounds for the vulnerability, and it confirmed the defect does not affect Cisco Secure Firewall Adaptive Security Appliance Software or Cisco Secure Firewall Threat Defense Software.

Jones said the maximum-severity vulnerability accentuates the unflattering security posture of edge devices and their development lifecycles. “It just reinforces why they’re attacked — because they sit at network boundaries where attackers can reach them without stepping inside first, often have high privileges and broad visibility and the gatekeeper can bypass multiple layers of security at once,” he said.

Cisco encouraged customers to determine exposure to CVE-2025-20265 and other vulnerabilities by running the Cisco Software Checker, which identifies vulnerabilities impacting specific software releases.

The post Cisco discloses maximum-severity defect in firewall software appeared first on CyberScoop.

Cisco network access security platform vulnerabilities under active exploitation

23 July 2025 at 11:23

A pair of maximum-severity vulnerabilities affecting Cisco’s network access security platform are under active exploitation, the enterprise networking and IT vendor warned in a security advisory Monday.

The software defects in Cisco Identity Services Engine and Cisco ISE Passive Identity Connector — CVE-2025-20281 and CVE-2025-20337 — were disclosed and addressed by Cisco on June 25, followed by the disclosure of a third critical vulnerability in the same software, CVE-2025-20282, on July 16. Cisco said it became aware of reported attempted exploitation of CVE-2025-20281 and CVE-2025-20337 on July 21.

“Based on these reports, we have updated our security advisory to reflect the attempted exploitation,” a Cisco spokesperson said in a statement. “At this time, we are not aware of any attempted exploitation or malicious use of CVE-2025-20282, and we continue to strongly recommend that customers upgrade to fixed software releases that remediate these vulnerabilities.”

All three of the vulnerabilities have a CVSS rating of 10 and there are no workarounds for the software defects. Cisco warned that all three vulnerabilities can be exploited by an unauthenticated, remote attacker, allowing arbitrary code execution on the underlying system as root.

Cisco did not say how many customers are currently impacted.

Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said researchers detected active exploitation of CVE-2025-20281 on July 17. “Since CVE-2025-20281 and CVE-2025-20337 are very similar, we believe both are under active attack. Proof of concept exploit code was first made public on June 27,” Childs said.

“Right now, those attacks appear to be limited and targeted. Cisco ISE is used by thousands of enterprises, so the potential impact is large,” he added.

The origins and motivations of the threat group or attacker behind the exploits remain unknown, but the potential interest is broad.

“Threat actors would be interested in these vulnerabilities because a Cisco ISE has a high degree of network visibility through logging, which gives threat actors insight for further attacks in the network,” Childs said. “An ISE also is a repository for potentially all of the users in an organization.”

The post Cisco network access security platform vulnerabilities under active exploitation appeared first on CyberScoop.

Cisco Smart Install Escalation and Update!

By: BHIS
21 December 2018 at 14:34

Jordan Drysdale// tl;dr Both Cisco and Nessus have escalated the Smart Install Client Service feature/vulnerability. Nessus is now reporting the Smart Install RCE as critical. High five!!! Cisco has also […]

The post Cisco Smart Install Escalation and Update! appeared first on Black Hills Information Security, Inc..

Lawrence’s List 061316

By: BHIS
3 June 2016 at 11:33

Editor’s Note: We’ll feature Lawrence’s List every week. It will include interesting things he’s come across during the week as he’s an avid consumer of internet garbage and follows a […]

The post Lawrence’s List 061316 appeared first on Black Hills Information Security, Inc..
