Cisco warns of a new attack variant exploiting CVE-2025-20333 and CVE-2025-20362 in Secure Firewall ASA and FTD devices.

Cisco warned of a new attack variant targeting vulnerable Secure Firewall ASA and FTD devices by exploiting the vulnerabilities CVE-2025-20333 and CVE-2025-20362.

“On November 5, 2025, Cisco became aware of a new attack variant against devices running Cisco Secure ASA Software or Cisco Secure FTD Software releases that are affected by CVE-2025-20333 and CVE-2025-20362.” reads the new alert published by Cisco. “This attack can cause unpatched devices to unexpectedly reload, leading to denial of service (DoS) conditions. Cisco strongly recommends that all customers upgrade to the fixed software releases that are listed in the Fixed Releases section of this page.”

CVE-2025-20333 is a buffer overflow vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) Software. An attacker can exploit this flaw for remote code execution. CVE-2025-20362 is a missing authorization vulnerability in Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) Software. The two vulnerabilities could be chained.

In September, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.

After the flaws had been fixed, the U.K. NCSC reported that threat actors had exploited them in zero-day attacks to deploy two novel malware families, RayInitiator and LINE VIPER. This malware marks a major evolution from earlier campaigns, featuring greater sophistication and advanced evasion capabilities.

RayInitiator is a persistent, multi-stage GRUB bootkit flashed to Cisco ASA 5500-X devices (many of which are out of support) that survives reboots and firmware upgrades.
RayInitiator is used to load the user-mode loader LINE VIPER into memory. LINE VIPER receives commands either through WebVPN client authentication or via special network packets. It uses unique tokens and RSA keys per victim to secure commands and stolen data. Once active, it can run device commands, capture network traffic, bypass authentication controls, hide log messages, record CLI input, and trigger delayed reboots.

Cisco links the new attacks to the ArcaneDoor threat actor but says there is no evidence that other FTD or hardware platforms have been successfully breached.

“Cisco assesses with high confidence that this new activity is related to the same threat actor as the ArcaneDoor attack campaign that Cisco reported in early 2024.” concludes the alert. “While the vulnerable software is supported across other hardware platforms with different underlying architectures as well as in devices that are running Cisco Secure Firewall Threat Defense (FTD) Software, Cisco has no evidence that these platforms have been successfully compromised.”

Pierluigi Paganini (SecurityAffairs – hacking, CISCO)