FortiNDRCloud
kcheung
Staff
Article Id 426347
Description

Cisco Secure Firewall Adaptive Security Appliance (ASA) and Cisco Secure Firewall Threat Defense (FTD) software vulnerabilities have been actively exploited in the wild. As identified by Cisco, this threat activity has been linked to a threat actor associated with the ArcaneDoor campaign (also tracked as UAT4356/Storm-1849).

The following software vulnerabilities have been observed in use during this threat campaign:

CVE-2025-20333 is a buffer overflow vulnerability in the VPN server component of Cisco ASA and Cisco FTD which allows a remote authenticated attacker to send crafted requests to execute arbitrary code as root.

CVE-2025-20362 is an authentication bypass vulnerability in the VPN server component of Cisco ASA and Cisco FTD which allows a remote unauthenticated attacker to access restricted URL endpoints without authentication. This could disclose information such as device and VPN service configuration details.

CVE-2025-20363 is a heap-based buffer overflow vulnerability in the web service component of Cisco ASA and Cisco FTD which allows a remote unauthenticated attacker to send crafted requests and achieve remote code execution (RCE).

For affected and fixed product versions, please refer to the Cisco security advisory links below:

CVE-2025-20333
CVE-2025-20362
CVE-2025-20363

CVE ID: CVE-2025-20333, CVE-2025-20362, CVE-2025-20363

NDR Cloud Detection Rule (FortiNDR Cloud v25.4a+):
  Detection Rule Name: FortiGuard Outbreak Alert: Cisco ASA and FTD Firewall RCE - CVE-2025-20333
  Category: Attack: Exploitation
  Primary MITRE ID: T1190 - Exploit Public-Facing Application

Playbook: N/A

Threat Hunting: FortiNDR Cloud users can use the following IOCs from Fortinet to hunt for "Cisco ASA and FTD Firewall RCE" related activity.
  IOC source: Cisco ASA and FTD Firewall RCE | Indicators of Compromise
  All IOCs relating to "Cisco ASA and FTD Firewall RCE" have been added to Threat Intelligence Intel.

Suricata Coverage: Customers can create custom investigations/detections using the Suricata signatures below:
  2065052 -> ET WEB_SERVER Cisco ASA/FTD Authenticated Buffer Overflow (CVE-2025-20333)
  2065051 -> ET WEB_SERVER Cisco ASA/FTD WebVPN Authentication Bypass (CVE-2025-20362)

Other Fortinet Products: For more details on mitigating these vulnerabilities with Fortinet products, please refer to:
  Cisco ASA and FTD Firewall RCE
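As an added example, not Fortinet's or FortiNDR Cloud's own code, the Python below triages Suricata EVE JSON alerts for the two signature IDs listed above and flags any source that triggered both rules. The log lines are constructed, and the EVE field names (event_type, alert.signature_id, src_ip, dest_ip, timestamp) are assumed to match a default Suricata eve.json.

```python
import json
from collections import defaultdict

# Emerging Threats SIDs listed on this page, mapped to the CVE each rule covers.
ASA_SIDS = {
    2065052: "CVE-2025-20333",  # ET WEB_SERVER Cisco ASA/FTD Authenticated Buffer Overflow
    2065051: "CVE-2025-20362",  # ET WEB_SERVER Cisco ASA/FTD WebVPN Authentication Bypass
}

# Constructed Suricata EVE JSON sample, not real traffic: 203.0.113.7 trips both rules,
# 198.51.100.5 trips only the bypass rule; a flow event, an unrelated SID and a bad line are noise.
SAMPLE_EVE = r"""
{"timestamp":"2025-09-25T10:15:02.000000+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.0.2.10","alert":{"signature_id":2065051,"signature":"ET WEB_SERVER Cisco ASA/FTD WebVPN Authentication Bypass (CVE-2025-20362)"}}
{"timestamp":"2025-09-25T10:15:09.000000+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.0.2.10","alert":{"signature_id":2065052,"signature":"ET WEB_SERVER Cisco ASA/FTD Authenticated Buffer Overflow (CVE-2025-20333)"}}
{"timestamp":"2025-09-25T10:16:00.000000+0000","event_type":"flow","src_ip":"198.51.100.5","dest_ip":"192.0.2.10"}
{"timestamp":"2025-09-25T10:17:30.000000+0000","event_type":"alert","src_ip":"198.51.100.5","dest_ip":"192.0.2.11","alert":{"signature_id":2065051,"signature":"ET WEB_SERVER Cisco ASA/FTD WebVPN Authentication Bypass (CVE-2025-20362)"}}
{"timestamp":"2025-09-25T10:18:00.000000+0000","event_type":"alert","src_ip":"198.51.100.9","dest_ip":"192.0.2.11","alert":{"signature_id":9999999,"signature":"CONSTRUCTED unrelated test alert"}}
this line is not JSON and must be skipped, not crash the hunt
"""

def parse_eve_alerts(lines):
    """Yield (timestamp, src_ip, dest_ip, sid) for alert events whose SID is in ASA_SIDS."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record: skip it rather than abort the whole hunt
        if ev.get("event_type") != "alert":
            continue
        sid = ev.get("alert", {}).get("signature_id")
        if sid in ASA_SIDS:
            yield ev["timestamp"], ev["src_ip"], ev["dest_ip"], sid

def summarize(lines):
    """Group hits by source IP; both_rules marks a source that hit the bypass and the overflow rule,
    worth priority because CVE-2025-20333 needs authentication and CVE-2025-20362 bypasses it."""
    per_src = defaultdict(lambda: {"cves": set(), "targets": set(), "times": []})
    for ts, src, dst, sid in parse_eve_alerts(lines):
        per_src[src]["cves"].add(ASA_SIDS[sid])
        per_src[src]["targets"].add(dst)
        per_src[src]["times"].append(ts)
    # EVE timestamps share one UTC offset, so min/max on the strings gives first/last seen.
    return {src: {"cves": sorted(r["cves"]), "targets": sorted(r["targets"]),
                  "first_seen": min(r["times"]), "last_seen": max(r["times"]),
                  "both_rules": len(r["cves"]) == 2}
            for src, r in per_src.items()}
```

Point it at a real eve.json with `summarize(open("eve.json"))` and review the sources where both_rules is true first.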