Cisco warns of ‘new attack variant’ battering firewalls • The Register

by CybrGPT

Cisco warned customers about another wave of attacks against its firewalls, which have been battered by intruders for at least six months. It also patched two critical bugs in its Unified Contact Center Express (UCCX) software that aren’t under active exploitation – yet.

“On November 5, 2025, Cisco became aware of a new attack variant against devices running Cisco Secure ASA Software or Cisco Secure FTD Software releases that are affected by CVE-2025-20333 and CVE-2025-20362,” Netzilla noted in a Thursday security advisory. 

The new attacks cause unpatched firewalls to continually reload, leading to denial-of-service conditions, and are the latest in a series of strikes against vulnerable devices that have been ongoing since May. 

Cisco originally patched both flaws in September, with the UK’s National Cyber Security Centre and US Cybersecurity and Infrastructure Security Agency sounding the alarm on exploitation by an “advanced threat actor” with victims including at least one US government agency.

In May, Cisco began working with “multiple government agencies that provide incident response services to government organizations” to investigate these attacks, which were used to deploy malware, execute malicious commands, and “potentially” steal data from compromised devices, according to the Thursday advisory.  

The company also “dedicated a specialized, full-time team to this investigation, working closely with a limited set of affected customers.”

“Attackers were observed to have exploited multiple zero-day vulnerabilities and employed advanced evasion techniques such as disabling logging, intercepting CLI commands, and intentionally crashing devices to prevent diagnostic analysis,” according to the alert.

In some cases, the attackers modified Cisco’s bootstrap program, ROM Monitor (ROMmon), to establish persistence even after reboots and software upgrades.
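Two of the behaviours described above leave traces in a firewall’s syslog feed before it is tampered with: the continual reloads of the new variant, and the “disabling logging” step the earlier intrusions used. The following script is an added example, not code from the article or from Cisco, that runs simple detection logic over a few constructed ASA syslog lines. It assumes the standard ASA message formats %ASA-5-111010 (“User 'x', running 'CLI' from IP y, executed 'cmd'”) and %ASA-6-199002 (“Startup completed. Beginning operation.”); the hostname, users, IPs and timestamps are invented.

```python
"""Flag logging-tamper commands and reload bursts in Cisco ASA syslog (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample feed; the message IDs follow Cisco's ASA syslog
# documentation, everything else (host, users, IPs, times) is invented.
SAMPLE_LOG = """\
Nov 06 2025 10:15:01 fw01 : %ASA-5-111010: User 'admin', running 'CLI' from IP 10.0.0.5, executed 'show version'
Nov 06 2025 10:16:12 fw01 : %ASA-5-111010: User 'admin', running 'CLI' from IP 198.51.100.7, executed 'no logging enable'
Nov 06 2025 10:16:40 fw01 : %ASA-5-111010: User 'admin', running 'CLI' from IP 198.51.100.7, executed 'clear logging buffer'
Nov 06 2025 11:02:33 fw01 : %ASA-6-199002: Startup completed. Beginning operation.
Nov 06 2025 11:09:10 fw01 : %ASA-6-199002: Startup completed. Beginning operation.
Nov 06 2025 11:15:48 fw01 : %ASA-6-199002: Startup completed. Beginning operation.
Nov 06 2025 11:22:05 fw01 : %ASA-6-199002: Startup completed. Beginning operation.
Nov 07 2025 09:00:00 fw01 : %ASA-6-199002: Startup completed. Beginning operation.
"""

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})")
CLI_EXEC_RE = re.compile(
    r"%ASA-5-111010: User '(?P<user>[^']+)', running '[^']+' "
    r"from IP (?P<ip>[^,]+), executed '(?P<cmd>[^']*)'"
)
STARTUP_RE = re.compile(r"%ASA-6-199002: Startup completed")
# Commands that switch off or wipe local logging; extend to taste.
LOGGING_TAMPER_RE = re.compile(r"^(no logging\b|clear logging\b)", re.IGNORECASE)


def parse_ts(line):
    """Return the line's timestamp as a datetime, or None if absent."""
    m = TS_RE.match(line)
    return datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S") if m else None


def logging_tamper_events(lines):
    """Every CLI command that disables or clears logging, with who ran it from where."""
    events = []
    for line in lines:
        m = CLI_EXEC_RE.search(line)
        if m and LOGGING_TAMPER_RE.match(m["cmd"].strip()):
            events.append({"ts": parse_ts(line), "user": m["user"],
                           "ip": m["ip"].strip(), "cmd": m["cmd"]})
    return events


def reload_bursts(lines, window=timedelta(minutes=30), threshold=3):
    """Groups of >= threshold 'Startup completed' messages inside one window.

    A single reboot is normal; several in a short span is the signature of a
    device being forced to reload repeatedly. Returns (first, last, count) tuples.
    """
    starts = sorted(ts for ts in (parse_ts(l) for l in lines if STARTUP_RE.search(l)) if ts)
    bursts, i = [], 0
    while i < len(starts):
        j = i
        while j + 1 < len(starts) and starts[j + 1] - starts[i] <= window:
            j += 1
        count = j - i + 1
        if count >= threshold:
            bursts.append((starts[i], starts[j], count))
            i = j + 1
        else:
            i += 1
    return bursts


def report(text):
    """Run both detections over a raw syslog text and return the findings."""
    lines = text.splitlines()
    return {"logging_tamper": logging_tamper_events(lines),
            "reload_bursts": reload_bursts(lines)}


if __name__ == "__main__":
    findings = report(SAMPLE_LOG)
    for ev in findings["logging_tamper"]:
        print(f"[tamper] {ev['ts']} {ev['user']}@{ev['ip']} ran '{ev['cmd']}'")
    for first, last, n in findings["reload_bursts"]:
        print(f"[reload burst] {n} startups between {first} and {last}")
```

The point of the second detector is that a device which is being forced to reload cannot be trusted to keep its own history, so the startup markers have to be counted on the syslog collector, not on the firewall. The same applies to the first detector: an admin session that switches logging off is only visible if the preceding messages already left the box.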

Cisco and the US and UK government agencies have linked the earlier exploitation plus the “new variant” to the government-backed threat crew behind the ArcaneDoor attacks. These first came to light in April 2024, when Cisco patched two zero-day flaws in ASA and FTD firewalls that had already been exploited to break into government and telecom networks. Cisco pinned the activity on a threat crew it dubbed UAT4356.

Cisco, since 2024, has refused to attribute this malicious activity to a specific country such as Russia or China. A spokesperson declined to answer The Register’s question about the new wave of attacks, and repeated the Thursday security alert in an email.

Make-me-root bug – patch now

Also on Thursday, the networking giant disclosed two critical security holes in its contact center software, Unified CCX, that allow remote, unauthenticated attackers to upload arbitrary files, execute commands with root privileges, or bypass authentication to run scripts as a non-root user.

The bugs, tracked as CVE-2025-20354 and CVE-2025-20358, affect Cisco Unified CCX, regardless of device configuration. The vendor recommends customers upgrade to a fixed software release (12.5 SU3 ES07 or 15.0 ES01) to close the hole.

CVE-2025-20354 is a 9.8-rated vulnerability in the Java Remote Method Invocation (RMI) process of Cisco Unified CCX that’s due to improper authentication mechanisms.

“An attacker could exploit this vulnerability by uploading a crafted file to an affected system through the Java RMI process,” according to the security alert. “A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system and elevate privileges to root.”

CVE-2025-20358, an authentication bypass bug in the same product, also received a critical, 9.4 CVSS rating. It’s due to improper authentication between the CCX Editor and Unified CCX server. “An attacker could exploit this vulnerability by redirecting the authentication flow to a malicious server and tricking the CCX Editor into believing the authentication was successful,” the advisory said. 

Abusing this vulnerability allows miscreants to execute arbitrary scripts on the underlying OS as an internal non-root user.

While Cisco says it’s not aware of any in-the-wild attacks against either of these flaws, we’d suggest patching ASAP. ®
