Exploitation of Zero-Day Vulnerabilities in Remote Access Technologies
Threat actors have increasingly targeted remote access technologies in 2025 by exploiting a series of critical vulnerabilities, many of which were zero-days at the time of discovery. Security researchers have identified several high-impact vulnerabilities affecting widely deployed enterprise products, including Citrix NetScaler, Cisco IOS and IOS XE, Cisco ASA and FTD, Fortra GoAnywhere MFT, and Oracle E-Business Suite. These vulnerabilities have enabled remote code execution, authentication bypass, and other forms of unauthorized access, posing significant risks to organizations relying on these technologies for perimeter defense. Notably, some of these flaws, such as CVE-2025-7775 in Citrix NetScaler and CVE-2025-20352 in Cisco IOS/IOS XE, were exploited before public disclosure, highlighting the persistent threat of zero-day attacks. The threat actor group UAT4356, also known as ArcaneDoor, has been linked to the exploitation of certain Cisco vulnerabilities, demonstrating the involvement of sophisticated adversaries. In addition to newly discovered zero-days, attackers continue to leverage older, unpatched vulnerabilities, underscoring the ongoing challenge of maintaining effective patch management. Initial access brokers and both opportunistic and targeted threat actors have been observed using these exploits to gain footholds in enterprise environments, often as a precursor to further malicious activity such as extortion or data theft. Vendor security bulletins, such as those from Ivanti and Fortinet, provide guidance and mitigation steps for affected organizations. The prevalence of public proof-of-concept exploits for some vulnerabilities has accelerated their weaponization in the wild. The impact of these attacks is amplified by the critical role remote access technologies play in modern enterprise infrastructure, making timely detection and remediation essential.
Security teams are urged to prioritize patching, monitor for signs of exploitation, and implement robust access controls to mitigate risk. The ongoing exploitation of both new and old vulnerabilities highlights the need for continuous vigilance and proactive security measures. Researchers emphasize the importance of machine-readable, well-vetted vulnerability intelligence to support rapid response. The trend of targeting remote access solutions is expected to persist, given their attractiveness as initial access vectors. Organizations are advised to review vendor advisories and apply recommended patches without delay. The evolving threat landscape requires a coordinated effort between vendors, security researchers, and enterprise defenders to reduce exposure and limit the impact of these attacks.
Timeline
Oct 7, 2025
CISA adds actively exploited vulnerabilities to advisory lists
In response to ongoing exploitation campaigns in 2025, CISA added affected vulnerabilities to its advisory and known-exploited-vulnerability tracking lists to warn defenders and drive remediation.
Oct 7, 2025
Some 2025 remote-access attacks are attributed to APT41
Reporting on 2025 exploitation of remote access technologies linked some intrusions to the China-nexus threat group APT41, alongside broader opportunistic and targeted activity by cybercriminals and initial access brokers.
Oct 7, 2025
Remote access products face broad exploitation throughout 2025
Across 2025, attackers actively exploited vulnerabilities in remote access and perimeter technologies from vendors including Ivanti, Fortinet, SonicWall, Sophos, Palo Alto Networks, Juniper, Citrix, Cisco, and Check Point for initial access.
Sep 30, 2025
VulnCheck assigns 60 new CVEs during September
VulnCheck reported assigning 60 new CVEs in September 2025 as part of coordinated vulnerability disclosure efforts intended to surface previously untracked risks.
Sep 30, 2025
VulnCheck adds 54 CVEs to its KEV list in September
During September 2025, VulnCheck added 54 newly exploited CVEs to its Known Exploited Vulnerabilities list, noting that many were not yet present on CISA's KEV catalog.
Sep 1, 2025
Mass exploitation targets Oracle E-Business Suite
CVE-2025-61882 in Oracle E-Business Suite was reported as being mass exploited in 2025 as part of the same late-summer to early-fall wave of attacks against major enterprise software.
Sep 1, 2025
Mass exploitation targets Fortra GoAnywhere MFT
CVE-2025-10035 in Fortra GoAnywhere MFT saw mass exploitation in 2025, with reporting linking activity to threat groups including Storm-1175, Graceful Spider, and Cl0p in attacks and extortion campaigns.
Aug 25, 2025
Late-August 2025 zero-days begin hitting major enterprise platforms
Between late August and early October 2025, multiple high-impact zero-day vulnerabilities began to be disclosed and exploited across enterprise products including Citrix NetScaler, Cisco IOS/ASA/FTD, Fortra GoAnywhere MFT, and Oracle E-Business Suite.
Related Stories

Critical Remote Code Execution and Authorization Bypass Vulnerabilities in Cisco ASA and FTD WebVPN
Multiple critical vulnerabilities have been discovered in the Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) WebVPN components, which are being actively exploited in the wild. The vulnerabilities, identified as CVE-2025-20362, CVE-2025-20333, and CVE-2025-20363, allow attackers to bypass authentication and achieve remote code execution (RCE) as root on affected devices. CVE-2025-20362 is an unauthenticated authorization bypass that enables attackers to access restricted endpoints without valid credentials, serving as a key component in exploit chains. When combined with CVE-2025-20333, attackers can send malicious HTTPS requests to execute arbitrary code as root, even without prior authentication. CVE-2025-20363 is a related flaw that also enables unauthenticated RCE on ASA/FTD devices and authenticated RCE on some Cisco IOS components. These vulnerabilities affect Cisco ASA versions 9.16 through 9.23 and Cisco FTD versions 7.0 through 7.7, with specific software images requiring validation against Cisco advisories. Cisco and CISA have confirmed active exploitation and widespread scanning for these vulnerabilities, prompting CISA to issue Emergency Directive 25-03 on September 25, 2025, mandating immediate action by federal agencies. The threat actor responsible for these attacks is attributed to the same group behind the ArcaneDoor (UAT4356) state-sponsored espionage campaign first observed in 2024. Organizations are urged to patch or upgrade to Cisco’s fixed releases without delay, and to restrict or disable vulnerable devices if immediate upgrades are not possible. Compromised devices should be isolated and thoroughly investigated for signs of threat actor presence. Cisco has provided detailed guidance for detection, and CISA’s Malware Next Generation tool can be used to hunt for indicators of compromise. 
Security researchers, including Rapid7, have published technical analyses and exploit chains demonstrating the severity and ease of exploitation. The vulnerabilities are considered highly critical due to their unauthenticated nature and the potential for full device compromise, which could lead to further lateral movement within affected networks. The rapid response from both Cisco and CISA underscores the urgency and scale of the threat. Organizations using Cisco ASA or FTD devices should assume exposure if running affected versions and prioritize remediation. The vulnerabilities highlight the ongoing targeting of network edge devices by sophisticated threat actors, particularly those engaged in espionage. Failure to address these vulnerabilities could result in significant operational disruption and data compromise. The security community continues to monitor for new exploitation techniques and advises ongoing vigilance. The release of proof-of-concept code and active scanning increases the risk of opportunistic attacks by additional threat actors. Timely patching and adherence to Cisco and CISA recommendations are essential to mitigate risk from these critical vulnerabilities.
1 month ago
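The story above gives the affected version trains (ASA 9.16 through 9.23, FTD 7.0 through 7.7) and tells defenders to assume exposure on those versions while validating the exact image against Cisco's advisories. The script below is an added example, not code from Mallory, Cisco or CISA: it matches a constructed device inventory against KEV-style records that carry those trains and emits one triage finding per host and CVE. The field names cveID, vendorProject and product follow CISA's KEV JSON feed; the "affected" field, every hostname and version, and the assumption that ASA images are written like "9.16(4)55" are constructed for the example. It also shows why the comparison must be numeric: plain string comparison places 9.2 inside the 9.16 to 9.23 range and 9.23(1) outside it.

```python
"""
Added example (not from the Mallory page, Cisco or CISA): triage a device
inventory against KEV-style records that carry the affected version trains
quoted in the story (ASA 9.16-9.23, FTD 7.0-7.7).
Field names cveID / vendorProject / product follow CISA's KEV JSON feed;
the "affected" field and every host/version below are constructed.
"""
import re

# Constructed records: the CVE IDs and version trains are the ones the story cites.
CISCO_TRAINS = {"ASA": ("9.16", "9.23"), "FTD": ("7.0", "7.7")}
KEV_RECORDS = [
    {"cveID": "CVE-2025-20362", "vendorProject": "Cisco", "product": "ASA and FTD", "affected": CISCO_TRAINS},
    {"cveID": "CVE-2025-20333", "vendorProject": "Cisco", "product": "ASA and FTD", "affected": CISCO_TRAINS},
    {"cveID": "CVE-2025-20363", "vendorProject": "Cisco", "product": "ASA and FTD", "affected": CISCO_TRAINS},
]

# Constructed inventory; "9.16(4)55" mimics Cisco's ASA image naming (an assumption).
INVENTORY = [
    {"host": "fw-edge-01", "product": "ASA", "version": "9.16(4)55"},  # inside the 9.16-9.23 train
    {"host": "fw-edge-02", "product": "ASA", "version": "9.2(1)"},     # below it; string compare gets this wrong
    {"host": "fw-dc-01",   "product": "FTD", "version": "7.4.2"},      # inside the 7.0-7.7 train
    {"host": "fw-lab-01",  "product": "FTD", "version": "7.8.0"},      # above it
]


def parse_version(text: str) -> tuple[int, ...]:
    """Reduce any dotted/parenthesised version string to a tuple of ints,
    so that 9.2 < 9.16 compares numerically rather than lexically."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def in_train(version: str, low: str, high: str) -> bool:
    """True if `version` lies in the inclusive train [low, high], compared at
    the granularity the bounds are written in (here major.minor)."""
    lo, hi = parse_version(low), parse_version(high)
    depth = max(len(lo), len(hi))
    v = parse_version(version)[:depth]
    v = v + (0,) * (depth - len(v))  # pad short strings, e.g. "9" -> (9, 0)
    return lo <= v <= hi


def naive_in_train(version: str, low: str, high: str) -> bool:
    """The pitfall this example guards against: plain string comparison."""
    return low <= version <= high


def triage(inventory, records) -> list[dict]:
    """One finding per (host, CVE) whose version train is affected. A hit means
    'validate the exact image against the vendor advisory', not 'confirmed
    vulnerable', because fixed images ship inside the same train."""
    findings = []
    for asset in inventory:
        for rec in records:
            bounds = rec["affected"].get(asset["product"])
            if bounds and in_train(asset["version"], *bounds):
                findings.append({
                    "host": asset["host"],
                    "cveID": rec["cveID"],
                    "version": asset["version"],
                    "action": "validate image against vendor advisory; patch or isolate",
                })
    return findings


def exposed_hosts(inventory=INVENTORY, records=KEV_RECORDS) -> list[str]:
    """Sorted, de-duplicated list of hosts with at least one finding."""
    return sorted({f["host"] for f in triage(inventory, records)})


if __name__ == "__main__":
    for f in triage(INVENTORY, KEV_RECORDS):
        print(f"{f['host']:<12} {f['version']:<10} {f['cveID']}  {f['action']}")
```

Running it lists fw-edge-01 and fw-dc-01 three times each (one line per CVE) and nothing for the two hosts outside the trains. Replace the constructed records with the real KEV feed and the inventory with a CMDB export, keeping the train bounds from the vendor advisory, and the same matching logic produces a patch-priority list rather than a claim of confirmed compromise.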
Coordinated Attacks and Zero-Day Exploitation Targeting Cisco, Palo Alto, and Fortinet Network Devices
A coordinated cyberattack campaign has been identified targeting major networking devices from Cisco, Palo Alto Networks, and Fortinet, with evidence suggesting a single threat actor is orchestrating the activity. Security researchers at GreyNoise observed simultaneous scanning of Cisco ASA devices, increased login attempts against Palo Alto Networks portals, and brute-force attacks on Fortinet SSL VPNs, all originating from shared subnets and exhibiting recurring TCP fingerprints. This temporal and infrastructural correlation points to a sophisticated, cross-vendor campaign rather than opportunistic attacks. Experts note that adversaries are leveraging generative AI to automate these attacks, adopting tactics typically associated with nation-state actors. The campaign is notable for its focus on high-value targets such as networking devices and VPNs, which serve as critical gateways into enterprise networks and often possess privileged access that can bypass internal security controls. Industries such as manufacturing, industrials, and utilities are particularly at risk due to the potential for operational disruption and rapid financial gain for attackers. Concurrently, Cisco disclosed two zero-day vulnerabilities in its ASA and Secure Firewall Threat Defense software, identified as CVE-2025-20333 and CVE-2025-20362, which are being actively exploited in the wild. CVE-2025-20333 allows authenticated remote code execution due to improper input validation in the VPN web server, potentially granting attackers root-level access. CVE-2025-20362 is an authentication bypass flaw that enables remote attackers to access restricted endpoints without credentials. The combination of these vulnerabilities poses a severe risk, as attackers can gain full control of affected devices. Cisco’s Product Security Incident Response Team (PSIRT) has confirmed ongoing exploitation and is collaborating with government agencies to coordinate a response. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive, urging all federal agencies to immediately mitigate exposure and assess for compromise. Over 90,000 Cisco FTD devices are reportedly exposed, highlighting the scale of the threat. Attackers are conducting large-scale scanning campaigns to identify vulnerable ASA login portals and entry points. Security experts emphasize the urgent need for organizations to inventory their Cisco ASA and FTD devices, apply available patches, and implement recommended mitigations. The campaign’s use of shared infrastructure and advanced automation underscores a shift in attacker methodology toward more efficient and targeted operations. The strategic targeting of network infrastructure devices reflects their critical role in enterprise security and the high impact of successful compromise. Organizations are advised to monitor for signs of compromise, follow vendor and government guidance, and prioritize remediation of affected systems. The ongoing nature of the attacks and the active exploitation of zero-day vulnerabilities make this a critical threat to enterprise and government networks worldwide.
1 month ago
Critical Zero-Day Exploitation of Cisco Security Appliances
Multiple critical zero-day vulnerabilities have been exploited in Cisco security products, targeting both email security appliances and network firewalls. A China-linked APT, identified as UAT-9686, exploited a zero-day vulnerability (CVE-2025-20393) in Cisco email security appliances running AsyncOS, specifically when the Spam Quarantine feature is internet-accessible. This flaw allows attackers to gain root privileges, posing a severe risk to organizations relying on these appliances for email protection. In parallel, Cisco Secure Firewall Adaptive Security Appliance (ASA) and Threat Defense (FTD) software have been targeted by a separate espionage campaign, linked to the ArcaneDoor threat actor, exploiting multiple zero-days (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363) to achieve unauthenticated remote code execution and persistent access, even after system reboots or upgrades. These campaigns have prompted emergency directives from CISA and highlight the ongoing threat to perimeter network devices. Attackers have leveraged these vulnerabilities to establish persistent footholds, manipulate device memory, and potentially pivot deeper into victim networks. The vulnerabilities affecting ASA and FTD firewalls were publicly disclosed and patched, but the email security appliance zero-day remains unpatched, increasing the urgency for organizations to review their exposure and apply mitigations where possible.
1 month ago