According to TheRegister.com, Cisco warned customers on November 5, 2025 about a new attack variant targeting devices running Cisco Secure ASA Software or Cisco Secure FTD Software affected by CVE-2025-20333 and CVE-2025-20362. These attacks cause unpatched firewalls to continually reload, leading to denial-of-service conditions, and represent the latest in attacks that have been ongoing since May 2025. The company also patched two critical bugs in its Unified Contact Center Express software tracked as CVE-2025-20354 and CVE-2025-20358, which allow remote attackers to upload arbitrary files and execute commands with root privileges. While these contact center vulnerabilities aren’t currently under active exploitation, they carry CVSS scores of 9.8 and 9.4 respectively. Cisco has linked the firewall attacks to the same government-backed threat crew behind the ArcaneDoor attacks from April 2024, which it calls UAT4356.
The ongoing firewall battle
Here’s the thing about these firewall attacks – they’re not exactly new, but they keep evolving. Cisco originally patched these vulnerabilities back in September, but attackers have developed what Cisco calls a “new variant” that’s still causing problems. The attacks have been going on for at least six months, which tells you this isn’t some random script kiddie operation. We’re talking about sophisticated actors who’ve been disabling logging, intercepting CLI commands, and even crashing devices to prevent analysis. In some cases, they modified Cisco’s bootstrap program to maintain persistence through reboots and software upgrades. That’s some serious dedication to staying inside these networks.
Government involvement and attribution
What’s really interesting is how much government attention this has gotten. Since May, Cisco has been working with “multiple government agencies” including the UK’s NCSC and US CISA. We know at least one US government agency was compromised. But despite all this evidence and government cooperation, Cisco still refuses to attribute these attacks to a specific country. They’ll only say it’s “government-backed” and call the group UAT4356. I mean, come on – we can probably guess which nations have both the capability and motivation to pull off sustained attacks like this against government and telecom networks. The fact that Cisco maintains this diplomatic silence while their own specialized team works full-time on the investigation speaks volumes.
Critical contact center bugs
Meanwhile, let’s not ignore those two critical vulnerabilities in Cisco’s Unified CCX contact center software. A 9.8 CVSS score is about as bad as it gets, and these flaws allow unauthenticated attackers to upload arbitrary files and execute commands with root privileges. Basically, if you’re running this contact center software and haven’t patched, someone could completely take over your system remotely. The fact that these affect the system “regardless of device configuration” means there’s no workaround – you either patch to 12.5 SU3 ES07 or 15.0 ES01, or you’re vulnerable.
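Since the only remediation the article gives for the Unified CCX bugs is “be on 12.5 SU3 ES07 or 15.0 ES01”, the practical defender task is to triage an inventory of UCCX hosts against those two fixed releases. The script below is an added example written for this page, not code from Cisco or from the article. It takes the fixed release levels from the article and assumes two things that the article does not state: that a UCCX version string has the shape `<major>.<minor>[(<build>)] [SU<n>] [ES<n>]`, and that SU and ES numbers increase monotonically so a later ES on the same train carries the fix. Anything on a train the article does not name (11.x, 14.x) is flagged for manual review rather than guessed at. The host names and versions in the inventory are constructed sample data.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed releases named in the article, encoded as (major, minor, SU, ES).
# ASSUMPTION: SU/ES numbers order monotonically within a train, so any
# version at or above the fixed tuple on the same train carries the fix.
FIXED_UCCX: Dict[Tuple[int, int], Tuple[int, int, int, int]] = {
    (12, 5): (12, 5, 3, 7),   # 12.5 SU3 ES07
    (15, 0): (15, 0, 0, 1),   # 15.0 ES01
}

# ASSUMPTION: version strings look like "12.5 SU3 ES07", "15.0 ES01",
# or "15.0(1) ES02"; the parenthesised build number is ignored.
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\(\d+\))?(?:\s*SU(\d+))?(?:\s*ES(\d+))?\s*$",
    re.IGNORECASE,
)


def parse_uccx_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, su, es) or None if the string is not a version."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, su, es = m.groups()
    # A missing SU or ES counts as 0, i.e. the base release of that train.
    return (int(major), int(minor), int(su or 0), int(es or 0))


def classify(text: str) -> str:
    """Classify one host's version against the fixed releases.

    Returns one of: "fixed", "vulnerable", "unknown-train", "unparseable".
    """
    parsed = parse_uccx_version(text)
    if parsed is None:
        return "unparseable"
    fixed = FIXED_UCCX.get(parsed[:2])
    if fixed is None:
        # A train the article gives no fixed release for: review by hand
        # against the vendor advisory instead of guessing.
        return "unknown-train"
    # Tuple comparison gives lexicographic order on (major, minor, su, es).
    return "fixed" if parsed >= fixed else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map every host in the inventory to its classification."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = {
    "uccx-east-01": "12.5 SU3 ES07",   # exactly the fixed release
    "uccx-east-02": "12.5 SU3 ES05",   # same SU, older ES
    "uccx-west-01": "15.0 ES01",       # exactly the fixed release
    "uccx-west-02": "15.0",            # base 15.0 without ES01
    "uccx-lab-01": "12.5 SU2 ES12",    # older SU, high ES number
    "uccx-legacy": "11.6 SU3",         # train not covered by the article
    "uccx-bad": "n/a",                 # junk inventory value
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:14} {SAMPLE_INVENTORY[host]:16} {status}")
```

The point of the four-way result is that “unknown-train” and “unparseable” never silently become “fixed”: an inventory with a missing or odd version string is a follow-up item, not a green light.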
The patch-now reality
So what’s the takeaway here? Patch your Cisco equipment. Like, yesterday. The firewall issues have been actively exploited for months, and while the contact center bugs aren’t being attacked yet, you can bet threat actors are reading these advisories too. Cisco has dedicated a full-time team to this investigation and they’re working closely with affected customers, but that doesn’t help organizations that haven’t applied the September patches. The reality is that government-backed attackers are patient, well-resourced, and they’ll keep coming back with new variants until everyone’s protected. Don’t make your network the low-hanging fruit.
