Cisco Critical Zero-Day Vulnerabilities (Sept 2025): SNMP Exploitation and Perimeter Firewall Zero-Days

1. Executive Summary

In late September 2025, Cisco disclosed multiple high-risk vulnerabilities affecting core networking and perimeter security products, with confirmed in-the-wild exploitation reported for several issues. Of particular concern, CVE-2025-20352 is a flaw in the SNMP subsystem of Cisco IOS / IOS XE that Cisco and multiple national CERTs assessed as actively exploited prior to public disclosure. (Cisco)
Separately, Cisco also issued urgent guidance on a campaign targeting Cisco Secure Firewall ASA / FTD devices, where CVE-2025-20333 and CVE-2025-20362 were reported as exploited as zero-days in the wild, alongside a third related vulnerability (CVE-2025-20363). (Tenable®)
CISA publicly stated it added CVE-2025-20352 to the Known Exploited Vulnerabilities (KEV) catalogue, reinforcing the urgency for patching and exposure reduction. (CISA)

2. Contextual Background

2.1 Nature of the threat

CVE-2025-20352 (Cisco IOS / IOS XE SNMP)

Cisco Secure Firewall ASA / FTD VPN web server zero-days (Sept 25, 2025 disclosure)

2.2 Threat-actor attribution (if any)

For CVE-2025-20352 (SNMP): Public reporting strongly indicates active exploitation, but attribution is not consistently established across vendor/national CERT advisories. Trend Micro documented an intrusion operation exploiting CVE-2025-20352 to deploy rootkits on network devices, with Cisco Talos contributing to the analysis. (www.trendmicro.com)
Confidence: Possible (insufficient public evidence to name a specific actor with high confidence).

For ASA/FTD zero-days: Zscaler ThreatLabz reports a “state-sponsored” campaign exploiting the ASA/FTD issues and attributes activity to UAT4356 / Storm-1849 (their reporting and nomenclature), linking it to prior ArcaneDoor-style tradecraft. (Zscaler)
Confidence: Likely (single-source attribution in public reporting; corroboration exists for exploitation and victimology, but actor naming varies by vendor).

2.3 Sector and geographic targeting

These vulnerabilities affect foundational network infrastructure: edge firewalls, VPN concentrators, and campus/core switching. National cyber advisories (e.g., NHS England’s National CSOC) explicitly warned that further exploitation is highly likely for the SNMP issue, reflecting broad cross-sector risk where IOS/IOS XE is deployed. (NHS England Digital)
For ASA/FTD, reporting highlights large exposed populations of internet-reachable devices and government interest (CISA emergency guidance is referenced in multiple CTI write-ups), suggesting targeting of public sector and other perimeter-heavy environments. (Zscaler)

3. Technical Analysis

3.1 Detailed description of vulnerabilities and observed TTPs

CVE-2025-20352 – IOS/IOS XE SNMP exploitation

  • Access vector: crafted SNMP traffic against IOS/IOS XE devices where SNMP is enabled and reachable. CERT-EU notes exploitation by crafted SNMP packets. (cert.europa.eu)
  • Post-exploitation tradecraft (Trend Micro “Operation Zero Disco”): attackers exploited CVE-2025-20352 to achieve remote code execution and deploy rootkits on Cisco switches (including Catalyst 9400/9300 and legacy 3750G), establishing persistence and manipulating device telemetry/logging. (www.trendmicro.com)

Mapped MITRE ATT&CK techniques (observed behaviours described in public reporting):

  • Initial access via public-facing service exploitation: T1190 (cert.europa.eu)
  • Command execution on network device (via exploit-delivered commands and tooling): T1059 (www.trendmicro.com)
  • Defence evasion via log manipulation (Trend Micro describes the controller toggling/deleting log records): T1070 (www.trendmicro.com)
  • Credential/access control abuse (Trend Micro describes setting a universal password / bypassing AAA and VTY ACLs): T1556 (www.trendmicro.com)
  • Persistence via low-level hooks/rootkit on device processes (fileless hooks in IOSd memory space): T1542 (www.trendmicro.com)

Note: ATT&CK mappings above are based on Trend Micro’s described behaviours rather than vendor-published ATT&CK tags.

ASA/FTD VPN web server zero-days (CVE-2025-20333 / CVE-2025-20362 / CVE-2025-20363)
Public technical summaries indicate exploitation over HTTP(S) against VPN web services, including issues such as session verification bypass/path normalisation and memory corruption in web handlers (per CTI reporting). (Zscaler)
Cisco’s “continued attacks” resource states evidence indicates CVE-2025-20333 and CVE-2025-20362 were used in the campaign and discusses persistence mechanisms. (Cisco)

Mapped MITRE ATT&CK techniques (high-confidence, campaign-level):

  • Initial access via internet-facing application/service exploitation: T1190 (Zscaler)
  • External remote services / web management interface targeting: T1133 (Zscaler)

3.2 Exploitation status (in the wild, PoC availability)

  • CVE-2025-20352: Cisco-aligned national advisories and CERT-EU reporting treat exploitation as active; Trend Micro provided campaign telemetry and tooling artefacts; multiple outlets reported “exploited in zero-day attacks” and Cisco “reported exploitation in the wild”. (NHS England Digital)
  • CVE-2025-20333 / CVE-2025-20362: disclosed as exploited in the wild in multiple CTI summaries, including Zscaler and Tenable. (Tenable®)
  • CISA KEV: CISA stated it added CVE-2025-20352 to KEV (public alert page). (CISA)
  • Public PoC: Trend Micro indicates recovered exploit components in the course of incident analysis, but public, general-purpose PoC availability is not consistently confirmed in authoritative sources; treat PoC availability as unconfirmed unless a reputable publisher links a specific repository with context. (www.trendmicro.com)

4. Impact Assessment

4.1 Severity and scope

  • CVE-2025-20352 (IOS/IOS XE): CERT-EU reports CVSS 7.7; impact depends on privilege/conditions but includes serious outcomes for network integrity where exploitation is successful. (cert.europa.eu)
  • ASA/FTD: Tenable summarises CVE-2025-20333 as 9.9 (critical) and highlights exploitation in the wild for two of the three disclosed issues. (Tenable®)

Operationally, successful exploitation of switching/routing platforms or edge firewalls can enable:

  • network traffic interception/manipulation, credential theft, segmentation bypass, and long-lived footholds in “trusted” infrastructure layers (as described in the rootkit/persistence reporting for CVE-2025-20352). (www.trendmicro.com)

4.2 Victim profile

  • CVE-2025-20352: Trend Micro observed impact on Cisco 9400/9300 and legacy 3750G series devices, implying both modern enterprise switching and older unprotected systems are at risk. (www.trendmicro.com)
  • ASA/FTD: reporting emphasises older ASA models and internet-reachable VPN web services as common exposure points; NHS England CSOC also issued a dedicated alert for the ASA/FTD campaign. (Zscaler)

5. Indicators of Compromise (IOCs)

5.1 IOC table (publicly released)

The following IOCs are from Trend Micro’s “Operation Zero Disco” IOC release associated with exploitation of CVE-2025-20352. (documents.trendmicro.com)

Type | Value | Context / Notes | Source
SHA-256 | 2abc874435c16aa5cfd431b0d9c26095ef4b9429bd82306f054c367e96df49b2 | UDPcontrol.tar (controller/tooling) | Trend Micro IOC list (documents.trendmicro.com)
SHA-256 | 69d761bdde73ea8e33384cf986d7e9c2d9011f7aad8933e8af64e60a77091e11 | a2p (ARP spoofing tool) | Trend Micro IOC list (documents.trendmicro.com)
SHA-256 | b08877f6f1c6c097240a6a8aa4a23243e3b14a1432170bc3fa5fa9886a2b19b4 | C93K_Toolkit_GD_V1.tar | Trend Micro IOC list (documents.trendmicro.com)
SHA-256 | 9b8a896aa2057f46e17b18bbe091d85fb816b1d3232a3178d6aba94df3a92f6a | TracelogRStop_RV2_1.tar (log/telemetry interference tooling) | Trend Micro IOC list (documents.trendmicro.com)
SHA-256 | 81b35152768f28a479ba9f7e27d66042b0d7edcd79355481aa401f3f47a7733b | TracelogRStop_RV2_2.tar | Trend Micro IOC list (documents.trendmicro.com)
SHA-256 | 3a524bc40ca7c11b68283504f0119caeefd7589edea621d43d5d0cd973354675 | transport_force_all_1.tar | Trend Micro IOC list (documents.trendmicro.com)
SHA-256 | e303d0c6c59b4dc55edc0212a9319702e9db7fa03185ae9177777b874c02d4c1 | transport_force_all_2.tar | Trend Micro IOC list (documents.trendmicro.com)
SHA-256 | 7cc7aed51adb426e55d82fd74c55b78f6ecbb895a315be721ef149a17f4b3a9b | tsfz-trans.zip | Trend Micro IOC list (documents.trendmicro.com)
SHA-256 | 235dc2d8c92661e5e2797a03bccd2653272ca1ac93401d194d7784930ca17a5a | tnsz.zip | Trend Micro IOC list (documents.trendmicro.com)

ASA/FTD campaign IOCs: In the sources reviewed here, Cisco/Zscaler/NHS guidance focuses heavily on vulnerability management and forensic validation; specific file/hash/network IOCs are not consistently published in the openly accessible summaries. Where available, follow Cisco’s incident response guidance and any government hunting instructions referenced in CISA-aligned advisories. (Cisco)

5.2 Detection guidance (practical)

Network and device telemetry

  • Alert on unexpected SNMP traffic patterns to infrastructure devices (spikes, new sources, anomalous OIDs), and restrict SNMP reachability to dedicated management networks where feasible. CERT-EU and NHS guidance emphasise crafted SNMP exploitation risk. (cert.europa.eu)
  • For ASA/FTD, prioritise monitoring of HTTP(S) requests to VPN web endpoints, especially anomalous URL normalisation/path patterns and unauthorised access attempts, and review Cisco’s “continued attacks” guidance for persistence/forensic artefacts. (Cisco)
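One way to operationalise the first bullet (alerting on SNMP traffic to infrastructure devices from new or non-management sources, and on volume spikes), as an added Python example that is not from the original report or any cited vendor; the management network, sanctioned poller, device addresses, rate threshold and flow records are all constructed assumptions:

```python
"""Triage SNMP flows to infrastructure devices for the anomalies listed above.
All addresses, the baseline and the flow records are constructed assumptions."""
from collections import Counter
from ipaddress import ip_address, ip_network

MGMT_NETS = [ip_network("10.10.0.0/24")]   # assumed dedicated management network
KNOWN_POLLERS = {"10.10.0.5"}               # assumed baseline of sanctioned NMS hosts
INFRA_DEVICES = {"10.1.1.1", "10.1.1.2"}    # assumed IOS/IOS XE management addresses
RATE_THRESHOLD = 50                         # packets per (source, device) in the window

# Constructed NetFlow/IPFIX-style records: (src, dst, dst_port, proto, packets)
SAMPLE_FLOWS = [
    ("10.10.0.5", "10.1.1.1", 161, "udp", 12),      # sanctioned poller, normal volume
    ("10.10.0.5", "10.1.1.2", 161, "udp", 9),
    ("10.10.0.77", "10.1.1.1", 161, "udp", 3),      # never-seen source inside mgmt net
    ("203.0.113.9", "10.1.1.2", 161, "udp", 4),     # source outside the management network
    ("192.168.5.20", "10.1.1.1", 161, "udp", 400),  # non-mgmt host hammering SNMP
    ("10.10.0.5", "10.1.1.1", 22, "tcp", 30),       # SSH, not SNMP: ignored
]

def in_mgmt_net(ip):
    addr = ip_address(ip)
    return any(addr in net for net in MGMT_NETS)

def triage_snmp_flows(flows):
    """Return (severity, src, dst, reason) findings for SNMP (UDP/161) flows to infra devices."""
    findings = []
    volume = Counter()
    for src, dst, dport, proto, packets in flows:
        if proto != "udp" or dport != 161 or dst not in INFRA_DEVICES:
            continue
        volume[(src, dst)] += packets
        if not in_mgmt_net(src):
            findings.append(("high", src, dst, "SNMP from outside the management network"))
        elif src not in KNOWN_POLLERS:
            findings.append(("medium", src, dst, "SNMP from a new source inside the management network"))
    # Volume is aggregated per (source, device) so a spike is reported once, not per flow record.
    for (src, dst), n in volume.items():
        if n >= RATE_THRESHOLD:
            findings.append(("high", src, dst, f"SNMP volume spike: {n} packets in window"))
    return findings

if __name__ == "__main__":
    for sev, src, dst, reason in triage_snmp_flows(SAMPLE_FLOWS):
        print(f"[{sev.upper()}] {src} -> {dst}: {reason}")
```

In production the baseline set and thresholds would be fed from the NMS inventory and historical flow data rather than hard-coded.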

Hunting with published artefacts

  • Match the SHA-256 values above across file stores, malware repositories, and any captured artefacts from network device file systems or crash dumps (where applicable). (documents.trendmicro.com)

6. Incident Response Guidance

6.1 Containment, eradication, recovery

Immediate containment (both tracks)

  1. Identify exposure: inventory IOS/IOS XE devices with SNMP enabled and reachable; inventory ASA/FTD with VPN web services exposed. (cert.europa.eu)
  2. Reduce attack surface now (while patching is scheduled):
    • Restrict SNMP to management ACLs/VLANs; remove internet reachability; rotate SNMP credentials/community strings where appropriate. (cert.europa.eu)
    • Restrict/disable unnecessary VPN web components on ASA/FTD and limit management exposure to trusted admin networks. (Cisco)
  3. Patch/upgrade to fixed releases per Cisco advisories as the primary remediation step. (Cisco)

Eradication & recovery

  • For suspected device compromise (rootkit/persistence scenarios), plan for device rebuild/clean re-provisioning rather than “in-place cleaning”, since infrastructure implants can survive typical remediation workflows (Trend Micro describes fileless hooks and controller capabilities that tamper with logs/config visibility). (www.trendmicro.com)
  • Rotate credentials and secrets that may have transited affected devices (admin credentials, SNMPv3 auth/priv keys, VPN credentials, certificates) and re-establish trust for management planes.

6.2 Forensic artefacts to collect

  • Configuration snapshots (running/startup), SNMP configuration state, AAA config, local user database diffs.
  • Device logs plus external log sources (NetFlow/IPFIX, SIEM copies) because on-device logs may be altered (Trend Micro describes log deletion/toggling). (www.trendmicro.com)
  • Crash dumps / core dumps where supported (commonly referenced in firewall incident workflows). (Zscaler)

6.3 Lessons learned / prevention

  • Treat network infrastructure as a Tier-0 asset: isolate management planes, enforce strong credential hygiene, and prioritise patch SLAs for edge/perimeter and core routing/switching.

7. Threat Intelligence Contextualisation

7.1 Similar past incidents

Trend Micro notes attempted exploitation of a modified Telnet vulnerability “based on” CVE-2017-3881 alongside the SNMP exploitation chain, indicating actor interest in chaining old and new device-level primitives for reliability and flexibility. (www.trendmicro.com)
For ASA/FTD, Zscaler links the 2025 activity to ArcaneDoor-style methodology observed previously (as characterised in their reporting). (Zscaler)

7.2 Full ATT&CK mapping (observed lifecycle, summarised)

Tactic | Technique ID | Technique Name | Observed behaviour (public reporting)
Initial Access | T1190 | Exploit Public-Facing Application | Crafted SNMP packets (IOS/IOS XE) and HTTP(S) exploitation of VPN web services (ASA/FTD). (cert.europa.eu)
Execution | T1059 | Command and Scripting Interpreter | Exploit traffic includes command execution and tooling deployment in Trend Micro’s rootkit case study. (www.trendmicro.com)
Persistence | T1542 | Pre-OS Boot / Firmware (or related low-level persistence) | Rootkit/hooks into IOSd memory space and persistence behaviours described by Trend Micro. (www.trendmicro.com)
Defence Evasion | T1070 | Indicator Removal on Host | Controller capability to toggle/delete log records and reduce forensic visibility. (www.trendmicro.com)
Credential Access / Privilege | T1556 | Modify Authentication Process | Universal password/AAA bypass behaviours described by Trend Micro. (www.trendmicro.com)
Initial Access / Remote Services | T1133 | External Remote Services | ASA/FTD VPN web services targeted over HTTP(S). (Cisco)

8. Mitigation Recommendations

8.1 Actionable hardening steps

  • Management plane isolation: enforce ACLs so SNMP/SSH/HTTPS management interfaces are reachable only from hardened management networks (no internet exposure). (cert.europa.eu)
  • Disable or minimise SNMP where not required; prefer SNMPv3 with strong auth/priv where operationally feasible; rotate credentials. (General best practice; exploitation risk is specifically tied to SNMP reachability and configuration.) (cert.europa.eu)
  • Perimeter VPN hygiene (ASA/FTD): reduce or disable clientless/WebVPN surfaces if not required; limit exposure with WAF/reverse proxy patterns where supported; implement aggressive rate-limiting and geo/IP allow-listing for administrative portals.
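An added Python example (not from this report or from Cisco) that audits a saved running-config snapshot for the SNMP weaknesses named in containment step 2 (section 6.1) and in the first two hardening bullets above: default community strings, read-write access, communities and v3 groups not bound to an access-list, and v1/v2c trap hosts. The hostname, addresses, ACL and group names, secret placeholders and both config snapshots are constructed; the snmp-server command forms used are standard IOS syntax.

```python
"""Audit an IOS / IOS XE running-config snapshot for weak SNMP settings.
Both snapshots, the hostname, addresses and ACL/group names are constructed."""

# Constructed 'before' snapshot: v1/v2c community strings, default names, no ACL.
WEAK_CONFIG = """\
hostname core-sw-01
snmp-server community public RO
snmp-server community private RW
snmp-server host 203.0.113.50 version 2c public
"""

# Constructed 'after' snapshot: SNMPv3 authPriv only, bound to a management ACL
# (<auth-secret>/<priv-secret> are placeholders, not real values).
HARDENED_CONFIG = """\
hostname core-sw-01
ip access-list standard SNMP-MGMT
 permit 10.10.0.0 0.0.0.255
 deny any log
snmp-server group NMS-GRP v3 priv access SNMP-MGMT
snmp-server user nms-poller NMS-GRP v3 auth sha <auth-secret> priv aes 128 <priv-secret>
snmp-server host 10.10.0.5 version 3 priv nms-poller
"""

GUESSABLE = {"public", "private", "cisco"}  # assumed list of default/guessable names

def audit_snmp(config):
    """Return a list of finding strings; an empty list means no SNMP weakness detected."""
    findings = []
    for raw in config.splitlines():
        tokens = raw.split()
        if raw.startswith("snmp-server community "):
            name, rest = tokens[2], tokens[3:]
            if name.lower() in GUESSABLE:
                findings.append(f"guessable community string '{name}'")
            if any(t.upper() == "RW" for t in rest):
                findings.append(f"read-write community '{name}' enabled")
            # The community line ends in RO/RW unless an access-list name/number follows.
            if not rest or rest[-1].upper() in ("RO", "RW"):
                findings.append(f"community '{name}' not restricted by an access-list")
        elif raw.startswith("snmp-server host ") and "version 3" not in raw:
            findings.append(f"trap/inform host {tokens[2]} uses SNMPv1/v2c (plaintext community)")
        elif raw.startswith("snmp-server group ") and "v3" in tokens:
            if "priv" not in tokens:
                findings.append(f"v3 group '{tokens[2]}' lacks priv (no encryption)")
            if "access" not in tokens:
                findings.append(f"v3 group '{tokens[2]}' not restricted by an access-list")
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_snmp(cfg) or ['no SNMP findings']}")
```

Run it against the configuration snapshots collected under section 6.2 to confirm that remediation actually removed v1/v2c exposure rather than only patching the software.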

8.2 Patch management advice

  • Priority 0: Patch CVE-2025-20352 (IOS/IOS XE SNMP) immediately due to active exploitation and KEV listing. (CISA)
  • Priority 0: Patch CVE-2025-20333 and CVE-2025-20362 (ASA/FTD) immediately where VPN web services are exposed; treat internet-facing appliances as emergency change candidates. (Tenable®)
  • Follow Cisco fixed-release guidance in the relevant advisories. (Cisco)

9. Historical Context & Related Vulnerabilities

9.1 Previously exploited vulnerabilities in related product families

Trend Micro references attacker attempts leveraging a modified variant of CVE-2017-3881-style Telnet exploitation techniques during the SNMP campaign, underscoring that legacy device issues remain relevant in modern intrusion chains. (www.trendmicro.com)

9.2 Prior coverage / related reporting

  • National CSOC alerting on active exploitation (UK healthcare sector context): NHS England cyber alert on CVE-2025-20352. (NHS England Digital)
  • CERT-EU advisory for technical details and severity framing. (cert.europa.eu)

10. Future Outlook

10.1 Emerging trends

The public reporting around both the SNMP exploitation and ASA/FTD campaigns reinforces a consistent trend: perimeter and network infrastructure exploitation remains a high-ROI path for sophisticated actors, particularly where older hardware lacks modern boot-time trust protections and where management services are exposed.

10.2 Likely evolution

Expect:

  • broader scanning and opportunistic follow-on exploitation (especially after KEV inclusion); (CISA)
  • increased use of stealth/persistence mechanisms on network devices (Trend Micro’s rootkit/controller behaviours are a strong signal); (www.trendmicro.com)
  • actor focus on credential capture and management-plane control rather than noisy ransomware-style outcomes (though the latter remains plausible as secondary monetisation).

11. Further Reading

Vendor advisories

Government / national CERT

CTI / research