PH on High Alert: Critical Cisco Zero-Day Exploited by State-Sponsored Group
- Miguel

- Sep 30

On Thursday, September 25, cybersecurity defenders worldwide went on high alert after the public disclosure of a high-profile, actively exploited zero-day attack on critical network devices: Cisco Adaptive Security Appliances (ASA) and Firepower Threat Defense (FTD). This new class of advanced threat, which enables deep and persistent compromise, prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an Emergency Directive as an urgent warning to organizations across the globe, including the Philippines.
Security researchers and Cisco itself confirmed that a highly sophisticated, state-sponsored advanced persistent threat (APT) group tracked as UAT4356, associated with the notorious ArcaneDoor campaign, was actively exploiting two critical vulnerabilities: CVE-2025-20333 and CVE-2025-20362. Chained together, these zero-days yield unauthenticated remote code execution, giving attackers complete control over the firewall appliance. Most importantly, the threat actors demonstrated that they could alter the device's read-only memory (ROM), a technique so advanced that the malicious implant survives system reboots as well as software upgrades.
The scale of the threat, and above all its persistence, has pushed network defenders into crisis response mode. Palo Alto Networks Unit 42 analyzed the attacks and highlighted the severity of the situation. According to them, the adversary's ability to alter ROM and thereby survive the software updates shipped by the vendor shows that these threat actors are several steps ahead. With exposed devices spread around the world, every organization should make a forensic sweep a priority to determine whether it is affected.
Because the threat calls for urgent and mandatory action by international agencies, the Philippine Department of Information and Communications Technology (DICT) and the Cybercrime Investigation and Coordinating Center (CICC) are enjoining all domestic enterprises, particularly the banking, government, and telecommunications sectors, to audit their Cisco infrastructure immediately. The CISA directive, which should be treated as a pressing international standard, demands that all concerned parties:
- Carry out a forensic investigation by gathering memory information (core files) and examining it for indicators of compromise.
- Install security patches on devices as they become available.
- Permanently disconnect all end-of-support (EoS) devices; they lack the secure boot protections required to mitigate the ROM-level attack.
Local CISOs should collaborate with partners such as the Philippine National Police Anti-Cybercrime Group (PNP-ACG) in meeting these stringent requirements, because the targeted devices are the network gateways to the country's most sensitive digital assets.