Key Takeaways

  • The Attacker: Storm-1849 (China-linked).
  • The Vulnerabilities: Cisco ASA firewalls via CVE-2025-20333 (RCE) and CVE-2025-20362 (Auth Bypass).
  • The Impact: Attackers implant persistent malware/bootkits that survive reboots.
  • The Fix: Immediate patching and deep forensic analysis are required. 

A China-linked hacking group, known as Storm-1849, has been actively compromising firewall appliances from Cisco worldwide, focusing on devices from the Cisco Adaptive Security Appliance (ASA) line.

Which vulnerabilities are being exploited?

The group exploits critical zero-day vulnerabilities, specifically CVE-2025-20333 and CVE-2025-20362, to gain control over these firewalls.

  • CVE-2025-20333: Enables remote code execution (RCE).
  • CVE-2025-20362: Allows authentication bypass.

When used together, they allow attackers to breach firewall defences, execute malicious code, and implant persistent malware on the device.

Who is being targeted?

The campaign has targeted a wide range of organisations, including US federal agencies, state and local government offices, financial institutions, defence contractors, and other critical-infrastructure bodies across many countries, not only in the United States but also in Europe, Asia, Africa and beyond. The attacks continued even after security agencies issued warnings and patches, which suggests that many organisations still run unpatched firewall appliances.

What does the malware do?

Once attackers gain control, they may deploy advanced malware, including bootkits and stealthy loaders, that survives device reboots and firmware updates. They also disable logging, intercept administrative commands, and may manipulate system firmware or configuration to maintain control undetected. This gives attackers long-term, hidden access to network perimeter devices, effectively turning the firewall into a backdoor into internal networks.

How should organisations respond?

Security experts warn that patching alone may not be sufficient if a device was already compromised. They recommend:

  1. Resetting device configurations to factory defaults.
  2. Rotating all credentials and keys.
  3. Thoroughly reviewing all logs and network traffic.
  4. Conducting forensic analysis to detect possible compromise.
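
As an added example (not code from the original post), the script below implements a small part of step 3 against a constructed Cisco ASA syslog export: because the malware described above disables logging, it flags unexplained silent periods and any 'logging' configuration commands recorded in %ASA-5-111008 command-audit messages. The sample lines, hostname and 30-minute threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample ASA syslog export (hostname fw01 and all addresses are made up).
SAMPLE_LOG = """\
Jan 12 2026 10:00:05 fw01 : %ASA-6-302013: Built inbound TCP connection 100 for outside:203.0.113.10/51234 (203.0.113.10/51234) to inside:10.0.0.5/443 (10.0.0.5/443)
Jan 12 2026 10:00:30 fw01 : %ASA-6-302014: Teardown TCP connection 100 for outside:203.0.113.10/51234 to inside:10.0.0.5/443 duration 0:00:25 bytes 1420 TCP FINs
Jan 12 2026 10:01:10 fw01 : %ASA-5-111008: User 'admin' executed the 'no logging enable' command.
Jan 12 2026 13:15:42 fw01 : %ASA-5-111008: User 'admin' executed the 'logging enable' command.
Jan 12 2026 13:16:00 fw01 : %ASA-6-302013: Built inbound TCP connection 101 for outside:198.51.100.7/40000 (198.51.100.7/40000) to inside:10.0.0.5/443 (10.0.0.5/443)
"""

# "<timestamp> <host> : %ASA-<severity>-<id>: <message>" with timestamps enabled on the device.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ : %ASA-\d-(?P<id>\d{6}): (?P<msg>.*)$"
)
# Any command starting with "logging" or "no logging" inside a 111008 audit message.
LOGGING_CMD_RE = re.compile(r"executed the '(?P<cmd>(?:no )?logging[^']*)' command")


def parse(text):
    """Return a list of (timestamp, message_id, message) tuples, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        events.append((ts, m["id"], m["msg"]))
    return events


def find_silent_gaps(events, max_gap=timedelta(minutes=30)):
    """Return (start, end, duration) for every interval between consecutive events longer than max_gap."""
    gaps = []
    for prev, cur in zip(events, events[1:]):
        delta = cur[0] - prev[0]
        if delta > max_gap:
            gaps.append((prev[0], cur[0], delta))
    return gaps


def find_logging_changes(events):
    """Return (timestamp, command) for every logging configuration command audited as message 111008."""
    changes = []
    for ts, msg_id, msg in events:
        if msg_id == "111008":
            m = LOGGING_CMD_RE.search(msg)
            if m:
                changes.append((ts, m["cmd"]))
    return changes


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for start, end, dur in find_silent_gaps(evts):
        print(f"silent gap of {dur} between {start} and {end}")
    for ts, cmd in find_logging_changes(evts):
        print(f"logging config change at {ts}: {cmd}")
```

A silent gap alone is not proof of compromise (a syslog collector outage produces the same pattern), so correlate each flagged interval with change-management records and the device's own `show logging` state before escalating.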

Organisations using vulnerable Cisco ASA or FTD firewalls must act urgently, because these vulnerabilities have been publicly disclosed and exploited in targeted attacks. 

Thomas Murray’s incident response team is trained to respond quickly and efficiently to incidents and help your business get back on track.