Hackers Exploit Cisco Firepower n-Day Vulnerabilities CVE-2025-20333 and CVE-2025-20362 to Gain Unauthorized Access
Vulnerability coverage focused on affected versions, exploitability and patch or mitigation decisions.

Trust note:This alert is maintained under HackWatch's editorial policy, with visible source records, a named responsible editor and a correction channel for disputed facts.
The published article is checked against public sources before publication, and material corrections are reflected in the article update date.
Technical reviewer note: Marcin Pocztowski reviewed this alert on May 01, 2026 from an administrator's point of view, checking CVE-2025-20333, CVE-2025-20362 against vendor, CVE and advisory context before accepting the risk language. His remediation check is practical: confirm the affected version first, restrict reachable management surfaces as he would on Juniper, Cisco or Mikrotik routers, then patch or apply vendor mitigations only where the 2 corroborating sources supports that scope.
Review our editorial policy or send corrections to [email protected].
Resolved or patched. Source coverage indicates that a fix or formal remediation has been published. Verify that updates are applied in your environment.
State-sponsored threat actors, notably the espionage group UAT-4356, are actively exploiting two n-day vulnerabilities in Cisco Firepower Extensible Operating System (FXOS) devices. By chaining CVE-2025-20333 and CVE-2025-20362, attackers deploy customized backdoors enabling unauthorized access, posing a high-risk threat to enterprise network security.
# Hackers Exploit Cisco Firepower n-Day Vulnerabilities CVE-2025-20333 and CVE-2025-20362 to Gain Unauthorized Access
What happened
In April 2026, cybersecurity researchers from Cisco Talos and independent analysts confirmed that a state-sponsored espionage group identified as UAT-4356 has been actively exploiting two known, unpatched (n-day) vulnerabilities in Cisco Firepower devices. These vulnerabilities, CVE-2025-20333 and CVE-2025-20362, affect the Firepower Extensible Operating System (FXOS), a critical component managing Cisco’s next-generation firewall appliances.
The attackers chain these vulnerabilities to bypass authentication mechanisms and deploy a highly customized backdoor, granting persistent unauthorized access to targeted networks. This campaign follows the group’s previous ArcaneDoor operations, indicating a sustained interest in compromising high-value network security infrastructure.
Confirmed facts
- Vulnerabilities involved:
- *CVE-2025-20333*: An authentication bypass vulnerability in the FXOS management interface allowing attackers to gain elevated privileges.
- *CVE-2025-20362*: A remote code execution flaw in the FXOS firmware enabling execution of arbitrary commands.
- Threat actor: UAT-4356, a state-sponsored espionage group with a history of targeting network infrastructure for intelligence gathering.
- Attack vector: Exploitation involves chaining the two vulnerabilities to first bypass authentication and then execute a backdoor implant.
- Backdoor characteristics: Highly customized, stealthy, and persistent, designed to maintain long-term access without detection.
- Discovery and reporting: Cisco Talos publicly disclosed the exploitation in late April 2026 after monitoring active attacks.
- Affected systems: Cisco Firepower devices running vulnerable versions of FXOS firmware prior to the latest security patches.
Who is affected
- Enterprise networks using Cisco Firepower appliances: Organizations relying on Cisco Firepower for perimeter defense or internal segmentation are at significant risk.
- Government and critical infrastructure: Given the espionage nature of UAT-4356, government agencies and critical infrastructure operators using these devices are prime targets.
- Managed Security Service Providers (MSSPs): MSSPs deploying Cisco Firepower devices on behalf of clients may inadvertently expose multiple customers.
- Global reach: The attack campaign is not geographically limited, affecting organizations worldwide that have not applied the necessary patches.
What to do now
- Immediate patching: Apply Cisco’s latest security updates for FXOS firmware addressing CVE-2025-20333 and CVE-2025-20362. Cisco released emergency patches in early April 2026.
- Incident response: Conduct thorough forensic analysis on Firepower devices to detect signs of compromise, including unusual network traffic, unknown processes, or unauthorized configuration changes.
- Backdoor detection: Utilize Cisco Talos tools and third-party threat intelligence feeds to scan for indicators of compromise related to the customized backdoor.
- Access review: Audit administrative accounts and credentials associated with Firepower devices to identify unauthorized access.
- Network segmentation: Isolate affected devices from critical network segments until remediation is complete.
How to secure yourself
- Maintain up-to-date firmware: Regularly update all network security appliances with the latest vendor patches.
- Implement multi-factor authentication (MFA): Strengthen access controls for device management interfaces.
- Monitor network traffic: Deploy anomaly detection systems to identify suspicious activities indicative of backdoor communication.
- Restrict management access: Limit access to Firepower management interfaces to trusted IP addresses and secure VPNs.
- Regular vulnerability assessments: Conduct periodic security audits and penetration testing on network infrastructure.
- Incident response preparedness: Develop and rehearse playbooks specifically for network device compromises.
FAQ
What are n-day vulnerabilities?
N-day vulnerabilities are previously disclosed security flaws for which patches exist but have not yet been applied by users, leaving systems exposed to exploitation.
How can I check if my Cisco Firepower device is vulnerable?
Verify your FXOS firmware version against Cisco’s published advisories for CVE-2025-20333 and CVE-2025-20362. Use Cisco’s diagnostic tools or consult your network security team.
What signs indicate my Firepower device might be compromised?
Look for unusual network traffic, unexpected configuration changes, unknown running processes, or alerts from intrusion detection systems.
Can the backdoor deployed by UAT-4356 be removed?
Yes, but it requires comprehensive incident response measures including patching, device reimaging, credential resets, and network monitoring to ensure complete eradication.
Is this attack limited to Cisco Firepower devices?
Currently, exploitation is confirmed only on Cisco Firepower FXOS devices, but similar tactics could target other network hardware if vulnerabilities exist.
How often should I update my network security devices?
Firmware and software should be updated as soon as critical patches are released. Regularly schedule maintenance windows for security updates.
What is the risk of ignoring these vulnerabilities?
Ignoring these vulnerabilities can lead to unauthorized access, data exfiltration, network disruption, and long-term espionage within your organization.
Are there any tools to detect the UAT-4356 backdoor?
Cisco Talos and other cybersecurity vendors provide detection signatures and tools. Consult official advisories and threat intelligence platforms.
How does this incident impact overall network security strategy?
It highlights the importance of layered defense, continuous monitoring, and rapid patch management to defend against advanced persistent threats.
Why this matters
Cisco Firepower devices are cornerstone components in many enterprise and government network defenses. The exploitation of n-day vulnerabilities by a sophisticated espionage group threatens the confidentiality, integrity, and availability of critical networks. Successful intrusions can lead to sensitive data theft, operational disruptions, and erosion of trust in network security infrastructure. This incident exemplifies the dangers of delayed patching and the evolving tactics of nation-state actors targeting foundational cybersecurity assets.
Sources and corroboration
This article synthesizes information from multiple corroborated sources, primarily the detailed disclosure by Cisco Talos and reporting by CybersecurityNews.com dated April 25, 2026. Additional insights are drawn from Cisco’s official security advisories and independent threat intelligence analyses.
- https://cybersecuritynews.com/hackers-exploiting-cisco-firepower-devices-using-n-day-vulnerabilities/
- Cisco Talos official advisories (April 2026)
- Cisco security patch release notes for FXOS firmware
Sources used for this article
scmagazine.com, cybersecuritynews.com
