Heroes, It's Friday. We are now including MITRE ATT&CK mappings in STIX bundles. Thanks for your continuing efforts!
Here's a detailed look at the current cybersecurity landscape for September 26, 2025.
Date & Time: 2025-09-26T07:05:43
An advanced threat actor, linked to a campaign dubbed "ArcaneDoor," has been exploiting two zero-day vulnerabilities in Cisco Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) software. These flaws allow for remote code execution and privilege escalation on affected devices, enabling attackers to gain complete control of critical network infrastructure. The attacks specifically target devices lacking secure boot capabilities.
CVE Details: CVE-2025-20333, CVE-2025-20362
Source: SecurityWeek ↗, Tenable ↗
Date & Time: 2025-09-25T12:43:42
A critical zero-day vulnerability is being actively exploited in Cisco IOS and IOS XE software, potentially affecting as many as two million devices. The vulnerability can be triggered remotely to crash devices or execute arbitrary code, posing a significant risk to network stability and security. Cisco has confirmed the flaw is present in all supported versions of the operating systems.
CVE Details: CVE-2025-20352
Source: Ars Technica ↗
Date & Time: 2025-09-25T21:35:36
The widespread, unmanaged use of AI tools by employees, known as "Shadow AI," is creating significant security risks. A recent analysis found that over 80% of sampled organizations showed signs of unapproved AI activity, such as employees uploading sensitive customer or HR data into public AI models. This behavior exposes organizations to potential data leakage, privacy violations, and compliance failures.
CVE Details: n/a
Source: Security Boulevard ↗
Date & Time: 2025-09-25T19:08:08
A U.S. Senate committee report alleges that the company DOGE is operating without sufficient oversight, likely violating federal privacy and security laws. This lack of compliance places the personal information of American citizens at significant risk. The findings highlight growing concerns over corporate accountability in data protection and cybersecurity practices.
CVE Details: n/a
Source: U.S. Senate HSGAC ↗
Date & Time: 2025-09-25T11:00:00
Oracle Field CISO AJ Debole discusses key challenges facing security leaders, including aligning security initiatives with business objectives and preparing for the next wave of AI-driven threats. The interview provides strategic perspective on improving breach readiness and navigating the complex intersection of technology, security, and corporate governance.
Source: Wallarm Labs ↗
Spotlight Rationale: Today's critical intelligence highlights multiple actively exploited zero-day vulnerabilities in core network infrastructure (Cisco ASA/FTD/IOS - CVE-2025-20333, CVE-2025-20362, CVE-2025-20352). This underscores the urgent need for comprehensive vulnerability management and threat detection capabilities to identify and respond to compromised network devices.
Threat Context: Up to 2 Million Cisco Devices Vulnerable to Actively Exploited Zero-Day
Platform Focus: Rapid7 InsightVM (Vulnerability Management) & InsightIDR (XDR/SIEM)
Rapid7's platform directly addresses the risks posed by the Cisco vulnerabilities. InsightVM provides the external and internal scanning capabilities required to identify vulnerable Cisco ASA, FTD, and IOS/IOS XE devices across the enterprise network. Following detection, InsightIDR can be used to monitor these critical assets for signs of post-exploitation activity, such as anomalous outbound connections or lateral movement, which are key indicators of a successful ArcaneDoor campaign intrusion.
1. **InsightVM:** Prioritize authenticated scans against all known Cisco network devices. Use a scan template configured with credentials to enable deep inspection for specific vulnerable software versions related to CVE-2025-20333, CVE-2025-20362, and CVE-2025-20352. Create a dynamic asset group for "Vulnerable Cisco Devices" to track remediation progress.
2. **InsightIDR:** Ingest syslog and NetFlow data from Cisco ASA/FTD devices. Create custom detection rules to alert on suspicious outbound connections from the firewall's management interface to unknown IP addresses. Additionally, monitor for endpoint agent alerts on internal systems that show traffic originating from the firewall, which could indicate lateral movement.
⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.
1. Vendor Platform Configuration - Rapid7
# Rapid7 InsightVM: Vulnerability Scan Configuration
# 1. Navigate to 'Scans' > 'Create Scan' in your InsightVM console.
# 2. Select a full audit template that includes authenticated scanning.
# 3. In the 'Assets' section, target IP ranges or asset groups containing your Cisco devices.
# 4. In the 'Credentials' section, add SSH credentials with sufficient privileges to read system version information from the Cisco devices.
# 5. Under 'Vulnerability Checks', ensure checks for CVE-2025-20333, CVE-2025-20362, and CVE-2025-20352 are enabled.
# 6. Schedule the scan to run immediately and on a recurring basis.
# Rapid7 InsightIDR: Custom Detection Rule
# 1. Navigate to 'Settings' > 'Custom Alerts' > 'Custom Rules'.
# 2. Select 'Create Rule from Log Search'.
# 3. Use the following LEQL query to detect suspicious firewall management traffic:
# where(log_name="Cisco ASA Syslog" AND source_address IN [firewall_mgmt_ips] AND direction="outbound" AND NOT destination_address IN [known_good_ips])
# 4. Configure the rule to generate a 'High' severity alert.2. YARA Rule for ArcaneDoor Implant
rule Cisco_ArcaneDoor_Backdoor_Initial {
meta:
description = "Detects potential artifacts associated with the ArcaneDoor backdoor on Cisco devices."
author = "Threat Rundown"
date = "2025-09-26"
reference = "https://www.securityweek.com/?p=43746"
severity = "high"
tlp = "white"
strings:
$s1 = "LineRunner-2.0"
$s2 = "/var/run/arcane.pid"
$s3 = "cli_exec_hook_enable"
condition:
uint32(0) == 0x464c457f and 1 of ($s*)
}3. SIEM Query — Suspicious Outbound Connections from Cisco ASA/FTD
index=firewall sourcetype=cisco:asa OR sourcetype=cisco:ftd
| search action=allowed
| iplocation src_ip
// Filter for traffic originating from the firewall's own interfaces
| where match(src_ip, "|")
// Exclude known management destinations (e.g., syslog, NTP, vendor updates)
| where NOT (dest_ip IN (, ))
| stats count by _time, src_ip, dest_ip, dest_port, Country
| where Country != "United States" // Example: filter for unexpected geo-locations
| sort -_time 4. PowerShell Script — Host-Based Check for Post-Compromise Activity
<#
.SYNOPSIS
Checks for suspicious network connections that could indicate lateral movement from a compromised network device.
#>
$firewall_ips = @("192.168.1.1", "10.0.0.1") # Add your firewall management IPs
Write-Host "[*] Searching for active connections from firewall IPs..."
# Get established TCP connections
$connections = Get-NetTCPConnection -State Established
foreach ($conn in $connections) {
if ($firewall_ips -contains $conn.RemoteAddress) {
Write-Warning ("[!] Suspicious established connection found from firewall IP: " + $conn.RemoteAddress)
$process = Get-Process -Id $conn.OwningProcess
Write-Host (" Local Port: " + $conn.LocalPort)
Write-Host (" Remote Address: " + $conn.RemoteAddress + ":" + $conn.RemotePort)
Write-Host (" Owning Process: " + $process.ProcessName + " (PID: " + $process.Id + ")")
Write-Host (" Process Path: " + $process.Path)
Write-Host "-" * 20
}
}
Write-Host "[*] Check complete."
This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!