Cisco ASA Pre-Auth RCE Chain (CVE-2025-20333 + CVE-2025-20362) Joined CISA KEV On May 13. We Named ArcaneDoor / UAT4356 On The Same Platform On March 17. That's A 57-Day Lead.
- Patrick Duggan
CISA added two Cisco vulnerabilities to the Known Exploited Vulnerabilities catalog on May 13, 2026. CVE-2025-20333 is a buffer overflow in the VPN Web Server of Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) that allows for remote code execution. CVE-2025-20362 is a missing authorization vulnerability in the same VPN Web Server. CISA's own description says the two can be chained.
Chained, they are a pre-authentication remote code execution on a perimeter VPN appliance. ASA / FTD is the box at the edge of most enterprise networks. The VPN Web Server is the surface that an external attacker can reach without credentials. Buffer overflow plus missing authorization on that surface is the worst-shape vulnerability that exists for a firewall product.
The reason this post exists is a receipt.
What we said on March 17
On March 17, 2026, we published "Your Cisco ASA Is Getting Popped Right Now. Here's How to Block It in 5 Minutes." The post opened with the line that Cisco had just dropped ERP-75736 with 25 advisories and 48 vulnerabilities across ASA, FMC, and FTD, two of them rated CVSS 10.0 for unauthenticated root access to the firewall management console. It named the state-sponsored actor by every alias we had — UAT4356 / ArcaneDoor / Storm-1849 — and the date the campaign began: September 2025. It cited CISA Emergency Directive ED 25-03 against ASA zero-days. It gave defenders the indicator list to load into OPNsense, Zscaler, Splunk ES, Palo Alto, and Cisco ISE in 5 minutes.
The next day, March 18, we published the follow-up: "Interlock Ransomware Confirms It: Your Cisco FMC Was a Zero-Day Since January." Amazon Threat Intelligence had attributed the active exploitation to the Interlock ransomware operation, which had been exploiting CVE-2026-20131 as a zero-day since January 26, 2026 — six weeks before Cisco disclosed it.
That is the prior coverage. It is dated, indexed, and at the URL it has carried since.
What CISA confirmed on May 13
The May 13 KEV addition is not the same CVE we wrote about in March. CVE-2025-20333 and CVE-2025-20362 are new identifiers in the same ASA / FTD platform — different specific bugs, same surface, same trust boundary. CISA gating a CVE onto KEV means active exploitation evidence has been verified. By the time a CVE is on KEV, it is being used in the wild.
The exploit-harvester pipeline that watches GitHub for proof-of-concept code already picked up at least one repository targeting one of the related Cisco Catalyst SD-WAN CVEs (fevar54/CVE-2026-20224-XXE-Injection-en-Cisco-Catalyst-SD-WAN-Manager) and emitted detection rules to our iocs index. The pattern is repeatable: ASA / FTD platforms have a steady cadence of new CVEs disclosed, public PoCs land within days, KEV listings follow within weeks.
The lead time
March 17, 2026 — we wrote about Cisco ASA being actively exploited and named the actor.
May 13, 2026 — CISA KEV'd the next pre-auth RCE chain in the same ASA / FTD platform.
57 days.
Same gear. Same trust boundary. Same actor family targeting it.
If you pulled our STIX feed on March 17 and routed the indicators into your edge stack on the same afternoon, your environment had attributable ASA-exploitation infrastructure on the block list for 57 days before the federal patch deadline gating the next chain even started counting. The block worked the day we published it. The actor list was already on the wire.
Why ASA / FTD specifically
Cisco ASA and Firepower Threat Defense are the dominant North American enterprise perimeter firewall by deployed count. They terminate site-to-site IPsec, serve remote-access VPN for remote workers, and increasingly run the entire perimeter-trust enforcement layer for organizations that bought into Cisco's stack a decade ago. A pre-auth RCE on the VPN Web Server of these devices is not "a vulnerability." It is the worst-shape vulnerability — the device exists to enforce the trust boundary, and the trust boundary collapses if an unauthenticated attacker can execute code on the device itself.
The ArcaneDoor / UAT4356 / Storm-1849 actor family has been documented exploiting ASA zero-days since at least September 2025. CISA's Emergency Directive ED 25-03 is the federal civilian agency response to that activity. The Interlock ransomware operation has been observed using these same platforms as initial-access vectors. The May 13 KEV additions extend the exploitation surface — they do not start it.
What to do today
If you operate Cisco ASA, Firepower Threat Defense, or any Secure Firewall product, patch CVE-2025-20333 and CVE-2025-20362. The Cisco PSIRT advisory tied to these IDs names the fixed software versions. Apply them, reboot the device, confirm the build.
If you cannot patch in the same business day, the VPN Web Server is the surface to restrict. Disable external access to the management interface, or restrict it to a small management VLAN, until the patch lands. The VPN data plane (IPsec tunnel termination) can remain reachable for end users — the Web Server is a separate surface and is the one that needs to come off the public internet.
Audit recent administrator activity on every ASA / FTD device in your estate. Look for sessions originating from source IPs outside your normal admin pool, logins outside business hours, and any device configuration changes you cannot tie to a change ticket. Cisco ASA logs anomalous activity if syslog is wired correctly — which it often is not.
If you find evidence of compromise, treat the device as fully owned. Rotate every credential the device touched: IPsec PSKs, SSL VPN certificates, RADIUS shared secrets, TACACS+ keys, SNMP community strings, NTP authentication keys, every administrator account, every API token. The device sits at the trust anchor of your perimeter; once that anchor is in question, the cleanup surface is most of your perimeter.
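The audit step above, as an added example that is not part of the original post or any DugganUSA tooling: a small Python pass over ASA syslog that flags admin logins from outside the expected admin source range, logins outside business hours, and every configuration command so it can be reconciled against a change ticket. The sample log lines, the admin pool, the business window, and the exact ASA message formats are constructed assumptions for illustration.

```python
import re
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample ASA syslog lines (not from the post). The message IDs and
# field layouts follow common ASA syslog conventions and are an assumption here.
SAMPLE_LOG = """\
May 13 2026 09:12:01 asa-edge-1 %ASA-6-605005: Login permitted from 10.20.30.40/51022 to inside:10.20.30.1/ssh for user "netops"
May 13 2026 09:13:44 asa-edge-1 %ASA-5-111008: User 'netops' executed the 'configure terminal' command.
May 13 2026 03:27:15 asa-edge-1 %ASA-6-605005: Login permitted from 198.51.100.77/44122 to outside:203.0.113.10/https for user "admin"
May 13 2026 03:28:02 asa-edge-1 %ASA-5-111008: User 'admin' executed the 'webvpn' command.
May 13 2026 03:29:10 asa-edge-1 %ASA-5-111010: User 'admin', running 'CLI' from IP 198.51.100.77, executed 'write memory'
"""

ADMIN_POOL = [ip_network("10.20.30.0/24")]   # assumed normal admin source range
BUSINESS_HOURS = (time(7, 0), time(19, 0))    # assumed local business window

TS_RE = re.compile(r"^(\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})")
LOGIN_RE = re.compile(r'%ASA-6-605005: Login permitted from (\S+)/\d+ to \S+ for user "([^"]+)"')
CONFIG_RE = re.compile(r"%ASA-5-111008: User '([^']+)' executed the '([^']+)' command")
EXEC_RE = re.compile(r"%ASA-5-111010: User '([^']+)', running '[^']+' from IP (\S+), executed '([^']+)'")


def _outside_pool(ip: str) -> bool:
    """True when the source address is not inside any expected admin network."""
    return not any(ip_address(ip) in net for net in ADMIN_POOL)


def _after_hours(line: str) -> bool:
    """True when the line's timestamp falls outside the business window."""
    m = TS_RE.match(line)
    if not m:
        return False
    t = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S").time()
    return not (BUSINESS_HOURS[0] <= t <= BUSINESS_HOURS[1])


def audit_asa_log(text: str) -> list:
    """Return (reason, user) findings for admin activity that needs a human look."""
    findings = []
    for line in text.splitlines():
        if m := LOGIN_RE.search(line):
            ip, user = m.groups()
            if _outside_pool(ip):
                findings.append(("login from outside admin pool", user))
            if _after_hours(line):
                findings.append(("login outside business hours", user))
        elif m := CONFIG_RE.search(line):
            user, cmd = m.groups()
            findings.append(("config command, reconcile with change ticket: " + cmd, user))
        elif m := EXEC_RE.search(line):
            user, ip, cmd = m.groups()
            tag = " from outside admin pool" if _outside_pool(ip) else ""
            findings.append(("config command, reconcile with change ticket: " + cmd + tag, user))
    return findings
```

Feeding real syslog into this is a matter of pointing it at the collector's file; the point is that every config command and every off-pool or off-hours login becomes a line someone has to explain.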
Where we sit
The DugganUSA archive carries the March 17 receipt at its original URL, indexed. The STIX feed carries the indicator list tied to ArcaneDoor / UAT4356. The May 13 KEV additions extend the platform's exploitation history that we have been tracking publicly for two months.
If you pulled the feed in March, you were ahead of this. If you did not, the registration link is the same as always — analytics dot dugganusa dot com slash stix slash register. Thirty seconds, Bearer key issued immediately, free tier for individual researchers, paid tier for production-scale ingest.
The product is the lead time. The proof is the date math. March 17 to May 13 is 57 days. Subtract.
What we do not claim
We do not claim that CVE-2025-20333 and CVE-2025-20362 were specifically named in our March 17 post. They were not. The post named the platform (ASA / FTD), the actor (UAT4356 / ArcaneDoor / Storm-1849), and the active exploitation pattern that has continued unbroken since September 2025. The May 13 KEV additions are the next chain on the same platform under the same exploitation pressure we documented. The receipt is structural, not per-CVE.
We cap at 95%. Murphy is an optimist. The 5% we ship that turns out to be wrong is part of the price of being right early.
Sources: DugganUSA blog post "Your Cisco ASA Is Getting Popped Right Now. Here's How to Block It in 5 Minutes." published 2026-03-17. DugganUSA blog post "Interlock Ransomware Confirms It: Your Cisco FMC Was a Zero-Day Since January" published 2026-03-18. CISA Known Exploited Vulnerabilities Catalog entries for CVE-2025-20333 and CVE-2025-20362, added 2026-05-13. Cisco ERP-75736 advisory bundle, March 4, 2026. CISA Emergency Directive ED 25-03 (Cisco ASA zero-days). Amazon Threat Intelligence attribution of Interlock ransomware to CVE-2026-20131 exploitation since January 26, 2026.
Her name was Renee Nicole Good.
His name was Alex Jeffery Pretti.
