Cisco Firewall and VPN Zero Day Attacks: CVE-2025-20333 and CVE-2025-20362
Beginning in May 2025, a China-aligned threat actor (tracked as UAT4356 / Storm-1849) has exploited a set of zero-day flaws in the web services of Cisco's firewall/VPN products: CVE-2025-20333 (CVSS 9.9), CVE-2025-20362 (CVSS 6.5) and, later, CVE-2025-20363 (CVSS 9.0). The adversaries use a path-normalization bypass against WebVPN endpoints and a heap overflow in the file-upload handler to escalate from web access to code execution. In many cases they chain the vulnerabilities: the unauthenticated bypass gives them the reach for a second-stage exploit, which in turn lets them load custom payloads. The campaign has demonstrated persistence that survives device reboots and firmware upgrades through bootkit-level implants.
What makes this campaign significant is its emphasis on the infrastructure itself as the target rather than as mere transit. The attackers aim not only to extract data or exfiltrate configurations but to embed themselves deeply in network perimeter gear, turning those devices into enduring footholds. Their tradecraft includes disabling logging, intercepting CLI commands, forcing reboots to thwart forensic capture, and suppressing diagnostics, all of which complicate detection and response. Their focus also appears narrow and deliberate: there is little evidence of lateral movement beyond the compromised device, which indicates how much value they place on persistence in high-value infrastructure.
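The two bug classes described above, a path-normalization bypass and an oversized upload to a file-upload handler, leave traces in web access logs that a defender can check for. The following is an added example, not code from the report or from Cisco: the log format, the protected prefix `/vpn/session/`, the upload endpoint `/vpn/upload` and the size threshold are constructed assumptions, and the sample lines are invented for illustration.

```python
"""Flag normalization-evasion attempts and oversized uploads in access logs.

Added example; log format, paths and threshold are assumptions, not Cisco's.
Constructed line format: <src> "<METHOD> <path> HTTP/x.y" <status> <request-body-bytes>
"""
import posixpath
import re
from urllib.parse import unquote

PROTECTED_PREFIX = "/vpn/session/"  # assumed: requires an authenticated session
UPLOAD_HANDLER = "/vpn/upload"      # assumed: the file-upload endpoint
UPLOAD_SIZE_LIMIT = 1_000_000       # assumed: larger request bodies are anomalous

LOG_RE = re.compile(r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
                    r'(?P<status>\d{3}) (?P<reqlen>\d+)$')

def canonicalize(raw_path):
    """Decode percent-encoding (repeatedly, for double encoding), unify slashes,
    and resolve dot segments, i.e. what the server ends up serving."""
    path = raw_path.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = re.sub(r"/+", "/", path.replace("\\", "/"))
    path = posixpath.normpath(path)
    return path if path.startswith("/") else "/" + path

def analyze_line(line):
    """Return the list of alerts raised by one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    raw, canon, alerts = m["path"], canonicalize(m["path"]), []
    # Encoded separators or dots are rarely legitimate in a VPN portal URL.
    if re.search(r"%2[fF]|%2[eE]|%5[cC]|\\", raw):
        alerts.append(f"encoded separator in path {raw} from {m['src']}")
    # Authorization decided on the raw path, but the served path is protected.
    if canon.startswith(PROTECTED_PREFIX) and not raw.startswith(PROTECTED_PREFIX):
        alerts.append(f"normalization evasion {raw} -> {canon} from {m['src']}")
    # Overflow attempts against the upload handler show up as abnormal body sizes.
    if m["method"] == "POST" and canon == UPLOAD_HANDLER and int(m["reqlen"]) > UPLOAD_SIZE_LIMIT:
        alerts.append(f"oversized upload of {m['reqlen']} bytes from {m['src']}")
    return alerts

def scan(lines):
    return [alert for line in lines for alert in analyze_line(line)]

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.5 "GET /vpn/public/index.html HTTP/1.1" 200 0',
    '203.0.113.7 "GET /vpn/public/..%2fsession/config HTTP/1.1" 200 0',
    '203.0.113.7 "POST /vpn/upload HTTP/1.1" 200 5242880',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Run against a real access log, the same source address tripping both the evasion and the upload check in close succession is the chaining pattern the report describes.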
Detections
- Baseline normal scripting interpreter usage and alert on deviations
- Detect file downloads via certutil, bitsadmin, curl, or PowerShell from external URLs
- Detect phishing attempts via email link analysis and sender reputation scoring
- Detect encrypted C2 channels using non-standard certificates or pinned connections
- Monitor for C2 communication over HTTP/HTTPS to uncommon or newly registered domains