TR-85 - Three vulnerabilities in Cisco ASA software/appliance and FTD software being exploited

TR-85 - Three vulnerabilities in Cisco ASA software/appliance and FTD software being exploited

Back to Publications and Presentations

  1. Fixes
  2. Detection and investigative assessment
  3. Known affected software
  4. References
  5. Classification of this document
  6. Revision

You can report incidents via our official contact including e-mail, phone or use the Anonymous reporting form.


CIRCL is accredited TI CIRCL is a FIRST member CIRCL is an OASIS member

Three vulnerabilities (CVE-2024-20359, CVE-2024-20358, and CVE-2024-20353) in Cisco ASA (Adaptive Security Appliance) software/appliance and FTD (Firepower Threat Defense) software have been discovered and published by Cisco as being actively exploited.


Cisco provides software updates known as SSU (Security Software Update). We strongly recommend users update to the latest version and conduct further investigations as suggested below for signs of compromise.

Detection and investigative assessment

We strongly recommend users of Cisco ASA equipment follow the Cisco ASA Forensic Investigation Procedures for First Responders.

Talos Intelligence has shared some indicators for conducting investigative assessments, such as IP addresses. These can be useful if you have active monitoring of network flow within your infrastructure. CIRCL released a MISP event available in the CIRCL MISP OSINT feed with the ArcaneDoor indicators.

Exploited vulnerabilities (with the current knowledge of the exploitation) can be detected by examining the executable memory region of the appliance using the command show memory region | include lina. If more than one region has r-xp permissions, it is a sign of potential compromise. It is also not recommended to collect a core dump or reboot the appliance if there is a sign of compromise.

Known affected software

These three vulnerabilities affect Cisco products if they are running a vulnerable release of Cisco ASA Software or FTD Software. No specific configuration is required. Cisco releases Security Software Updates (SSU) at no cost. If you are unsure about the actual version of the software, we recommend using the Cisco Software Checker.


Classification of this document

TLP:CLEAR information may be distributed without restriction, subject to copyright controls.


  • Version 1.0 - TLP:CLEAR - First version - 25th April 2024