From edge firewalls to business-critical applications and web browsers, attackers are actively exploiting zero-day vulnerabilities across the digital ecosystem. This week, three high-severity threats have surfaced, exposing core systems to remote code execution and full compromise. Organizations must act quickly to mitigate these risks and secure exposed infrastructure.
In this roundup, we break down the most pressing vulnerabilities affecting the Cisco ASA and Firepower Threat Defense (FTD) firewalls, the Oracle E-Business Suite (EBS), and the Google Chrome web browser. Read on for detailed analysis, mitigation guidance, and expert insights to help your organization respond effectively.
Cisco Firewall Zero-Days Widen Attack Surface on ~50K Devices
Two zero-day vulnerabilities, CVE‑2025‑20333 and CVE‑2025‑20362, are being actively exploited in Cisco ASA and FTD firewall appliances. According to Cisco Talos and Unit 42, the attack chain pairs an authorization bypass with a buffer overflow in the VPN web server to achieve unauthenticated remote code execution (RCE). Once inside, attackers deploy custom malware, RayInitiator and LINE VIPER, to establish persistent access. These implants survive reboots and software upgrades, can tamper with the ROMMON firmware on hardware that lacks Secure Boot, and suppress logging to avoid detection.
Shadowserver scans have identified nearly 50,000 exposed systems, with high concentrations in the U.S., Germany, and the U.K. In response, CISA issued Emergency Directive 25‑03, instructing federal agencies to isolate or patch vulnerable devices within 24 hours. The campaign is linked to UAT4356 (aka ArcaneDoor)—a state-sponsored threat actor known for targeting edge infrastructure.
Digging deeper into the technical makeup of this campaign: CVE‑2025‑20362 is a missing-authorization flaw in the VPN web server that lets a remote, unauthenticated attacker reach URL endpoints that should require a login. CVE‑2025‑20333 is a buffer overflow in the same VPN web server that on its own requires valid VPN credentials; with the bypass in hand, the attacker reaches the overflow without credentials and gains code execution as root. From there the operators install RayInitiator, a GRUB bootkit written to the boot volume, which loads LINE VIPER, a memory-resident shellcode loader, on every start. On older ASA 5500-X models without Secure Boot the operators also modified the ROMMON environment. Because the persistence sits below the operating system, upgrading the ASA image does not reliably evict it; this is why CISA's directive requires capturing core dumps for forensic analysis and removing compromised devices from service rather than simply patching them.
RayInitiator provides the persistence layer and stages LINE VIPER, which runs attacker commands on the ASA CLI, captures traffic, bypasses AAA for the operators' sessions, and suppresses the syslog messages those actions would normally generate. Indicators of compromise (IOCs) include unexpected reboots, altered SNMP configuration, gaps in syslog output, and undocumented ROMMON variables. Cisco's fixed releases are the remediation; the advisory lists no workaround, so the interim controls are to disable SSL VPN (webvpn) on interfaces that do not need it and to restrict who can reach the VPN and management services with control-plane access control lists (ACLs). According to Unit 42, the campaign initially focused on government networks in Q2 2025 before expanding to the broader enterprise sector.
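The IOCs above are things a responder can check without vendor tooling. The following is an added example, not Cisco's, CISA's or RSI Security's code: it diffs a running-config against a known-good baseline (only the stanzas this campaign touches: SNMP, logging, boot, webvpn, control-plane ACLs) and scans ASA command-accounting syslog messages for commands that disable logging, change the boot image, alter SNMP or drop files on flash. The `%ASA-5-111010` message ID and the config syntax are real; the baseline, current config, addresses and log lines are constructed for the example.

```python
import re

# Config stanzas the campaign is reported to touch; diff only these to cut noise.
WATCHED_PREFIXES = ("snmp-server", "logging", "boot ", "webvpn", "access-group")

# Commands an operator rarely runs on a production edge firewall but which line up
# with the IOCs: log suppression, boot image changes, SNMP changes, file drops.
SUSPICIOUS_COMMANDS = [
    re.compile(r"^no logging"),
    re.compile(r"^(no )?boot system"),
    re.compile(r"^(no )?snmp-server"),
    re.compile(r"^copy .*\b(disk0|flash):"),
]

# %ASA-5-111010 is Cisco's command-accounting syslog message (real format).
CMD_AUDIT_RE = re.compile(
    r"%ASA-5-111010: User '(?P<user>[^']+)', running '[^']+' "
    r"from IP '(?P<ip>[^']+)', executed '(?P<cmd>[^']+)'"
)


def watched_lines(config_text):
    """Config lines in the watched stanzas, whitespace-normalised, as a set."""
    return {ln.strip() for ln in config_text.splitlines()
            if ln.strip().startswith(WATCHED_PREFIXES)}


def diff_config(baseline, current):
    """Return (added, removed) lines within the watched stanzas only."""
    base, cur = watched_lines(baseline), watched_lines(current)
    return sorted(cur - base), sorted(base - cur)


def suspicious_commands(syslog_lines):
    """Return (user, source_ip, command) for audited commands matching the patterns."""
    hits = []
    for line in syslog_lines:
        m = CMD_AUDIT_RE.search(line)
        if m and any(p.search(m.group("cmd")) for p in SUSPICIOUS_COMMANDS):
            hits.append((m.group("user"), m.group("ip"), m.group("cmd")))
    return hits


# --- constructed sample data; not taken from a real device ---
BASELINE_CONFIG = """\
logging enable
logging host inside 10.0.0.50
snmp-server host inside 10.0.0.60 community ***** version 2c
access-group MGMT-CP in interface outside control-plane
boot system disk0:/asa-image.bin
"""

# Logging has been turned off and the SNMP trap receiver now points outside.
CURRENT_CONFIG = """\
snmp-server host inside 203.0.113.7 community ***** version 2c
access-group MGMT-CP in interface outside control-plane
boot system disk0:/asa-image.bin
"""

SAMPLE_SYSLOG = [
    "%ASA-5-111010: User 'admin', running 'CLI' from IP '10.0.0.5', executed 'show version'",
    "%ASA-5-111010: User 'enable_15', running 'CLI' from IP '198.51.100.9', executed 'no logging host inside 10.0.0.50'",
    "%ASA-5-111010: User 'enable_15', running 'CLI' from IP '198.51.100.9', executed 'snmp-server host inside 203.0.113.7 community s3cr3t version 2c'",
    "%ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.9/44321 (198.51.100.9/44321) to inside:10.0.0.10/443 (10.0.0.10/443)",
    # Last message before syslog went quiet.
    "%ASA-5-111010: User 'enable_15', running 'CLI' from IP '198.51.100.9', executed 'no logging enable'",
]


def triage(baseline=BASELINE_CONFIG, current=CURRENT_CONFIG, syslog=SAMPLE_SYSLOG):
    """Bundle the two checks into one report dict."""
    added, removed = diff_config(baseline, current)
    return {"added": added, "removed": removed, "commands": suspicious_commands(syslog)}


if __name__ == "__main__":
    for section, items in triage().items():
        print(section)
        for item in items:
            print("   ", item)
```

Feed `diff_config` the output of `show running-config` from the suspect device and the last archived config, and `suspicious_commands` the syslog export from the collector (not from the firewall, whose logs the implant may have suppressed). A silent gap in `%ASA-5-111010` messages after a `no logging` command is itself an indicator.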
Oracle E-Business Suite 0-Day Allows Full Control of ERP Systems
A newly discovered zero-day vulnerability, CVE‑2025‑61882, affects Oracle E-Business Suite (EBS) versions 12.2.3 through 12.2.14. The exploit chain, disclosed by ERPScan, combines deserialization and path traversal bugs into unauthenticated RCE over the network, with no credentials required. Attackers can gain full control over the EBS application tier and the financial, HR, and supply chain data it holds, posing a significant threat to enterprise operations.
Oracle EBS remains widely deployed across global enterprises, making this vulnerability especially concerning. Organizations are urged to act now to prevent exploitation.
Mitigating this vulnerability requires immediate and deliberate action. Apply Oracle's Security Alert patch for CVE‑2025‑61882 first; it presupposes the October 2023 Critical Patch Update, so environments that are behind on CPUs have two patches to stage. Next, restrict external access to Oracle EBS interfaces, especially internet-facing endpoints that can be reached without authentication. Where the patch cannot be applied immediately, virtual patching through a Web Application Firewall (WAF) filters known exploit payloads before they reach application components, but it is a stopgap rather than a fix: a WAF rule only covers the request shapes its authors have seen. Pair this with rigorous monitoring across the ERP infrastructure for abnormal login attempts, privilege escalation activity, and irregular API or servlet requests that could indicate exploitation.
Additionally, segment Oracle EBS systems from less trusted network zones and enforce strict role-based access controls to reduce the internal attack surface. Review data flows and authentication mechanisms across integrated enterprise apps to ensure the EBS platform remains secure. These steps reduce immediate risk; follow them with a full-scale vulnerability assessment to identify any remaining gaps. RSI Security offers tailored ERP assessments to identify weaknesses, evaluate exposure, and prioritize remediation strategies. Now is the time to act, before adversaries capitalize on this exploit in your environment.
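Two of the controls above, removing external reach to EBS and watching for abnormal login activity, can be checked from the web tier's access log before any ERP-level audit trail shows anything. The following is an added example, not Oracle's or RSI Security's code: it parses combined-format access log lines and reports requests into the EBS web paths from addresses outside an allowlist, plus sources hammering the login servlet. `/OA_HTML/`, `/OA_MEDIA/`, `/OA_JAVA/` and `/OA_HTML/AppsLogin` are real EBS paths; the allowlist ranges, threshold and log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Corporate and VPN ranges allowed to reach the EBS web tier (constructed).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Real EBS web-tier path prefixes (OA Framework pages, media, applets) and the
# standard login entry point.
EBS_PREFIXES = ("/OA_HTML/", "/OA_MEDIA/", "/OA_JAVA/")
LOGIN_PATH = "/OA_HTML/AppsLogin"

# Apache / Oracle HTTP Server combined-format access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})\b'
)


def parse(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_allowed(ip):
    """True if the client address falls inside an allowlisted range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # garbage in the client field is never "internal"
    return any(addr in net for net in ALLOWED_NETS)


def external_ebs_requests(lines):
    """Requests into EBS paths from outside the allowlist: the exposure to close."""
    hits = []
    for line in lines:
        r = parse(line)
        if r and r["path"].startswith(EBS_PREFIXES) and not is_allowed(r["ip"]):
            hits.append((r["ip"], r["method"], r["path"], r["status"]))
    return hits


def login_bursts(lines, threshold=5):
    """Sources with at least `threshold` POSTs to the login servlet."""
    counts = Counter()
    for line in lines:
        r = parse(line)
        if r and r["method"] == "POST" and r["path"].startswith(LOGIN_PATH):
            counts[r["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def build_sample_log():
    """Constructed log lines, not from a real EBS instance."""
    def ts(sec):
        return f"06/Oct/2025:09:00:{sec:02d} +0000"
    lines = [
        f'10.1.2.3 - jdoe [{ts(1)}] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120',
        f'10.1.2.3 - jdoe [{ts(2)}] "POST /OA_HTML/AppsLogin HTTP/1.1" 302 0',
        f'198.51.100.8 - - [{ts(3)}] "GET /robots.txt HTTP/1.1" 404 0',
        f'203.0.113.40 - - [{ts(4)}] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120',
    ]
    # Six rapid POSTs from one external source: a probe or credential attack.
    lines += [f'203.0.113.40 - - [{ts(5 + i)}] "POST /OA_HTML/AppsLogin HTTP/1.1" 200 5120'
              for i in range(6)]
    lines.append("not a log line")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    for hit in external_ebs_requests(log):
        print("external EBS request:", hit)
    print("login bursts:", login_bursts(log))
```

Any non-empty result from `external_ebs_requests` on a production log means the "restrict external access" step is not yet done; point the function at the WAF or reverse-proxy log if that is where client addresses are recorded.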
Google Chrome Zero-Day Exploit Allows Code Execution From a Malicious Webpage
Google recently patched a high-severity zero-day vulnerability in Chrome on Windows, macOS, and Linux. The bug, a type confusion in Chrome's V8 JavaScript engine, lets a malicious webpage run attacker-controlled code inside the renderer process that loaded it.
No user interaction beyond loading the page is required, which makes the bug well suited to drive-by attacks and malware delivery. Full system compromise additionally requires a sandbox escape, which is why renderer bugs like this are typically chained with a second exploit. Google confirmed active exploitation in the wild and urges all users to update Chrome to version 117.0.5938.92 or higher.
To reduce exposure, first ensure every device running Google Chrome is on version 117.0.5938.92 or later; chrome://version shows the exact build on a given machine. Enterprise patch management tools should push the update to all systems (employee laptops, virtual machines, and mobile endpoints) and report stragglers, because Chrome only applies a downloaded update when the browser is relaunched. Enabling automatic updates keeps future security fixes arriving promptly.
Beyond patching, adopt layered browser defenses: DNS filtering that blocks known malicious domains and phishing redirects, and endpoint detection and response (EDR) rules that flag unexpected child processes or code execution originating from Chrome's renderer. Review extension policy as well; Chrome's enterprise policies can block every extension except an approved allowlist, which removes a common path for third-party code into the browser. These combined efforts help organizations stay ahead of active exploits targeting the browser attack surface.
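Two of the steps above are easy to get subtly wrong: version gating (Chrome builds must be compared as four numbers, since as strings "117.0.5938.132" sorts below "117.0.5938.92") and extension control. The following is an added example, not Google's or RSI Security's tooling: it flags inventory entries below the minimum build named on this page and emits a managed-policy body that blocks all extensions except an allowlist. `ExtensionInstallBlocklist` and `ExtensionInstallAllowlist` are real Chrome enterprise policy names; on Linux the JSON goes in `/etc/opt/chrome/policies/managed/`. The inventory and the extension ID are constructed placeholders.

```python
import json

MIN_PATCHED = "117.0.5938.92"  # minimum build named on this page


def parse_version(v):
    """Chrome versions are four numeric fields; compare numerically, not as strings."""
    parts = v.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {v!r}")
    return tuple(int(p) for p in parts)


def is_patched(version, minimum=MIN_PATCHED):
    return parse_version(version) >= parse_version(minimum)


def outdated_hosts(inventory, minimum=MIN_PATCHED):
    """Hosts below the minimum build; entries that fail to parse count as outdated."""
    out = []
    for host, version in inventory.items():
        try:
            ok = is_patched(version, minimum)
        except ValueError:
            ok = False
        if not ok:
            out.append(host)
    return sorted(out)


def extension_policy(allowed_ids):
    """Managed policy dict: block every extension except the allowlisted IDs."""
    for ext_id in allowed_ids:
        # Chrome extension IDs are 32 characters drawn from a-p.
        if len(ext_id) != 32 or not set(ext_id) <= set("abcdefghijklmnop"):
            raise ValueError(f"not a Chrome extension ID: {ext_id!r}")
    return {
        "ExtensionInstallBlocklist": ["*"],
        "ExtensionInstallAllowlist": sorted(allowed_ids),
    }


# Constructed inventory: hostname -> version as reported by the endpoint agent.
INVENTORY = {
    "lap-001": "117.0.5938.92",
    "lap-002": "116.0.5845.187",
    "lap-003": "117.0.5938.62",
    "vm-build-1": "117.0.5938.132",
    "kiosk-7": "unknown",
}
ALLOWED_EXTENSIONS = ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"]  # constructed placeholder ID

if __name__ == "__main__":
    print("outdated:", outdated_hosts(INVENTORY))
    print(json.dumps(extension_policy(ALLOWED_EXTENSIONS), indent=2))
```

Treat an unparsable version the way the code does, as not patched: an agent that cannot read the build is usually a machine nobody is managing. The same policy keys are set through Group Policy on Windows and a configuration profile on macOS, so the dict can feed whichever distribution mechanism the fleet uses.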
Need patch guidance? RSI Security offers full-service patch management to help you deploy updates quickly and stay protected against active threats.
What These Zero-Days Reveal About Your Cyber Risk Surface
These zero-day vulnerabilities underscore the speed at which attackers can pivot across the enterprise attack surface—from network perimeter to endpoint and application layer. While some vendors have released fixes, others remain in the remediation process—making layered defense and proactive monitoring essential.
RSI Security helps organizations identify vulnerabilities, implement virtual patching, and optimize response strategies. If your organization needs support prioritizing these threats or developing long-term mitigation plans, we’re here to help. Contact RSI Security today to strengthen your defenses and stay ahead of the evolving threat landscape.
Request a complimentary consultation: