CISA Warns of Cisco Firewall 0-Day Vulnerabilities Actively Exploited in the Wild

CISA has issued an Emergency Directive mandating immediate action to mitigate two critical zero-day vulnerabilities, CVE-2025-20333 and CVE-2025-20362, actively exploited against Cisco Adaptive Security Appliances (ASA) and select Firepower platforms. 

The vulnerabilities allow unauthenticated remote code execution and privilege escalation, enabling advanced threat actors to modify read-only memory (ROM) for persistence through reboot and system upgrades.

Exploit Cisco ASA Hardware Zero-Days

CISA links this campaign to the ArcaneDoor activity first identified in early 2024 and notes that the adversaries demonstrated the capability to manipulate ASA ROM as early as 2024.

By exploiting zero-days in ASA hardware, ASA-Service Module (ASA-SM), ASA Virtual (ASAv), and ASA firmware on Firepower 2100/4100/9300 devices, attackers achieve unauthenticated remote code execution. 

Although Secure Boot on Firepower Threat Defense (FTD) appliances detects ROM manipulation, ASAs lack this protection, making them prime targets.

Cisco has released security updates addressing both vulnerabilities:

  • CVE-2025-20333 allows remote code execution on vulnerable ASAs.
  • CVE-2025-20362 permits privilege escalation to root-level access.

Failure to remediate poses an unacceptable risk to federal information systems and critical infrastructure.

| CVE Identifier | Title | CVSS 3.1 Score | Severity |
|---|---|---|---|
| CVE-2025-20333 | Cisco ASA Remote Code Execution Zero-Day | 9.8 | Critical |
| CVE-2025-20362 | Cisco ASA Privilege Escalation Zero-Day | 7.2 | High |

Emergency Directive

For all public-facing ASA hardware, perform CISA’s Core Dump and Hunt Instructions Parts 1–3 and submit core dumps via the Malware Next Gen portal by September 26, 2025, 11:59 PM EDT.

If the result is “Compromise Detected,” disconnect the device (but do not power it off), report to CISA, and coordinate incident response. If the result is “No Compromise Detected,” proceed to software updates or device decommissioning.

Permanently disconnect ASA hardware with an end-of-support date on or before September 30, 2025. Agencies unable to comply must apply Cisco-provided software updates by September 26 and plan for decommissioning.

Download and apply the latest Cisco updates for ASA hardware models supported through August 31, 2026, and for all ASAv and FTD appliances by September 26, 2025.

By October 2, 2025, 11:59 PM EDT, submit a complete inventory and action report to CISA using the provided template. These measures apply to all federal information systems, including those hosted by third-party providers (FedRAMP-authorized or otherwise). 

Agencies remain responsible for maintaining inventories and ensuring compliance. CISA will report cross-agency status and outstanding issues to senior leadership by February 1, 2026.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.