CISA warned U.S. federal agencies to fully patch two actively exploited vulnerabilities in Cisco Adaptive Security Appliances (ASA) and Firepower devices.
Tracked as CVE-2025-20362 and CVE-2025-20333, these security flaws allow remote threat actors to access restricted URL endpoints without authentication and gain code execution on vulnerable Cisco firewall devices, respectively. If chained, they can enable unauthenticated attackers to gain complete control of unpatched devices remotely.
When it patched the two flaws in September, Cisco cautioned customers that they had been exploited as zero-days in attacks targeting 5500-X Series devices with VPN web services enabled. The company also linked these attacks to the ArcaneDoor campaign, which has exploited two other zero-day bugs (CVE-2024-20353 and CVE-2024-20359) to breach government networks since November 2023.
The same day, CISA issued Emergency Directive 25-03, ordering U.S. federal agencies to secure their Cisco firewall devices within 24 hours against active exploitation of CVE-2025-20362 and CVE-2025-20333.
Internet monitoring platform Shadowserver currently tracks over 30,000 Cisco devices vulnerable to these attacks, down from more than 45,000 when it first began tracking the two vulnerabilities in early October.
Some federal agencies failed to fully patch flaws
However, as the cybersecurity agency warned today, some government agencies have failed to correctly patch vulnerable devices, leaving them exposed to attacks amid ongoing attacks targeting unpatched Cisco firewalls on networks belonging to Federal Civilian Executive Branch (FCEB) agencies.
“CISA is aware of multiple organizations that believed they had applied the necessary updates but had not in fact updated to the minimum software version. CISA recommends all organizations verify the correct updates are applied,” CISA said.
“In CISA’s analysis of agency-reported data, CISA has identified devices marked as ‘patched’ in the reporting template, but which were updated to a version of the software that is still vulnerable to the threat activity outlined in the ED. CISA is tracking active exploitation of these vulnerable versions in FCEB agencies,” it added.
To address this issue, CISA has released new guidance to help federal agencies secure their network against attacks chaining the CVE-2025-20362 and CVE-2025-20333 flaws.
It also reminded that Emergency Directive 25-03 requires agencies to apply the latest patch to all ASA and Firepower devices on their networks immediately, not just Internet-exposed devices, to block incoming attacks and mitigate breach risks.
This week, CISA also ordered U.S. federal agencies to patch Samsung devices against a critical vulnerability used in zero-day attacks to deploy LandFall spyware on devices running WhatsApp and secure WatchGuard Firebox firewalls against an actively exploited remote code execution vulnerability.
Whether you’re cleaning up old keys or setting guardrails for AI-generated code, this guide helps your team build securely from the start.
Get the cheat sheet and take the guesswork out of secrets management.