“Patched” but still exposed: US federal agencies must remediate Cisco flaws (again)

"Patched" but still exposed: US federal agencies must remediate Cisco flaws (again)

CISA has ordered US federal agencies to fully address two actively exploited vulnerabilities (CVE-2025-20333, CVE-2025-20362) in Cisco Adaptive Security Appliances (ASA) and Firepower firewalls.

“In CISA’s analysis of agency-reported data, CISA has identified devices marked as ‘patched’ in the reporting template, but which were updated to a version of the software that is still vulnerable to the threat activity outlined in [Emergency Directive 25-03, released on September 25, 2025],” the agency stated on Wednesday.

“CISA is tracking active exploitation of these vulnerable versions in [Federal Civilian Executive Branch] agencies. For agencies with ASA or Firepower devices not yet updated to the necessary software versions or devices that were updated after September 26, 2025, CISA recommends additional actions to mitigate against ongoing and new threat activity.”

Last week, Cisco updated the advisories for the two vulnerabilities to say that it had become aware of a new attack variant leveraging them.

CVE-2025-20333 and CVE-2025-20362

CVE-2025-20333, which allows remote code execution, and CVE-2025-20362, which makes privilege escalation possible, were spotted being exploited as zero-days earlier this year.

In late September, CISA and several other cybersecurity agencies warned about the attacks and attributed them to a state-sponsored threat actor that perpetrated the ArcaneDoor attack campaign in 2023 and 2024.

Those attacks also involved the use of zero-day flaws. The threat actor used custom malware to disable logging and prevent the creation of a crash dump, and modified the ROMMON program that runs before the ASA operating system to ensure the persistence of a custom backdoor they installed.

Completing the vulnerabilities’ mitigation

The Shadowserver Foundation noted in early October that despite repeated warnings, they could still detect around 48,000 unpatched internet-facing appliances, predominantly in the US. That number has since fallen to a little over 32,000.

All ASA and Firepower devices, not just public-facing ones, must be updated to a firmware version that fixes both vulnerabilities, CISA pointed out. Legacy/unsupported devices must be decommissioned and replaced with newer, supported ones.

“If CISA has identified an agency with this issue, we will follow up to confirm that these actions have been taken,” the agency added.

The new guidance lists firmware versions required to mitigate both vulnerabilities.
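The reporting gap CISA describes (a device marked "patched" but running a release below the fixed one for its train) is easy to catch by reconciling reported status against the actual version string. The following is an added example, not code from CISA or Cisco; the per-train minimum fixed releases in `FIXED_BY_TRAIN` are placeholders and must be replaced with the versions from Cisco's advisory and CISA's guidance, and the inventory rows are constructed.

```python
import re
from typing import Optional

# ASSUMPTION: placeholder minimum fixed releases per ASA train, constructed for
# this example. Take the real values from Cisco's advisory / CISA's guidance.
FIXED_BY_TRAIN = {
    (9, 16): (9, 16, 4, 85),
    (9, 18): (9, 18, 4, 67),
    (9, 20): (9, 20, 4, 10),
    (9, 22): (9, 22, 2, 14),
}

# Matches the "show version" style string, e.g. "9.18(4)22" or "9.20(3)".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(\d+)?$")

def parse_asa_version(text: str) -> Optional[tuple]:
    """Turn '9.18(4)22' into (9, 18, 4, 22); '9.20(3)' becomes (9, 20, 3, 0)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))

def classify(version_text: str) -> str:
    """Compare a device's version with the fixed release of its own train."""
    v = parse_asa_version(version_text)
    if v is None:
        return "unparseable"
    train = v[:2]
    if train not in FIXED_BY_TRAIN:
        return "unsupported-train"   # legacy train with no fix: decommission
    return "fixed" if v >= FIXED_BY_TRAIN[train] else "still-vulnerable"

def reconcile(inventory):
    """Return devices whose reported 'patched' status disagrees with the
    version actually running. Rows: (hostname, reported_status, version)."""
    findings = []
    for host, reported, ver in inventory:
        actual = classify(ver)
        if reported == "patched" and actual != "fixed":
            findings.append((host, actual, ver))
    return findings

# Constructed sample rows mimicking an agency reporting template.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "patched", "9.18(4)67"),    # truly on the fixed release
    ("fw-edge-02", "patched", "9.18(4)22"),    # "patched" but below the fix
    ("fw-dc-01", "patched", "9.12(4)67"),      # legacy train, no fix available
    ("fw-lab-01", "unpatched", "9.16(4)10"),   # reported honestly
]
```

A clean version check is only the first step: the directive also calls for additional actions on devices that were updated after September 26, 2025, so a "fixed" result here does not by itself close out the remediation.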

CISA has also added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on the same day and directed US FCEB agencies to address them by December 3, 2025.

Those include:

  • CVE-2025-12480, affecting the Gladinet Triofox secure file sharing and remote access platform
  • CVE-2025-62215, a Windows Kernel vulnerability fixed by Microsoft this Patch Tuesday, and
  • CVE-2025-9242, a critical pre-auth RCE flaw in WatchGuard’s Firebox network security appliances that was patched in September and confirmed to be under active exploitation on October 21.
