The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 25-03 in response to an ongoing and severe cybersecurity threat targeting vulnerabilities in Cisco Adaptive Security Appliances (ASA) and Cisco Firepower devices. The directive mandates immediate action from all federal civilian executive branch agencies to identify and mitigate potential compromises affecting vulnerable systems.
The directive stems from the discovery of an active exploitation campaign attributed to a sophisticated threat actor. The campaign leverages multiple zero-day vulnerabilities in Cisco ASA and Firepower platforms, enabling attackers to achieve unauthenticated remote code execution and to modify the device ROM so that their access persists across reboots and software upgrades.
Global Concern Over Cisco ASA Exploits
The cybersecurity threat has triggered responses from multiple international agencies, including:
- CERT-FR (France): Published bulletin CERTFR-2025-ALE-013, confirming active exploitation of CVE-2025-20333 and CVE-2025-20362 in multiple ASA and FTD software versions.
- Australian Cyber Security Centre (ACSC): Issued guidance highlighting exploitation in Cisco ASA 5500-X Series and advised organizations to disable IKEv2 and SSL VPN services as a precaution.
- Canadian Centre for Cyber Security: Warned that sophisticated malware is being deployed globally to target end-of-life Cisco ASA devices, emphasizing the critical need for immediate patching.
These alerts confirm that the vulnerabilities are being actively exploited worldwide and that legacy Cisco devices are at heightened risk.
Decoding CVE-2025-20333 and CVE-2025-20362
Two critical vulnerabilities have been specifically highlighted:
- CVE-2025-20333: Enables remote code execution
- CVE-2025-20362: Allows privilege escalation
According to Cisco, these vulnerabilities are part of a larger threat campaign believed to be linked to ArcaneDoor, an advanced operation first uncovered in early 2024. Cisco's security assessments suggest that the attackers have been able to alter ASA ROMs since at least that time.
While some Cisco Firepower models include Secure Boot protections that can detect such tampering, many ASA devices remain vulnerable.
Emergency Directive 25-03 is issued under the authority of Section 3553(h) of Title 44, U.S. Code, allowing the Secretary of Homeland Security, or, through delegation, the Director of CISA, to mandate emergency actions for information systems that process or store federal agency data.
These directives are binding for all federal civilian agencies, though they do not apply to national security systems, the Department of Defense, or the Intelligence Community.
Required Agency Actions
U.S. agencies are instructed to immediately identify and assess all Cisco ASA and Firepower Threat Defense (FTD) devices within their networks. This includes ASA hardware, ASA-Service Modules (ASA-SM), ASA Virtual (ASAv), and ASA firmware on Firepower 2100, 4100, and 9300 models.
Key deadlines and requirements include:
- By 11:59 PM EDT on September 26, 2025: Submit core dumps of all public-facing ASA hardware appliances to CISA via the Malware Next Gen portal.
- Disconnect and report any device where a compromise is detected.
- Apply the latest Cisco software updates for ASA, ASAv, and Firepower devices.
- Begin decommissioning end-of-support (EOS) hardware: devices with EOS dates on or before September 30, 2025 must be permanently removed from service.
- For devices with EOS dates of August 31, 2026, agencies must apply all current and future updates within 48 hours of release via the Cisco download portal.
- By 11:59 PM EDT on October 2, 2025: Submit a complete inventory report to CISA, detailing the status and actions taken on all Cisco devices in scope.
- These mandates apply not only to devices directly operated by agencies but also to those in third-party or cloud environments. Agencies are responsible for managing compliance even in FedRAMP-authorized or non-FedRAMP service provider environments.
CISA’s Role and Future Reporting
CISA will provide a standardized reporting template and continue monitoring for additional indicators of compromise. Agencies lacking the technical expertise to meet directive requirements can request CISA technical assistance.
A comprehensive report on the directive’s implementation status will be submitted by February 1, 2026, to the Secretary of Homeland Security, the National Cyber Director, the Office of Management and Budget (OMB), and the Federal Chief Information Security Officer (CISO).
Entities outside the Federal Executive Branch are encouraged to voluntarily follow the same forensic procedures, particularly the core dump and hunt instructions, to determine if they are also affected by vulnerabilities like CVE-2025-20333 and CVE-2025-20362.