CISA has issued Emergency Directive ED 25-03: Identify and Mitigate Potential Compromise of Cisco Devices to address vulnerabilities in Cisco Adaptive Security Appliances (ASA) and Cisco Firepower devices. CISA has added vulnerabilities CVE-2025-20333 and CVE-2025-20362 to the Known Exploited Vulnerabilities Catalog.
CISA is aware of an ongoing exploitation campaign by an advanced threat actor targeting Cisco Adaptive Security Appliances (ASA). The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. This activity presents a significant risk to victim networks. Cisco assesses that this campaign is connected to the ArcaneDoor activity identified in early 2024 and that this threat actor has demonstrated a capability to successfully modify ASA ROM at least as early as 2024. These zero-day vulnerabilities in the Cisco ASA platform are also present in specific versions of Cisco Firepower. Firepower appliances’ Secure Boot would detect the identified manipulation of the ROM.
The Emergency Directive requires federal agencies to identify, analyze, and mitigate potential compromises immediately. Agencies must:
- Identify all instances of Cisco ASA and Cisco Firepower devices in operation (all versions).
- Collect and transmit memory files to CISA for forensic analysis by 11:59 p.m. EST Sept. 26.
For detailed guidance, including additional actions tailored to each agency’s status, refer to the full Emergency Directive ED 25-03.
The original announcement can be found here.
