CISA Urges Federal Agencies to Fully Patch Cisco ASA and Firepower Devices Amid Active Exploitation
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert directing federal agencies to fully patch Cisco Adaptive Security Appliances (ASA) and Firepower Threat Defense (FTD) devices. The alert responds to active exploitation of two severe vulnerabilities: CVE-2025-20333, which permits remote code execution, and CVE-2025-20362, which enables privilege escalation.
Overview of the Vulnerabilities
CVE-2025-20333 is a remote code execution flaw that allows unauthenticated attackers to execute arbitrary code on affected devices. CVE-2025-20362 is a privilege escalation vulnerability that enables authenticated attackers to gain elevated privileges. Both vulnerabilities pose significant risks to the integrity and security of federal information systems.
Patch Compliance and Challenges
CISA’s analysis of agency compliance reports revealed a concerning trend: numerous devices reported as patched were still operating on outdated software versions susceptible to these vulnerabilities. This discrepancy suggests a misunderstanding of patch requirements or the deployment of incomplete updates.
Mandatory Patch Requirements
To mitigate these risks, CISA mandates that all ASA and Firepower devices, including non-public-facing equipment, be updated to the following minimum software versions:
– ASA Devices:
  – 9.12.4.72
  – 9.14.4.28
  – 9.16.4.85
  – 9.18.4.67
  – 9.20.4.10
  – 9.22.2.14
  For ASA versions 9.17 and 9.19, agencies are required to migrate to supported releases.
– Firepower Devices:
  – 7.0.8.1
  – 7.2.10.2
  – 7.4.2.4
  – 7.6.2.1
The specific version depends on the current release train of the device.
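Because the minimum version differs per release train, a device can be reported as "patched" while still running a fixed release from the wrong train, or an interim build below the listed minimum, which is the discrepancy CISA found in the compliance reports. The following check, added here as an example and not part of CISA's alert or Cisco's tooling, encodes the per-train minimums quoted above and compares each device's self-reported status against what its version string actually indicates. The `show version`-style parenthesised format (`9.16(4)85`) it accepts and the inventory it runs over are assumptions and constructed sample data, not values taken from the alert.

```python
"""Compliance check for the ASA/FTD minimum versions listed in the alert.

Added example; it is not CISA's or Cisco's code. The per-train minimums
are the ones quoted above; the inventory below is constructed test data.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, int]

# Minimum fixed release per train, keyed by (major, minor), as listed in the alert.
ASA_MINIMUM = {
    (9, 12): (9, 12, 4, 72),
    (9, 14): (9, 14, 4, 28),
    (9, 16): (9, 16, 4, 85),
    (9, 18): (9, 18, 4, 67),
    (9, 20): (9, 20, 4, 10),
    (9, 22): (9, 22, 2, 14),
}
FTD_MINIMUM = {
    (7, 0): (7, 0, 8, 1),
    (7, 2): (7, 2, 10, 2),
    (7, 4): (7, 4, 2, 4),
    (7, 6): (7, 6, 2, 1),
}
# ASA trains the alert says have no in-train fix and must be migrated.
ASA_MIGRATE_TRAINS = {(9, 17), (9, 19)}

# Accepts dotted advisory notation (9.16.4.85) and the parenthesised form ASA
# prints in 'show version' (9.16(4)85); the latter format is an assumption.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)[.(](\d+)\)?(?:\.?(\d+))?")


def parse_version(text: str) -> Optional[Version]:
    """Return (major, minor, maintenance, interim) or None if no version is present."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    major, minor, maint, interim = match.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def assess(product: str, version_text: str) -> str:
    """Classify one device: compliant, vulnerable, migrate, unlisted-train or unparseable."""
    version = parse_version(version_text)
    if version is None:
        return "unparseable"
    train = version[:2]
    if product == "ASA" and train in ASA_MIGRATE_TRAINS:
        return "migrate"  # no fixed release in this train; move to a supported one
    table = ASA_MINIMUM if product == "ASA" else FTD_MINIMUM
    minimum = table.get(train)
    if minimum is None:
        return "unlisted-train"  # not in the list above; check vendor guidance
    # Tuple comparison is component-wise, so 9.16.4.48 < 9.16.4.85 as intended.
    return "compliant" if version >= minimum else "vulnerable"


def audit(inventory) -> List[Tuple[str, str, str]]:
    """Return (hostname, reported status, assessed status) for every device
    whose version string does not support a 'compliant' assessment."""
    findings = []
    for host, product, reported, version_text in inventory:
        actual = assess(product, version_text)
        if actual != "compliant":
            findings.append((host, reported, actual))
    return findings


# Constructed inventory: (hostname, product, status reported to CyberScope, version line).
SAMPLE_INVENTORY = [
    ("asa-edge-1", "ASA", "patched", "Cisco Adaptive Security Appliance Software Version 9.16(4)85"),
    ("asa-edge-2", "ASA", "patched", "Cisco Adaptive Security Appliance Software Version 9.16(4)48"),
    ("asa-lab-1", "ASA", "patched", "Cisco Adaptive Security Appliance Software Version 9.19(1)12"),
    ("ftd-dc-1", "FTD", "patched", "Cisco Firepower Threat Defense 7.4.2.4"),
    ("ftd-dc-2", "FTD", "pending", "Cisco Firepower Threat Defense 7.2.9"),
]

if __name__ == "__main__":
    for host, reported, actual in audit(SAMPLE_INVENTORY):
        print(f"{host}: reported '{reported}' but version indicates '{actual}'")
```

Run against a real inventory, the `audit` output is the list of devices whose compliance report needs to be resubmitted: "patched" entries that are still on an interim build below the minimum, and devices on the 9.17 and 9.19 trains that have no fixed release to patch to and must be migrated instead.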
Emergency Directive 25-03 Compliance
Under Emergency Directive 25-03, agencies are required to deploy patches within 48 hours of their release. For public-facing ASA hardware, agencies must perform CISA’s Core Dump and Hunt procedures and submit findings via the Malware Next Gen portal prior to patching. Non-compliant agencies are obligated to resubmit compliance reports through CyberScope. CISA will directly engage with these agencies to ensure immediate corrective actions are taken.
Implications of Non-Compliance
Failure to adhere to these directives not only jeopardizes the security of federal networks but also undermines the collective effort to safeguard national information infrastructure. CISA’s enforcement actions underscore the critical importance of comprehensive and timely patching strategies across all device categories within federal agencies.
Conclusion
In light of the active exploitation of these vulnerabilities, it is imperative for all federal agencies to review their patch management protocols, ensure full compliance with CISA’s directives, and maintain vigilance against emerging threats. By doing so, agencies can fortify their defenses and contribute to the overall resilience of the nation’s cybersecurity posture.