The Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 25-03 in response to active exploitation of two zero-day vulnerabilities, CVE-2025-20333 and CVE-2025-20362, affecting Cisco Adaptive Security Appliances (ASA) and select Firepower platforms. Chained together, the two flaws give an unauthenticated remote attacker code execution as root, and the threat actors have used that access to modify the device's read-only memory (ROM) so that their implant persists through system reboots and software upgrades.
Background on the Vulnerabilities
CVE-2025-20333 is a critical buffer overflow in the ASA/FTD VPN web server (CVSS 9.9) that lets a remote attacker holding valid VPN credentials execute arbitrary code as root. CVE-2025-20362 is a missing-authorization flaw in the same web server (CVSS 6.5) that lets an unauthenticated remote attacker reach restricted URL endpoints that would normally require authentication. Chained, CVE-2025-20362 removes the authentication requirement that CVE-2025-20333 would otherwise impose, yielding unauthenticated remote code execution. Exploitation poses a significant risk to federal information systems and critical infrastructure, and the same exposure applies to any organization running the affected devices.
Connection to ArcaneDoor Campaign
CISA has linked this activity to the ArcaneDoor campaign first identified in early 2024, in which the same adversary already demonstrated the ability to manipulate ASA ROM. The targets are ASA hardware, the ASA Services Module (ASA-SM), ASA Virtual (ASAv), and ASA software running on Firepower 2100, 4100 and 9300 chassis, all of which are exposed to unauthenticated remote code execution. Platforms that implement Secure Boot and Trust Anchor, including newer Firepower hardware, detect ROM tampering at boot; the older ASA 5500-X models lack this protection, which is why they are the prime targets for the persistence technique.
CISA’s Emergency Directive
In response to these active threats, CISA has mandated immediate actions for all federal agencies:
1. Identification and Forensic Analysis: Agencies must identify all public-facing ASA hardware and perform CISA’s Core Dump and Hunt Instructions Parts 1–3. Core dumps should be submitted via the Malware Next Gen portal by September 26, 2025, 11:59 PM EDT.
2. Incident Response: If a compromise is detected, agencies must disconnect the affected devices from the network but leave them powered on, so that volatile memory and other evidence survive for forensic analysis, then report to CISA and coordinate incident response efforts.
3. Software Updates and Decommissioning: Agencies must permanently disconnect any ASA hardware that reached end-of-support on or before September 30, 2025. For devices remaining in service, including ASA hardware models supported through August 31, 2026 and all ASAv and FTD appliances, agencies must download and apply the latest Cisco updates by September 26, 2025.
4. Reporting: By October 2, 2025, 11:59 PM EDT, agencies must submit a complete inventory and action report to CISA using the provided template.
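The directive's actions depend on three facts per device: what hardware it is, what software it runs, and whether it is public-facing. The script below is an added example, not part of the directive or any CISA or Cisco tooling, showing how a practitioner might turn `show version` output plus an inventory into the per-device action list (decommission, hunt, patch). The `show version` text, the inventory records, the end-of-support dates and the fixed-version tuples are all constructed placeholders; the real end-of-support dates and first fixed releases for each software train must be taken from Cisco's advisory.

```python
import re
from datetime import date

# Constructed, abbreviated `show version` output from a Cisco ASA. Model,
# version and build details are illustrative, not taken from a real device.
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.16(4)70
Device Manager Version 7.16(1)

System image file is "disk0:/asa9-16-4-70-smp-k8.bin"

Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
"""

# ASA prints versions as major.minor(maintenance)interim, e.g. 9.16(4)70;
# the interim number is optional.
VERSION_RE = re.compile(
    r"Adaptive Security Appliance Software Version\s+(\d+)\.(\d+)\((\d+)\)(\d+)?"
)
HARDWARE_RE = re.compile(r"^Hardware:\s+(ASA\w+)", re.MULTILINE)

# Hardware whose end-of-support date is on or before this must be disconnected.
ED_DECOMMISSION_CUTOFF = date(2025, 9, 30)


def parse_show_version(text):
    """Return (hardware model, version tuple) from ASA `show version` text."""
    vm = VERSION_RE.search(text)
    hm = HARDWARE_RE.search(text)
    if not vm or not hm:
        raise ValueError("input does not look like ASA 'show version' output")
    major, minor, maint, interim = vm.groups()
    return hm.group(1), (int(major), int(minor), int(maint), int(interim or 0))


def triage(model, version, end_of_support, fixed_version, public_facing):
    """Map one device onto the directive's actions.

    end_of_support: date the hardware model left support (None for ASAv/FTD).
    fixed_version:  first fixed release for this software train, from Cisco's
                    advisory (the values used in this example are placeholders).
    Returns a list of action strings, most urgent first.
    """
    actions = []
    if end_of_support is not None and end_of_support <= ED_DECOMMISSION_CUTOFF:
        actions.append("DECOMMISSION: permanently disconnect (end-of-support)")
        return actions                      # nothing else applies to a retired box
    # Core dump + hunt is required for public-facing ASA *hardware*; ASAv is virtual.
    if public_facing and not model.startswith("ASAv"):
        actions.append("HUNT: core dump + hunt instructions, submit by 2025-09-26")
    # Tuple comparison gives correct ordering across all four version fields.
    if version < fixed_version:
        actions.append("PATCH: upgrade to fixed release by 2025-09-26")
    else:
        actions.append("OK: already at or above fixed release")
    return actions


# Constructed inventory; end-of-support dates and fixed versions are placeholders.
SAMPLE_INVENTORY = [
    {"name": "edge-fw-1", "show_version": SAMPLE_SHOW_VERSION,
     "end_of_support": date(2026, 8, 31), "fixed_version": (9, 16, 4, 80),
     "public_facing": True},
    {"name": "branch-fw-7",
     "show_version": SAMPLE_SHOW_VERSION.replace("ASA5525", "ASA5506"),
     "end_of_support": date(2025, 8, 31), "fixed_version": (9, 16, 4, 80),
     "public_facing": True},
]


def triage_inventory(inventory):
    """Return {device name: [actions]} for every record in the inventory."""
    report = {}
    for dev in inventory:
        model, version = parse_show_version(dev["show_version"])
        report[dev["name"]] = triage(model, version, dev["end_of_support"],
                                     dev["fixed_version"], dev["public_facing"])
    return report


if __name__ == "__main__":
    for name, actions in triage_inventory(SAMPLE_INVENTORY).items():
        print(name, "->", "; ".join(actions))
```

The decommission check runs first because a retired device is disconnected regardless of its patch level; the hunt action is emitted even for devices that are already at the fixed release, since a patch does not remove an implant that was installed before it.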
These measures apply to all federal information systems, including those hosted by third-party providers, regardless of their FedRAMP authorization status. Agencies are responsible for maintaining inventories and ensuring compliance. CISA will report cross-agency status and outstanding issues to senior leadership by February 1, 2026.
Implications for Organizations
While the Emergency Directive specifically targets federal agencies, the vulnerabilities in question affect a broad range of organizations using Cisco ASA and Firepower devices. Therefore, it is imperative for all organizations to take the following actions:
– Immediate Patching: Apply the latest security updates provided by Cisco. Because the actors persist by modifying ROM, an upgrade alone does not evict an implant that is already in place; patch and hunt together, and treat any device that was exposed while unpatched as potentially compromised until its core dump has been examined.
– System Audits: Collect core dumps and run the same hunt procedures CISA has published for federal agencies to look for signs of compromise or unauthorized access, and retire any hardware that can no longer receive fixes.
– Incident Response Planning: Develop and test incident response plans to ensure swift action in the event of a security breach.
– Network Monitoring: Continuously monitor traffic to and from the devices' VPN and management interfaces, limit exposure of the VPN web services to what is required, and alert on unexpected configuration changes so that suspicious activity is detected and handled promptly.
Conclusion
The active exploitation of these zero-day vulnerabilities, and the firmware-level persistence behind it, underscores that edge devices need the same patch discipline, logging and forensic readiness as any other critical system. Organizations must apply the fixes, hunt for existing compromise rather than assuming an upgrade has cleaned the device, and follow the practices above to safeguard their systems against sophisticated threats.