Critical Threat Intelligence & Advisory Summaries

ED 25-03: Identify and Mitigate Potential Compromise of Cisco Devices

CISA is aware of an ongoing exploitation campaign by an advanced threat actor targeting Cisco Adaptive Security Appliances (ASA). The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs.

Background

CISA is aware of an ongoing exploitation campaign by an advanced threat actor targeting Cisco Adaptive Security Appliances (ASA). The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. This activity presents a significant risk to victim networks. Cisco assesses that this campaign is connected to the ArcaneDoor activity identified in early 2024 and that this threat actor has demonstrated a capability to successfully modify ASA ROM at least as early as 2024. These zero-day vulnerabilities in the Cisco ASA platform are also present in specific versions of Cisco Firepower. Firepower appliances' Secure Boot would detect the identified manipulation of the ROM.

CISA has assessed that the following CVEs pose an unacceptable risk to federal information systems:

    • CVE-2025-20333 – allows for remote code execution
    • CVE-2025-20362 – allows for privilege escalation

CISA mandates that these vulnerabilities be addressed immediately through the actions outlined in this Directive.

 

CISA is directing agencies to account for all Cisco ASA and Firepower devices, collect forensics and assess compromise via CISA-provided procedures and tools, disconnect end-of-support devices, and upgrade devices that will remain in service. These actions are directed to address the immediate risk, assess compromise, and inform analysis of the ongoing threat actor campaign.

Required Actions:

This Emergency Directive requires agencies to take the following actions:

 

1. Immediately identify all Cisco ASA platforms (ASA hardware, ASA-Service Module [ASA-SM], ASA Virtual [ASAv], and ASA firmware on Firepower 2100/4100/9300) and all Cisco Firepower Threat Defense (FTD) appliances.

For all public-facing Cisco ASA hardware appliances:

2. Follow CISA’s step-by-step Core Dump and Hunt Instructions Parts 1-3 and submit core dump(s) via the Malware Next Gen portal by 11:59 PM EDT on September 26, 2025.

 

a. If the result is “Compromise Detected,” agencies must immediately disconnect the device from their network (but do not power off), report the incident to CISA, and work with CISA on incident response and eviction actions.

b. If the result is “No Compromise Detected,” agencies may proceed to requirements 3 and 4.

If the result is “No Compromise Detected”:

3. For ASA hardware models with an end of support date on or before September 30, 2025, take the following action:

a. Permanently disconnect these devices on or before September 30, 2025, as these legacy platforms/releases cannot meet current vendor support and update requirements.

 

b. Agencies that cannot meet this requirement must apply the latest Cisco-provided software updates by 11:59 PM EDT on September 26, 2025, and must report to CISA the mission-critical needs preventing disconnection, together with plans for eventual decommissioning of the device, as directed by requirement 6.

4. For ASA hardware models with an end of support date of August 31, 2026: Download and apply the latest Cisco-provided updates for software by 11:59 PM EDT on September 26, 2025, and apply all subsequent updates via Cisco’s download portal within 48 hours of release.

 

For all ASAv and Firepower FTD:

5. Download and apply the latest Cisco-provided updates for software by 11:59 PM EDT on September 26, 2025, and apply all subsequent updates via Cisco’s download portal within 48 hours of release.

 

All agencies, regardless of the results of requirement 2, must:

6. By 11:59 PM EDT on October 2, 2025, report to CISA (using the provided template) a complete inventory of all instances of products within scope on agency networks, including details on actions taken and results.
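Requirements 1 through 6 form a triage procedure that an agency has to apply to every in-scope device, and the branch taken depends on platform, public exposure, the hunt result and the end-of-support date. The following Python script is an added example, not CISA's or Cisco's tooling: it encodes that decision logic and emits the applicable requirement numbers, deadlines and actions for each device. The inventory record layout, the platform labels, the hostnames and the dates in the sample are constructed for illustration; the hunt result is assumed to be supplied from CISA's Core Dump and Hunt Instructions, which are not reproduced here.

```python
"""Inventory triage under CISA ED 25-03 (added example, not CISA's own tooling).

Assumptions: the record format below is constructed for this example;
`hunt_result` holds the "Compromise Detected" / "No Compromise Detected"
outcome of CISA's Core Dump and Hunt Instructions (not reproduced here);
end-of-support dates come from the agency's own inventory.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Deadlines and cut-off dates as stated in the directive.
PATCH_DEADLINE = "11:59 PM EDT, 2025-09-26"
INVENTORY_DEADLINE = "11:59 PM EDT, 2025-10-02"
LEGACY_CUTOFF = date(2025, 9, 30)   # requirement 3: EoS on or before this date
LATER_EOS = date(2026, 8, 31)       # requirement 4: EoS on exactly this date

COMPROMISED = "Compromise Detected"
CLEAN = "No Compromise Detected"
UPDATE_ACTION = (f"apply latest Cisco-provided updates by {PATCH_DEADLINE}; "
                 "apply subsequent updates within 48 hours of release")


@dataclass
class Device:
    hostname: str
    platform: str                      # "asa_hardware", "asav" or "ftd" (constructed labels)
    public_facing: bool
    end_of_support: Optional[date] = None
    hunt_result: Optional[str] = None  # None: core dump not yet submitted
    mission_critical: bool = False     # agency cannot disconnect by the cut-off


@dataclass
class Triage:
    hostname: str
    requirements: list = field(default_factory=list)
    actions: list = field(default_factory=list)
    disconnect_now: bool = False


def triage(dev: Device) -> Triage:
    """Map one device to the directive's numbered requirements and actions."""
    t = Triage(dev.hostname, [1, 6])   # identify + report apply to every device
    t.actions.append(f"report in CISA inventory template by {INVENTORY_DEADLINE}")

    if dev.platform in ("asav", "ftd"):
        t.requirements.append(5)
        t.actions.append(UPDATE_ACTION)
    elif dev.platform != "asa_hardware":
        t.actions.append("unrecognised platform label; classify manually")
    elif not dev.public_facing:
        # The core-dump requirement names public-facing ASA hardware only.
        t.actions.append("not public-facing: no explicit directive action beyond "
                         "inventory; confirm handling with CISA")
    else:
        t.requirements.append(2)
        if dev.hunt_result is None:
            t.actions.append("submit core dump via Malware Next Gen portal by "
                             f"{PATCH_DEADLINE}; hold requirements 3/4 until result")
        elif dev.hunt_result == COMPROMISED:
            t.disconnect_now = True
            t.actions.append("disconnect from network now (do not power off); "
                             "report incident to CISA; run IR/eviction with CISA")
        elif dev.hunt_result != CLEAN:
            t.actions.append(f"unrecognised hunt result {dev.hunt_result!r}; classify manually")
        else:
            _legacy_or_supported(dev, t)
    t.requirements.sort()
    return t


def _legacy_or_supported(dev: Device, t: Triage) -> None:
    """'No Compromise Detected': requirement 3 or 4 depends on end-of-support date."""
    eos = dev.end_of_support
    if eos is None:
        t.actions.append("end-of-support date unknown; look up before applying requirement 3/4")
    elif eos <= LEGACY_CUTOFF:
        t.requirements.append(3)
        if dev.mission_critical:
            t.actions.append(f"apply latest Cisco-provided updates by {PATCH_DEADLINE}; report "
                             "mission-critical need and decommissioning plan to CISA")
        else:
            t.actions.append(f"permanently disconnect on or before {LEGACY_CUTOFF.isoformat()}")
    elif eos == LATER_EOS:
        t.requirements.append(4)
        t.actions.append(UPDATE_ACTION)
    else:
        t.actions.append("end-of-support date matches no category in the directive; confirm with CISA")


# Constructed sample inventory: hostnames and dates are illustrative only.
SAMPLE = [
    Device("asa-edge-1", "asa_hardware", True, date(2024, 9, 30), COMPROMISED),
    Device("asa-edge-2", "asa_hardware", True, date(2025, 9, 30), CLEAN),
    Device("asa-edge-3", "asa_hardware", True, date(2026, 8, 31), CLEAN),
    Device("asa-edge-4", "asa_hardware", True, date(2026, 8, 31), None),
    Device("asav-dc-1", "asav", True),
    Device("ftd-branch-1", "ftd", False),
]


def triage_all(devices=SAMPLE):
    return {d.hostname: triage(d) for d in devices}


if __name__ == "__main__":
    for t in triage_all().values():
        flag = " [DISCONNECT]" if t.disconnect_now else ""
        print(f"{t.hostname}{flag} requirements={t.requirements}")
        for a in t.actions:
            print("  -", a)
```

Cases the directive does not spell out (a non-public-facing ASA hardware appliance, an end-of-support date that falls into neither named category, a hunt result not yet returned) are flagged for manual classification rather than guessed, so the output can be reconciled line by line against the CISA reporting template.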

CISA Actions:

1. CISA will provide agencies with a template that will be used for reporting agency actions following the issuance of this Directive.

2. CISA will continue efforts to identify instances and potential compromises associated with this threat activity, provide partner notifications, and will issue additional guidance and direction, as appropriate.

3. CISA can provide technical assistance to agencies that lack the internal capabilities needed to comply with this Directive.

4. By February 1, 2026, CISA will provide a report to the Secretary of Homeland Security, the National Cyber Director, the Director of the Office of Management and Budget, and the Federal Chief Information Security Officer identifying cross-agency status and outstanding issues.

 

Article Information:

Release Date: 25-September-2025

Source: U.S. CISA - https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices