The Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive (ED) 25-03 in response to active exploitation of zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) and Cisco Firepower devices. The vulnerabilities, tracked as CVE-2025-20333 and CVE-2025-20362, pose a severe risk to federal networks and require immediate mitigation.

Background: Widespread Exploitation Campaign

CISA confirmed an ongoing campaign by a state-sponsored threat actor that exploits Cisco ASA zero-days to gain unauthenticated remote code execution and manipulates read-only memory (ROM) to persist through reboots and upgrades. The campaign has been linked to the ArcaneDoor activity first identified in 2024, which demonstrated advanced firmware tampering techniques.

According to CISA, the affected vulnerabilities include:

These flaws represent an “unacceptable risk” to federal information systems.

Required Actions Under ED 25-03

Federal agencies must take immediate steps outlined by CISA, including:

  1. Identify All Devices
    Agencies must inventory all Cisco ASA platforms (hardware, ASA Service Module, ASAv, and ASA firmware on Firepower 2100/4100/9300) and Cisco Firepower Threat Defense (FTD) appliances.
  2. Conduct Forensic Analysis
  3. Apply Security Updates
    End-of-support ASA devices (EOS by September 30, 2025): Permanently disconnect from networks.
    Supported ASA hardware (EOS August 31, 2026): Apply the latest Cisco-provided updates.
    ASAv and Firepower FTD: Apply the latest Cisco updates immediately, and install future patches within 48 hours of release.
  4. Report Compliance
    By October 2, 2025, agencies must submit a complete inventory and mitigation report to CISA using the provided template.

CISA’s Role and Federal Authority

Under 44 U.S.C. § 3553(h) and 6 U.S.C. § 655(3), the Director of CISA has the authority to issue emergency directives requiring agencies to take lawful actions to mitigate significant threats. Compliance is mandatory for all federal civilian executive branch agencies, though entities outside government are encouraged to follow the same guidance.

CISA will:

  • Provide technical assistance to agencies lacking in-house expertise.
  • Continue to monitor exploitation campaigns and share indicators of compromise.
  • Deliver a cross-agency compliance report to DHS and the Office of Management and Budget by February 1, 2026.

Why This Directive Matters

Cisco ASA appliances are widely used in federal and enterprise environments. The use of ROM persistence techniques represents a major escalation, allowing attackers to survive reboots, upgrades, and common remediation steps. CISA’s directive underscores both the criticality of patch management and the urgency of coordinated federal defense against state-backed actors.

Author

Editorial Team
The Editorial Team at Security Land is comprised of experienced professionals dedicated to delivering insightful analysis, breaking news, and expert perspectives on the ever-evolving threat landscape.
