The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive ordering federal agencies to identify and patch two vulnerabilities in Cisco Adaptive Security Appliances (ASA).
According to CISA, both vulnerabilities are being actively exploited by an advanced threat actor in a widespread campaign, and they pose an “unacceptable risk” to federal information systems.
The vulnerabilities (CVE-2025-20333 and CVE-2025-20362) enable threat actors to gain unauthenticated remote code execution on ASAs and manipulate Read-Only Memory (ROM) so that the compromise persists through system reboots and upgrades.
According to Cisco, the campaign is connected to the “ArcaneDoor” operation that the company first investigated in April 2024. Since then, it has been used to compromise several federal agencies, two anonymous US officials stated in an interview with Cybersecurity Dive. In May this year, multiple government agencies contacted Cisco for assistance investigating the attacks.
“Attackers were observed to have exploited multiple zero-day vulnerabilities and employed advanced evasion techniques,” said Cisco. These techniques included disabling logging, intercepting CLI commands, and crashing devices to prevent diagnostic analysis.
Urgent Response Required
In its directive, CISA states that federal agencies must inventory all Cisco ASA and Firepower devices, use CISA-provided tools to assess compromise, disconnect unsupported devices, and upgrade or patch any vulnerable devices that remain in use. Agencies must also submit a complete report of actions taken and the results to CISA by 11:59 PM EDT on October 2nd.
Although directed towards federal agencies, CISA also encourages public and private sector organizations using ASA to review its guidance and take action.
CISA has promised technical support to any agencies lacking the internal resources to comply, and will continue working to identify vulnerable systems, notify partners, and issue further guidance where necessary.
The UK’s National Cyber Security Centre (NCSC) has also called for organizations to “urgently investigate” and patch vulnerable devices, and report any evidence of compromise to the NCSC.
“Systems and devices should be promptly migrated to modern versions to address vulnerabilities and strengthen resilience,” said NCSC Chief Technology Officer, Ollie Whitehouse.