Federal civilian agencies must immediately patch critical Cisco firewall vulnerabilities being exploited by an “advanced threat actor.”
The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive ordering immediate action.
The vulnerabilities (CVE-2025-20333 and CVE-2025-20362) affect Cisco Adaptive Security Appliances (ASA). One allows remote code execution, the other privilege escalation.
Bad actors have been seen chaining the two. The first carries a severity score of 9.9, the second 6.5. Cisco released patches last Thursday.
Acting CISA Director Madhu Gottumukkala stressed the urgency. “Threat actors can exploit these vulnerabilities with alarming ease, maintain persistence, and gain access to a network,” she said. “The same risks apply to any organizations using these devices. We strongly urge adoption of the Emergency Directive actions.”
Agencies must account for all ASA and Firepower devices, assess compromise using CISA tools, disconnect end-of-support devices, and apply updates. Public-facing ASA hardware needs to follow step-by-step core dump procedures. Compromised devices should stay connected but offline while CISA coordinates eviction and remediation.
Legacy hardware reaching end-of-support must be permanently disconnected by 30 September. Remaining devices must be patched immediately and kept up to date. All agencies must report inventories and actions by 2 October.
CISA will provide technical support, templates, and additional guidance. A cross-agency report is due by 1 February 2026, tracking compliance and outstanding issues.
Agencies that delay risk network compromise. Threat actors are targeting zero-day flaws, manipulating device memory to persist through reboots.
Trust in Perimeter Defenses
“When a critical firewall vulnerability surfaces, it’s a reminder of just how much trust organizations place in perimeter defenses, and how quickly that trust can be undermined,” says David Matalon, CEO at Venn.
“Firewalls are often seen as the first and last line of defense, which makes them a prime target for attackers. Security teams need to patch immediately, but also recognize that patching alone isn’t a strategy. These events highlight why organizations should assume that edge devices can and will be compromised, and why security models must extend beyond the perimeter to protect data at the user and device level.”
Venn says the reality is that in today’s distributed, BYOD-heavy workforces, data often lives outside traditional perimeters. “A layered approach – one that combines timely patching with endpoint controls, data isolation, and least-privilege access – is critical to limiting the blast radius when vulnerabilities inevitably emerge. The message for IT and security leaders is clear: fix the immediate issue, but also invest in resilience so the next zero-day doesn’t put your organization at risk.”
Edge Devices Actively Targeted
Heath Renfrow, Co-Founder and Chief Information Security Officer at Fenix24, adds that CISA doesn’t issue Emergency Directives lightly. ED-25-03 is a clear signal that Cisco ASA/Firepower edge devices are being actively targeted and that exploitation is straightforward enough for an actor to gain persistence and pivot into networks. Two bugs are in play: CVE-2025-20333 (RCE, CVSS 9.9) and CVE-2025-20362 (authorization bypass). In practice, attackers chain them to get unauthenticated code execution on Internet-facing VPN portals—a worst-case scenario for perimeter gear.
Immediate Actions
Renfrow advises all entities, not just federal, should do the following today:
- Identify & account for every ASA/FTD (including any forgotten branch or lab units). If it’s end-of-support, disconnect it.
- Patch immediately to Cisco’s fixed releases and follow Cisco’s “continued attacks” guidance. Do not wait for a maintenance window.
- Assume the edge might already be touched. Pull device tech-support bundles and run compromise assessments using CISA’s procedures; if indicators are found, treat the device as compromised infrastructure (wipe/rebuild from known-good images, not just patch-in-place).
- Reduce attack surface immediately: If you don’t need WebVPN/Clientless SSL VPN, turn it off. Restrict management plane (no Internet-exposed ASDM/SSH/HTTPS; use out-of-band/VPN-only admin). Geo/IP allow-lists and no split-tunnel admin paths.
- Credential & Token Hygiene: Rotate local/admin accounts on the devices, rotate AnyConnect and IdP secrets, and invalidate cached SSO sessions that touched the ASA/FTD.
- Log & Monitor: Enable detailed logging, export to your SIEM, and hunt for anomalous WebVPN requests and config changes around the disclosure window; add IDS/IPS detections from your vendor.
- Compensating controls while patching: Temporary VPN access restrictions (per-user, per-group, per-country). Rate-limit and WAF/CDN in front of portal if feasible. Short-term maintenance banners to discourage portal probing. (These buy time, they don’t fix exposure.)
“Cisco notes that CVE-2025-20333 is authenticated RCE, however, CISA and multiple researchers explain 20362 (auth bypass) lets attackers reach CVE-2025-20333 without creds—that’s why urgency is so high. This activity tracks with sophisticated, state-linked campaigns against perimeter appliances seen this year; edge devices remain prime initial-access targets,” Renfrow adds.
The bottom line, he says, is to treat this like an incident, not a routine patch. Inventory, patch fast, verify, then harden the management surface. If you find evidence of tampering, rebuild and rotate secrets before bringing the device back into service.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.