CISA issued an emergency directive ordering US federal agencies to urgently patch two actively exploited zero-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) in **Cisco Adaptive Security Appliances (ASA) and Firepower firewalls**. The flaws—enabling **remote code execution (RCE)** and **privilege escalation**—were linked to a **state-sponsored threat actor** (same group behind the 2023–2024 *ArcaneDoor* campaign). The attacker deployed **custom malware** to disable logging, prevent forensic analysis, and install a persistent backdoor by modifying the **ROMMON bootloader**. Despite repeated warnings, over **32,000 unpatched internet-facing devices** remained exposed as of October 2025, risking **full system compromise, lateral movement across networks, and potential data exfiltration**. CISA mandated immediate firmware updates or decommissioning of legacy devices, emphasizing that even **non-public-facing appliances** were at risk. The vulnerabilities’ exploitation could grant attackers **unrestricted access to critical infrastructure**, enabling espionage, disruption of government services, or further attacks on interconnected systems. The directive also expanded to include three additional actively exploited flaws in the **KEV catalog**, underscoring the escalating threat to federal networks.
Source: https://www.helpnetsecurity.com/2025/11/13/cisa-directive-cve-2025-20333-cve-2025-20362/
Cisco Talos cybersecurity rating report: https://www.rankiteo.com/company/cisco-talos-intelligence-group
"id": "CIS5692656111325",
"linkid": "cisco-talos-intelligence-group",
"type": "Vulnerability",
"date": "6/2023",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
```python
{'affected_entities': [{'industry': 'Public Sector',
                        'location': 'United States',
                        'name': 'Federal Civilian Executive Branch (FCEB) Agencies',
                        'type': 'Government'},
                       {'location': 'Global (predominantly US)',
                        'name': 'Organizations using Cisco ASA/Firepower appliances',
                        'type': ['Government', 'Private Sector']}],
 'attack_vector': ['Remote Code Execution (RCE)',
                   'Privilege Escalation',
                   'Custom Malware (Backdoor Persistence)',
                   'ROMMON Modification'],
 'customer_advisories': ['Cisco PSIRT advisories',
                         'Public warnings via CISA KEV catalog'],
 'data_breach': {'data_exfiltration': 'Potential (via custom backdoor)'},
 'date_detected': '2025-01-01',
 'date_publicly_disclosed': '2025-09-25',
 'description': ('CISA has ordered US federal agencies to address two actively '
                 'exploited zero-day vulnerabilities (CVE-2025-20333, CVE-2025-20362) '
                 'in Cisco Adaptive Security Appliances (ASA) and Firepower firewalls. '
                 'The vulnerabilities, allowing remote code execution (CVE-2025-20333) '
                 'and privilege escalation (CVE-2025-20362), are linked to a '
                 'state-sponsored threat actor responsible for the 2023–2024 ArcaneDoor '
                 'campaign. Despite patches, ~32,000 unpatched internet-facing '
                 'appliances remain vulnerable. CISA mandates firmware updates for all '
                 'devices (including non-public-facing) and decommissioning of '
                 'legacy/unsupported systems. Additional vulnerabilities '
                 '(CVE-2025-12480, CVE-2025-62215, CVE-2025-9242) were also added to '
                 'CISA’s KEV catalog with a December 3, 2025, remediation deadline.'),
 'impact': {'brand_reputation_impact': ['Potential reputational damage to US federal agencies',
                                        'Erosion of public trust in cybersecurity posture'],
            'operational_impact': ['Potential disruption of federal agency networks',
                                   'Risk of persistent backdoor access'],
            'systems_affected': '~32,000 unpatched internet-facing Cisco ASA/Firepower '
                                'appliances (down from ~48,000)'},
 'initial_access_broker': {'backdoors_established': ['Custom ROMMON backdoor',
                                                     'Logging disablement',
                                                     'Crash dump prevention'],
                           'entry_point': ['Unpatched Cisco ASA/Firepower appliances '
                                           '(internet-facing and internal)',
                                           'Zero-day vulnerabilities '
                                           '(CVE-2025-20333, CVE-2025-20362)'],
                           'high_value_targets': ['US federal agency networks',
                                                  'Sensitive government data']},
 'investigation_status': 'Ongoing (CISA tracking active exploitation; '
                         'remediation deadline: 2025-12-03)',
 'lessons_learned': ['Incomplete patching (e.g., updating to still-vulnerable versions) '
                     'undermines mitigation efforts.',
                     'Legacy/unsupported devices pose significant risks and must be '
                     'decommissioned.',
                     'State-sponsored actors leverage zero-days for long-term persistence '
                     '(e.g., ROMMON backdoors).',
                     'Public-facing appliances are not the only attack surface; internal '
                     'devices must also be patched.'],
 'motivation': ['Espionage', 'Persistence', 'Data Exfiltration'],
 'post_incident_analysis': {'corrective_actions': ['Mandatory firmware validation against '
                                                   'CISA’s approved versions',
                                                   'Accelerated decommissioning of '
                                                   'end-of-life hardware',
                                                   'Enhanced supply chain risk management '
                                                   'for network devices',
                                                   'Expanded threat hunting for ROMMON-based '
                                                   'persistence mechanisms'],
                            'root_causes': ['Failure to apply comprehensive patches '
                                            '(e.g., updating to intermediate vulnerable '
                                            'versions)',
                                            'Persistence of legacy/unsupported devices in '
                                            'critical networks',
                                            'Insufficient validation of patch effectiveness',
                                            'State-sponsored actor’s use of zero-days with '
                                            'custom malware for stealth']},
 'recommendations': ['Verify firmware versions against CISA’s mitigation guidance to '
                     'ensure *fully* patched status.',
                     'Prioritize replacement of end-of-life Cisco ASA/Firepower devices.',
                     'Implement network segmentation to limit lateral movement.',
                     'Enhance logging and monitoring for signs of ROMMON tampering or '
                     'custom malware.',
                     'Conduct regular audits of internet-facing assets for unpatched '
                     'vulnerabilities.'],
 'references': [{'date_accessed': '2025-09-25',
                 'source': 'CISA Emergency Directive 25-03',
                 'url': 'https://www.cisa.gov/news-events/directives/emergency-directive-25-03'},
                {'date_accessed': '2025-09-25',
                 'source': 'Cisco Security Advisory (CVE-2025-20333, CVE-2025-20362)',
                 'url': 'https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-firepower-rce-privesc-XXXXX'},
                {'date_accessed': '2025-10-01',
                 'source': 'Shadowserver Foundation Report (Unpatched Appliances)',
                 'url': 'https://www.shadowserver.org/news/ongoing-cisco-asa-firepower-exploitation/'},
                {'date_accessed': '2024-04-15',
                 'source': 'ArcaneDoor Campaign Analysis (2023–2024)',
                 'url': 'https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-100a'}],
 'regulatory_compliance': {'regulations_violated': ['CISA Emergency Directive 25-03 '
                                                    '(non-compliance)',
                                                    'FISMA (potential)'],
                           'regulatory_notifications': ['CISA KEV catalog updates',
                                                        'Mandatory reporting for FCEB '
                                                        'agencies']},
 'response': {'communication_strategy': ['CISA Emergency Directive 25-03 (2025-09-25)',
                                         'Public advisories',
                                         'Stakeholder notifications'],
              'containment_measures': ['Firmware updates to patched versions',
                                       'Decommissioning of legacy/unsupported devices',
                                       'Network segmentation (implied)'],
              'enhanced_monitoring': True,
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'network_segmentation': True,
              'remediation_measures': ['Mandatory patching by December 3, 2025',
                                       'Replacement of unsupported hardware',
                                       'CISA follow-ups with non-compliant agencies'],
              'third_party_assistance': ['Shadowserver Foundation (threat detection)',
                                         'Cisco (patch guidance)']},
 'stakeholder_advisories': ['CISA directives',
                            'Cisco customer notifications',
                            'Federal agency internal briefings'],
 'threat_actor': 'State-sponsored actor (linked to 2023–2024 ArcaneDoor campaign)',
 'title': 'Active Exploitation of Cisco ASA and Firepower Firewall Vulnerabilities '
          '(CVE-2025-20333, CVE-2025-20362)',
 'type': ['Vulnerability Exploitation',
          'Zero-Day Attack',
          'State-Sponsored Cyber Espionage'],
 'vulnerability_exploited': ['CVE-2025-20333 (Cisco ASA/Firepower - RCE)',
                             'CVE-2025-20362 (Cisco ASA/Firepower - Privilege Escalation)']}
```