Emergency Directive 25-03: Addressing Vulnerabilities in Cisco Devices
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently issued Emergency Directive 25-03 in response to serious cybersecurity threats targeting vulnerabilities in Cisco Adaptive Security Appliances (ASA) and Firepower devices. The directive calls for immediate action from all federal civilian executive branch agencies to assess and mitigate the risks associated with these vulnerable systems.
Understanding the Cybersecurity Threat
CISA’s directive responds to an ongoing exploitation campaign tied to a highly skilled threat actor. The campaign uses various zero-day vulnerabilities in Cisco ASA and Firepower platforms that allow attackers to execute code remotely without authorization and to modify the system’s ROM so that they keep control even after reboots or software updates.
Global Reaction to Cisco ASA Exploits
The urgent nature of this threat has prompted responses from multiple international cybersecurity agencies:
- CERT-FR (France): This organization issued bulletin CERTFR-2025-ALE-013, confirming ongoing exploitation of vulnerabilities CVE-2025-20333 and CVE-2025-20362 across numerous ASA and FTD software versions.
- Australian Cyber Security Centre (ACSC): ACSC has advised organizations to disable IKEv2 and SSL VPN services due to exploitation observed in the Cisco ASA 5500-X Series.
- Canadian Centre for Cyber Security: This agency has alerted the public that sophisticated malware is actively targeting end-of-life Cisco ASA devices, underscoring the need for immediate software patching.
These warnings demonstrate that the vulnerabilities are being exploited globally, with legacy Cisco devices facing increased risk.
Key Vulnerabilities: CVE-2025-20333 and CVE-2025-20362
Two critical vulnerabilities have been specifically identified:
- CVE-2025-20333: This vulnerability permits remote code execution, allowing unauthorized users to take over affected devices.
- CVE-2025-20362: This flaw facilitates privilege escalation, granting attackers elevated permissions that can further compromise system security.
According to Cisco, these vulnerabilities are associated with a broader cyber threat campaign believed to be linked to ArcaneDoor, an advanced operation first detected in early 2024. Security assessments indicate that attackers have had the capability to alter ASA ROMs for an extended period. Some Cisco Firepower models feature Secure Boot protections that can detect such tampering, but many ASA devices lack this protection.
CISA’s Emergency Directive Powers
Emergency Directive 25-03 is issued based on the authority of Section 3553(h) of Title 44, U.S. Code. This provision permits the Secretary of Homeland Security—or the Director of CISA via delegation—to enforce the implementation of emergency measures for information systems processing or storing federal agency data. While binding for federal civilian agencies, this directive does not extend to national security systems, the Department of Defense, or the Intelligence Community.
Required Actions for U.S. Agencies
All U.S. agencies must promptly identify and assess their Cisco ASA and Firepower Threat Defense (FTD) devices. This includes:
- ASA hardware
- ASA-Service Modules (ASA-SM)
- ASA Virtual (ASAv)
- ASA firmware on Firepower 2100, 4100, and 9300 models
Key deadlines and actions include:
- By September 26, 2025: Submit core dumps of all public-facing ASA appliances to CISA via the Malware Next Gen portal.
- Disconnect and report: Any device found compromised must be disconnected immediately.
- Software updates: Agencies are required to implement the latest Cisco software updates for ASA and Firepower devices.
- Decommissioning of end-of-support devices: Any hardware that has reached its end-of-support date on or before September 30, 2025, must be permanently retired.
- Timely updates: For devices with end-of-support dates of August 31, 2026, agencies must apply all current and future updates within 48 hours of their release.
- By October 2, 2025: Agencies must submit a comprehensive inventory report detailing the status and actions taken on all Cisco devices in scope.
These obligations apply not only to devices directly managed by federal agencies but also to those within third-party or cloud environments. Compliance responsibility extends into FedRAMP-authorized settings.
CISA’s Role Moving Forward
CISA will provide a standardized reporting template and will continue to monitor for additional indicators of compromise. Agencies lacking the expertise to meet the directive’s requirements can request specialized assistance from CISA.
A comprehensive report on the status of implementation will be presented by February 1, 2026, to key officials, including the Secretary of Homeland Security, the National Cyber Director, and the Office of Management and Budget.
Entities outside the Federal Executive Branch are also encouraged to follow the outlined forensic procedures, particularly the core dump and threat-hunting instructions, to assess their own exposure to vulnerabilities such as CVE-2025-20333 and CVE-2025-20362.


