
CISA issues emergency directive over Cisco zero-day attacks targeting Federal networks

  • Marijan Hassan - Tech Journalist
  • 6 days ago
  • 2 min read

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent Emergency Directive (ED 25-03) requiring all federal civilian agencies to immediately identify and mitigate the active, widespread exploitation of zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) and Firepower Threat Defense (FTD) firewall devices. CISA warns that the sophisticated campaign poses an "unacceptable risk" to federal networks.



Critical vulnerabilities under active exploitation

The directive focuses on two primary zero-day flaws, now added to CISA's Known Exploited Vulnerabilities Catalog:


  • CVE-2025-20333 (Critical): A remote code execution vulnerability.

  • CVE-2025-20362: An unauthorized access vulnerability.


Cisco and CISA have assessed that an advanced threat actor is chaining these two bugs together to bypass authentication and gain full, unauthenticated control of the affected devices. This activity is believed to be a continuation of the highly sophisticated "ArcaneDoor" campaign first identified by Cisco in early 2024.


The threat of persistent malware

The techniques employed by the hackers are particularly alarming. The threat actor has demonstrated an ability to manipulate the device's read-only memory (ROMMON), allowing their malware to persist through system reboots and software upgrades. Gaining a foothold on these perimeter-network devices gives the attacker the ability to monitor, redirect, or modify network traffic, effectively bridging the internal network to the public web.


“CISA is directing federal agencies to take immediate action due to the alarming ease with which a threat actor can exploit these vulnerabilities, maintain persistence on the device, and gain access to a victim's network,” said CISA Acting Director Madhu Gottumukkala.


CISA has imposed a stringent timeline for all Federal Civilian Executive Branch agencies to address the threat, with the final compliance report due by 11:59 p.m., October 2, 2025.


Agencies are required to check all public-facing Cisco ASA devices for signs of compromise and immediately disconnect any device where a breach is detected. Devices reaching their end-of-support status must be permanently removed from the network.


A risk for every organisation

Although the directive is aimed at federal agencies, CISA strongly urges all public and private sector organizations using Cisco ASA and Firepower devices to review the emergency instructions and take immediate steps to mitigate these vulnerabilities. International partners from the UK, Canada, and Australia are also urging their respective organizations to apply the security patches released by Cisco.
