CISA Announced ED 25-03 Critical Zero-Day Vulnerabilities and Active Exploitation of Cisco Devices

On September 25, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03: Identify and Mitigate Potential Compromise of Cisco Devices, to communicate the current state and guidance to public and private sector organizations for this highly active, pervasive and damaging attack.

 

CISA is aware of an ongoing exploitation campaign by an advanced threat actor targeting Cisco Adaptive Security Appliances (ASA). The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade…  These zero-day vulnerabilities in the Cisco ASA platform are also present in specific versions of Cisco Firepower. Firepower appliances’ Secure Boot would detect the identified manipulation of the ROM. 

   

CISA has assessed that the following CVEs pose an unacceptable risk to federal information systems: 

CISA mandates that these vulnerabilities be addressed immediately through the actions outlined below: 

 

  1. Immediately identify all Cisco ASA platforms (ASA hardware, ASA-Service Module [ASA-SM], ASA Virtual [ASAv], and ASA firmware on Firepower 2100/4100/9300) and all Cisco Firepower Threat Defense (FTD) appliances.
  2. For Federal Agencies, including systems used or operated by other entities on behalf of an agency, these actions include following the steps outlined in the Directive to submit core dump(s) via their Malware portal by 11:50pm EDT on September 26, 2025, to identify potentially compromised devices and disconnect them from their networks. DO NOT POWER OFF the devices, to support further Incident Response (IR) and investigation of this malware. 
  3. For all organizations, run credentialed vulnerability scans of Cisco devices, to identify vulnerable devices, and download and install the latest Cisco updates IMMEDIATELY!  
  4. For Federal Agencies and entities in scope for this guidance, this includes providing a report to CISA (using their provided template), to report your complete inventory for devices within the scope of this Directive, including details of actions taken and the current results. 

 

For non-federal organizations, do not take this attack lightly. READ the guidance from the Directive to inform your own response and investigation, and actions to disconnect potentially compromised devices, retire “end of support” (e.g. EOL) devices, and mitigate against this attack.

Guidance for Partners and Customers of SAINT products 

Update your SAINT scanning solution to Data Version 100608005 or higher (path: Manage – System Status – “Restart and Update”). Then run a Credentialed scan, using the “Full Vulnerability Scan” policy, on all Cisco devices referenced in the guidance to identify potentially impacted devices. Re-run this scan after the referenced patches have been applied to verify that all devices have been remediated. For devices that have reached “end of support”, we also reaffirm CISA’s guidance to disconnect and retire these devices, to mitigate against this and future exposures and attacks.

For reference: Cisco has released the following fixes for Cisco ASA and FTD. 

| CVE | Affected Product | Affected Versions | Fixed Version |
|---|---|---|---|
| CVE-2025-20333 | Cisco ASA Software | 9.16, 9.17, 9.18, 9.19, 9.20, 9.22 | 9.16.4.85, 9.17.1.45, 9.18.4.47, 9.19.1.37, 9.20.3.7, 9.22.1.3 |
| CVE-2025-20333 | Cisco FTD Software | 7.0, 7.2, 7.4, 7.6 | 7.0.8.1, 7.2.9, 7.4.2.4, 7.6.1 |
| CVE-2025-20363 | Cisco ASA Software | 9.16, 9.18, 9.19, 9.20, 9.22, 9.23 | 9.16.4.84, 9.18.4.57, 9.19.1.42, 9.20.3.16, 9.22.2, 9.23.1.3 |
| CVE-2025-20363 | Cisco FTD Software | 7.0, 7.2, 7.4, 7.6, 7.7 | 7.0.8, 7.2.10, 7.4.2.3, 7.6.1, 7.7.10 |
| CVE-2025-20362 | Cisco ASA Software | 9.16, 9.18, 9.20, 9.22, 9.23 | 9.16.4.85, 9.18.4.67, 9.20.4.10, 9.22.2.14, 9.23.1.19 |
| CVE-2025-20362 | Cisco FTD Software | 7.0, 7.2, 7.4, 7.6, 7.7 | 7.0.8.1, 7.2.10.2, 7.4.2.4, 7.6.2.1, 7.7.10.1 |

 

Cisco ASA Software: 

  • Cisco customers on the 9.17 branch must migrate to a fixed release to address CVE-2025-20363.
  • Cisco customers on the 9.17 and 9.19 branches must migrate to a fixed release to address CVE-2025-20362. 

Cisco FTD Software: 

  • Cisco customers on the 7.1 and 7.3 branches must migrate to a fixed release to address all three vulnerabilities. 
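
The fixed-release table and migration notes above can be turned into an inventory check. The following Python is an added example, not part of the original post or any SAINT or Cisco tooling; the hostnames and running versions in `INVENTORY` are constructed, and the parser also accepts the `9.16(4)85` form in which ASA reports its version.

```python
import re

# Fixed releases from the table above, keyed by CVE then product.
FIXED = {
    "CVE-2025-20333": {"ASA": "9.16.4.85 9.17.1.45 9.18.4.47 9.19.1.37 9.20.3.7 9.22.1.3",
                       "FTD": "7.0.8.1 7.2.9 7.4.2.4 7.6.1"},
    "CVE-2025-20363": {"ASA": "9.16.4.84 9.18.4.57 9.19.1.42 9.20.3.16 9.22.2 9.23.1.3",
                       "FTD": "7.0.8 7.2.10 7.4.2.3 7.6.1 7.7.10"},
    "CVE-2025-20362": {"ASA": "9.16.4.85 9.18.4.67 9.20.4.10 9.22.2.14 9.23.1.19",
                       "FTD": "7.0.8.1 7.2.10.2 7.4.2.4 7.6.2.1 7.7.10.1"},
}
# Branches the migration notes above say have no in-branch fix.
MIGRATE = {
    "CVE-2025-20333": {"ASA": (), "FTD": ("7.1", "7.3")},
    "CVE-2025-20363": {"ASA": ("9.17",), "FTD": ("7.1", "7.3")},
    "CVE-2025-20362": {"ASA": ("9.17", "9.19"), "FTD": ("7.1", "7.3")},
}

def parse(version):
    """'9.16(4)85' or '9.16.4.85' -> (9, 16, 4, 85), zero-padded to four parts."""
    nums = [int(n) for n in re.findall(r"\d+", version)][:4]
    return tuple(nums + [0] * (4 - len(nums)))

def assess(product, version):
    """Return {cve: verdict} for one device, using only the data above."""
    have = parse(version)
    branch = "%d.%d" % have[:2]
    result = {}
    for cve, products in FIXED.items():
        # Map each release branch to its fixed release for this CVE and product.
        fixes = {"%d.%d" % parse(f)[:2]: f for f in products[product].split()}
        if branch in MIGRATE[cve][product]:
            result[cve] = "migrate to a fixed release"
        elif branch not in fixes:
            result[cve] = "branch not listed, check the Cisco advisory"
        elif have >= parse(fixes[branch]):
            result[cve] = "fixed"
        else:
            result[cve] = "upgrade to " + fixes[branch] + " or later"
    return result

# Constructed inventory (hostnames and versions are made up for illustration).
INVENTORY = [("edge-asa-01", "ASA", "9.18(4)50"), ("dc-asa-02", "ASA", "9.19.1.42"),
             ("branch-ftd-03", "FTD", "7.3.1"), ("hq-ftd-04", "FTD", "7.6.2.1")]

if __name__ == "__main__":
    for host, product, version in INVENTORY:
        for cve, verdict in assess(product, version).items():
            print(f"{host:14} {product} {version:10} {cve}: {verdict}")
```

A "fixed" verdict reflects only the running software version; it does not show that a device was not compromised before it was patched, which is what the core dump analysis in the Directive addresses.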

__________________________ 

For more information on these and other vulnerabilities, and additional services available from Carson & SAINT, contact us at be.secure@carson-saint.com. 

 


Randall Laudermilk, Vice President of Product Strategy & Strategic Partners

Randall Laudermilk joined the company in 2009 and is responsible for establishing strategic alliances and technical partnerships. Randy brings a unique combination of business, market, and technology acumen. He has a vast range of experience in the IT field, including 25 years of experience in both IT professional services and product management. Randy has an extensive background in business development and has been instrumental in developing several corporate and product strategies that facilitate increased customer value and revenue potential for our partners. He served in the U.S. Air Force and later held a position with the Joint Staff’s Special Operations Division at the Pentagon. Randy also completed professional study at the Performance Institute and earned an M.S. in Information Systems from Marymount University. He is a Certified Scrum Master (CSM) and Certified Scrum Product Owner (CSPO), and a member of the Scrum Alliance.
