On September 25, 2025, Cybersecurity and Infrastructure Security Agency’s (CISA) Emergency Directive 25-03: Identify and Mitigate Potential Compromise of Cisco Devices, was issued to communicate the current state and guidance to public and private sector organizations for this highly active, pervasive and damaging attack.  

CISA is aware of an ongoing exploitation campaign by an advanced threat actor targeting Cisco Adaptive Security Appliances (ASA). The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade…  These zero-day vulnerabilities in the Cisco ASA platform are also present in specific versions of Cisco Firepower. Firepower appliances’ Secure Boot would detect the identified manipulation of the ROM. 

CISA has assessed that the following CVEs pose an unacceptable risk to federal information systems: 

• CVE-2025-20333 – allows for remote code execution 

• CVE-2025-20362 – allows for privilege escalation 

CISA mandates that these vulnerabilities be addressed immediately through the actions outlined below: 

1. Immediately identify all Cisco ASA platforms (ASA hardware, ASA-Service Module [ASA-SM], ASA Virtual [ASAv], and ASA firmware on Firepower 2100/4100/9300) and all Cisco Firepower Threat Defense (FTD) appliances.
2. For Federal Agencies, including systems used or operated by other entities on behalf of an agency, these actions include following the steps outlined in the Directive to submit core dump(s) via their Malware portal by 11:50pm EDT on September 26, 2025, to identify potentially compromised devices and disconnect them from their networks. DO NOT POWER OFF the devices, to support further Incident Response (IR) and investigation of this malware. 
3. For all organizations, run credentialed vulnerability scans of Cisco devices, to identify vulnerable devices, and download and install the latest Cisco updates IMMEDIATELY!  
4. For Federal Agencies and entities in scope for this guidance, this includes providing a report to CISA (using their provided template), to report your complete inventory for devices within the scope of this Directive, including details of actions taken and the current results. 

For non-federal organizations, do not take this attack lightly. READ the guidance from the Directive to inform your own response and investigation, and actions to disconnect potentially compromised devices, retire “end of support” (e.g. EOL) devices, and mitigate against this attack. dd

Guidance for Partners and Customers of SAINT products 

Update your SAINT scanning solution to Data Version 100608005 or higher (path: Manage – System Status – “Restart and Update”), and run a Credentialed scan, using the “Full Vulnerability Scan” policy, on all Cisco devices referenced in the guidance, to identify potentially impacted devices and re-run this scan after the referenced patches have been applied, to verify all devices have been remediated. For devices that have reached “end of support” we also reaffirm CISA’s guidance to disconnect and retire these devices, to mitigate against this and future exposures and attacks. 

For reference: Cisco has released the following fixes for Cisco ASA and FTD. 

Cisco ASA Software: 

• Cisco customers on the 9.17 branch must migrate to a fixed release to address CVE-2025-20363 

• Cisco customers on the 9.17 and 9.19 branches must migrate to a fixed release to address CVE-2025-20362. 

Cisco FTD Software: 

• Cisco customers on the 7.1 and 7.3 branches must migrate to a fixed release to address all three vulnerabilities. 

__________________________ 

For more information on these and other vulnerabilities, and additional services available from Carson & SAINT, contact us at be.secure@carson-saint.com.