CISA: ‘Emergency’ Response Needed Amid Cisco Firewall Attacks
A pair of zero-day vulnerabilities affecting Cisco Adaptive Security Appliance devices have been exploited in attacks, prompting CISA to issue an ‘emergency directive’ Thursday.
Cyberattacks that have exploited two zero-day Cisco firewall vulnerabilities prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an “emergency directive” Thursday.
Threat actors have exploited the flaws that affect certain Cisco Adaptive Security Appliance devices, the tech giant disclosed in an advisory Thursday.
The vulnerabilities consist of a critical-severity flaw (tracked as CVE-2025-20333) and a medium-severity vulnerability (tracked as CVE-2025-20362) that, “when chained together, could allow an unauthenticated, remote attacker to gain full control of an affected device,” Cisco said in its advisory.
“The evidence collected strongly indicates that CVE-2025-20333 and CVE-2025-20362 were used by the attacker in the current attack campaign,” the company said.
The vulnerabilities have been addressed in software updates that are now available, Cisco said.
In a statement provided to CRN, Cisco said that “during an investigation with several government incident response agencies into malicious activity, we discovered three new vulnerabilities impacting certain Cisco Adaptive Security Appliances (ASA) 5500-X Series devices running Cisco Secure Firewall ASA Software with VPN web services enabled.”
“We attribute these attacks to the same state-sponsored threat actor behind the ArcaneDoor campaign reported in early 2024,” the company said.
Cisco said in the statement that it “strongly” recommends upgrading impacted devices to the available fixed software.
In the CISA advisory Thursday, the agency said that its emergency directive “requires federal agencies to identify, analyze, and mitigate potential compromises immediately,” including both Cisco Adaptive Security Appliances (ASA) and Cisco Firepower devices.
Federal agencies must “identify all instances of Cisco ASA and Cisco Firepower devices in operation” and then “collect and transmit memory files to CISA for forensic analysis” by midnight Friday.
While the order only applies to federal agencies, CISA “urges all public and private sector organizations to review the Emergency Directive and associated resources and take steps to mitigate these vulnerabilities,” the agency said.
The newly disclosed attacks and emergency CISA directive come a day after Cisco reported that a zero-day vulnerability impacting its IOS and IOS XE platforms had seen exploitation in cyberattacks.