The vulnerabilities allow unauthenticated remote code execution and privilege escalation, enabling advanced threat actors to modify read-only memory (ROM) for persistence through reboot and system upgrades.
CISA links this campaign to the ArcaneDoor activity first identified in early 2024, and notes that the adversaries demonstrated the capability to manipulate ASA ROM as early as 2024.
By exploiting zero-days in ASA hardware, ASA-Service Module (ASA-SM), ASA Virtual (ASAv), and ASA firmware on Firepower 2100/4100/9300 devices, attackers achieve unauthenticated remote code execution.
Although Secure Boot on Firepower Threat Defense (FTD) appliances detects ROM manipulation, ASAs lack this protection, making them prime targets.
Cisco has released security updates addressing both vulnerabilities:

| CVE Identifier | Title | CVSS 3.1 Score | Severity |
| --- | --- | --- | --- |
| CVE-2025-20333 | Cisco ASA Remote Code Execution Zero-Day | 9.8 | Critical |
| CVE-2025-20362 | Cisco ASA Privilege Escalation Zero-Day | 7.2 | High |

Failure to remediate poses an unacceptable risk to federal information systems and critical infrastructure.
For all public-facing ASA hardware, perform CISA’s Core Dump and Hunt Instructions Parts 1–3 and submit core dumps via the Malware Next Gen portal by September 26, 2025, 11:59 PM EDT.
If “Compromise Detected,” disconnect (but do not power off), report to CISA, and coordinate incident response. If “No Compromise Detected,” proceed to software updates or device decommissioning.
Permanently disconnect ASA hardware with end-of-support on or before September 30, 2025. Agencies unable to comply must apply Cisco-provided software updates by September 26 and plan for decommissioning.
Download and apply the latest Cisco updates for ASA hardware models supported through August 31, 2026, and for all ASAv and FTD appliances by September 26, 2025.
By October 2, 2025, 11:59 PM EDT, submit a complete inventory and action report to CISA using the provided template. These measures apply to all federal information systems, including those hosted by third-party providers (FedRAMP-authorized or otherwise).
Agencies remain responsible for maintaining inventories and ensuring compliance. CISA will report cross-agency status and outstanding issues to senior leadership by February 1, 2026.
The post CISA Warns of Cisco Firewall 0-Day Vulnerabilities Actively Exploited in the Wild appeared first on Cyber Security News.