The vulnerabilities allow unauthenticated remote code execution and privilege escalation, enabling advanced threat actors to modify read-only memory (ROM) for persistence through reboot and system upgrades.
CISA links this campaign to the ArcaneDoor activity first identified in early 2024, in which adversaries demonstrated the capability to manipulate ASA ROM as early as 2024.
By exploiting zero-days in ASA hardware, ASA-Service Module (ASA-SM), ASA Virtual (ASAv), and ASA firmware on Firepower 2100/4100/9300 devices, attackers achieve unauthenticated remote code execution.
Although Secure Boot on Firepower Threat Defense (FTD) appliances detects ROM manipulation, ASAs lack this protection, making them prime targets.
Cisco has released security updates addressing both vulnerabilities, which are listed in the table below.
Failure to remediate poses an unacceptable risk to federal information systems and critical infrastructure.
| CVE Identifier | Title | CVSS 3.1 Score | Severity |
| --- | --- | --- | --- |
| CVE-2025-20333 | Cisco ASA Remote Code Execution Zero-Day | 9.8 | Critical |
| CVE-2025-20362 | Cisco ASA Privilege Escalation Zero-Day | 7.2 | High |
For all public-facing ASA hardware, perform CISA’s Core Dump and Hunt Instructions Parts 1–3 and submit core dumps via the Malware Next Gen portal by September 26, 2025, 11:59 PM EDT.
If “Compromise Detected,” disconnect (but do not power off), report to CISA, and coordinate incident response. If “No Compromise Detected,” proceed to software updates or device decommissioning.
Permanently disconnect ASA hardware with an end-of-support date on or before September 30, 2025. Agencies unable to comply must apply Cisco-provided software updates by September 26 and plan for decommissioning.
Download and apply the latest Cisco updates for ASA hardware models supported through August 31, 2026, and for all ASAv and FTD appliances by September 26, 2025.
By October 2, 2025, 11:59 PM EDT, submit a complete inventory and action report to CISA using the provided template. These measures apply to all federal information systems, including those hosted by third-party providers (FedRAMP-authorized or otherwise).
Agencies remain responsible for maintaining inventories and ensuring compliance. CISA will report cross-agency status and outstanding issues to senior leadership by February 1, 2026.
The post CISA Warns of Cisco Firewall 0-Day Vulnerabilities Actively Exploited in the Wild appeared first on Cyber Security News.