Categories: Cyber Security News

CISA Warns of Federal Agencies Not Fully Patching Actively Exploited Cisco ASA or Firepower Devices

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert regarding federal agencies failing to properly patch Cisco Adaptive Security Appliances (ASA) and Firepower Threat Defense (FTD) devices against actively exploited vulnerabilities.

Under Emergency Directive 25-03, CISA has identified two severe CVEs posing unacceptable risks to federal information systems: CVE-2025-20333, which enables remote code execution, and CVE-2025-20362, which allows privilege escalation.

Patch Status on Critical Cisco Devices

Active exploitation of these vulnerabilities has been detected across federal civilian executive branch (FCEB) agencies.

The primary concern stems from a critical discovery during CISA’s analysis of agency compliance reports.

| CVE ID | Vulnerability Type | Impact |
| --- | --- | --- |
| CVE-2025-20333 | Remote Code Execution | Allows unauthenticated attackers to execute arbitrary code |
| CVE-2025-20362 | Privilege Escalation | Allows authenticated attackers to escalate privileges |

Numerous devices marked as “patched” in official reporting templates were found running outdated software versions that remain vulnerable to active threats.

This discrepancy indicates that agencies misunderstood patch requirements or deployed incomplete updates.

CISA emphasizes that agencies must update ALL ASA and Firepower devices to the minimum required software versions, not just public-facing equipment.

Vulnerable software trains include ASA versions 9.12 through 9.22 and Firepower versions 7.0 through 7.6, each requiring specific minimum patch levels.

For ASA devices, the minimum required versions are: 9.12.4.72, 9.14.4.28, 9.16.4.85, 9.18.4.67, 9.20.4.10, and 9.22.2.14. ASA versions 9.17 and 9.19 require migration to supported releases.

Firepower devices must run at least 7.0.8.1, 7.2.10.2, 7.4.2.4, or 7.6.2.1, depending on their current release train. Emergency Directive 25-03 mandates patch deployment within 48 hours of release.
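The version check described above can be automated against a device inventory. The following is an added example, not code from CISA or Cisco: the minimum versions are the ones quoted in this article, while the inventory rows, hostnames, and the "review" status are constructed for illustration. It accepts both the dotted form and the `9.18(4)67` form that ASA prints.

```python
# Added example: minimum versions are the ones quoted in the article above.
MINIMUMS = {
    "asa": {"9.12": "9.12.4.72", "9.14": "9.14.4.28", "9.16": "9.16.4.85",
            "9.18": "9.18.4.67", "9.20": "9.20.4.10", "9.22": "9.22.2.14"},
    "ftd": {"7.0": "7.0.8.1", "7.2": "7.2.10.2", "7.4": "7.4.2.4", "7.6": "7.6.2.1"},
}
ASA_MIGRATE_TRAINS = {"9.17", "9.19"}  # article: must move to a supported release

def parse(version):
    """Turn '9.18(4)67' or '9.18.4.67' into (9, 18, 4, 67); raise ValueError otherwise."""
    dotted = version.strip().replace("(", ".").replace(")", ".").strip(".")
    nums = [int(p) for p in dotted.split(".")]  # int() rejects forms like '2-172'
    if not 2 <= len(nums) <= 4:
        raise ValueError(version)
    return tuple(nums + [0] * (4 - len(nums)))

def assess(platform, version):
    """Return 'compliant', 'vulnerable', 'migrate', or 'review' (needs a human)."""
    table = MINIMUMS.get(platform.lower())
    try:
        v = parse(version)
    except ValueError:
        return "review"
    train = f"{v[0]}.{v[1]}"
    if platform.lower() == "asa" and train in ASA_MIGRATE_TRAINS:
        return "migrate"
    if table is None or train not in table:
        return "review"  # the article lists no minimum for this train
    # Compare as integer tuples: as strings, '7.2.9' would sort above '7.2.10.2'.
    return "compliant" if v >= parse(table[train]) else "vulnerable"

def misreported(inventory):
    """Hosts reported as patched whose running version says otherwise."""
    findings = {}
    for host, platform, version, reported in inventory:
        status = assess(platform, version)
        if reported == "patched" and status != "compliant":
            findings[host] = status
    return findings

# Constructed sample inventory: (host, platform, running version, reported status)
INVENTORY = [
    ("edge-fw-01", "asa", "9.18(4)67", "patched"),
    ("core-fw-02", "asa", "9.16(4)57", "patched"),  # internal device, below minimum
    ("lab-fw-03", "asa", "9.17(1)39", "patched"),   # train with no fixed release
    ("dc-ftd-01", "ftd", "7.4.2.4", "patched"),
    ("dc-ftd-02", "ftd", "7.2.9", "patched"),
    ("br-ftd-03", "ftd", "7.4.2-172", "patched"),   # build-number form, not comparable
]

if __name__ == "__main__":
    for host, status in misreported(INVENTORY).items():
        print(f"{host}: reported patched, assessed {status}")
```

Feed it the version string each device actually reports rather than the value recorded in the compliance template, since the mismatch between the two is what the check is meant to surface.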

Agencies operating public-facing ASA hardware must execute CISA’s Core Dump and Hunt procedures and submit findings via the Malware Next Gen portal before patching.

Non-compliant agencies must resubmit ED 25-03 compliance reports through CyberScope. CISA will directly contact identified non-compliant agencies to ensure corrective actions are completed immediately.

This enforcement action underscores the critical importance of comprehensive patching strategies across all device categories within federal networks.

The post CISA Warns of Federal Agencies Not Fully Patching Actively Exploited Cisco ASA or Firepower Devices appeared first on Cyber Security News.
