US Agencies Still Vulnerable to Critical Cisco Flaws

▼ Summary
– CISA has ordered federal agencies to patch two actively exploited Cisco vulnerabilities (CVE-2025-20333 and CVE-2025-20362) in ASA and Firepower devices.
– Agencies mistakenly reported devices as patched when they were updated to still-vulnerable software versions, requiring additional mitigation actions.
– These vulnerabilities, a remote code execution and a privilege escalation flaw, were exploited as zero-days and linked to a state-sponsored threat actor from the ArcaneDoor campaign.
– Despite warnings, thousands of internet-facing appliances remain unpatched, and all devices must be updated or decommissioned if unsupported.
– CISA also added three new vulnerabilities to its Known Exploited Vulnerabilities catalog, giving agencies until December 3, 2025, to address them.
A significant cybersecurity alert has been issued for U.S. federal agencies concerning two critical vulnerabilities within Cisco’s Adaptive Security Appliances (ASA) and Firepower firewalls. The Cybersecurity and Infrastructure Security Agency (CISA) has mandated immediate action to address actively exploited flaws identified as CVE-2025-20333 and CVE-2025-20362. Despite some agencies reporting their systems as patched, CISA discovered that many devices were updated to software versions that remain vulnerable, prompting a new emergency directive to close this security gap.
CISA’s analysis revealed that numerous devices marked as secure in agency reports were actually running software that does not contain the fixes: they had been upgraded, but only to a release that is still vulnerable, not to the minimum fixed version for their release train. The agency confirmed it is tracking active exploitation of these vulnerabilities within Federal Civilian Executive Branch systems. For any ASA or Firepower device that has not been updated to the required versions, or that was only updated after September 26, 2025, CISA advises taking additional defensive measures to guard against both current and emerging attacks.
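The reporting error described above comes from treating "we upgraded" as "we are patched". A fix for an ASA flaw ships as a minimum version on each supported release train, so the only correct check is to parse the running version and compare it against the fixed version for that same train. The following script, an added example that is not part of the HelpNet Security article and not Cisco or CISA tooling, parses ASA version strings of the form `9.16(4)67` from constructed `show version` output and applies that per-train comparison. The fixed-version table (`HYPOTHETICAL_FIXED_MIN`) is a placeholder with made-up values; the real minimum versions are the ones listed in Cisco's advisories and CISA's guidance and must be substituted before use.

```python
import re

# Cisco ASA version strings look like "9.16(4)67": major.minor(maintenance)interim.
# The trailing interim build number is optional, e.g. "9.20(3)".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(\d+)?$")
_SHOW_VERSION_RE = re.compile(
    r"Cisco Adaptive Security Appliance Software Version\s+(\S+)"
)

# HYPOTHETICAL per-train minimum fixed versions, used only to exercise the check.
# These are NOT the real advisory values; replace them with the versions from
# Cisco's advisory / CISA's directive before relying on the result.
HYPOTHETICAL_FIXED_MIN = {
    "9.12": "9.12(4)72",
    "9.16": "9.16(4)67",
    "9.18": "9.18(4)47",
    "9.20": "9.20(3)7",
}


def parse_asa_version(s):
    """Return (major, minor, maintenance, interim) so tuples compare numerically."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version string: {s!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def release_train(v):
    """The train is major.minor; fixes are published per train."""
    return f"{v[0]}.{v[1]}"


def assess(running, fixed_min=HYPOTHETICAL_FIXED_MIN):
    """Classify a running version against the fixed version on its own train.

    A train absent from the table has no fixed release in this table, which is
    not "safe": the device must move to a supported train or be decommissioned.
    """
    v = parse_asa_version(running)
    train = release_train(v)
    if train not in fixed_min:
        return "no-fixed-release-on-train"
    return "fixed" if v >= parse_asa_version(fixed_min[train]) else "vulnerable"


def assess_show_version(show_version_output, fixed_min=HYPOTHETICAL_FIXED_MIN):
    """Pull the software version out of 'show version' text and assess it."""
    m = _SHOW_VERSION_RE.search(show_version_output)
    if not m:
        raise ValueError("no ASA software version line found in output")
    version = m.group(1)
    return version, assess(version, fixed_min)


# Constructed sample of 'show version' output (not captured from a real device).
# The device was upgraded within the 9.16 train but not far enough to reach the
# (hypothetical) fixed build, which is exactly the mistake CISA describes.
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.16(4)55
SSP Operating System Version 2.10(1.1)
Device Manager Version 7.16(1)
"""

if __name__ == "__main__":
    version, verdict = assess_show_version(SAMPLE_SHOW_VERSION)
    print(f"running {version}: {verdict}")
    for v in ["9.16(4)67", "9.18(3)9", "9.20(3)12", "9.8(4)48"]:
        print(f"{v}: {assess(v)}")
```

Two points follow from the code. First, a newer train is not automatically fixed: in the placeholder table `9.18(3)9` is on a newer train than `9.16(4)67` yet is classified vulnerable, because the comparison is against `9.18`'s own minimum. Second, a device whose train has no fixed release at all is reported as such rather than as "fixed", which is the case the article's guidance on unsupported equipment addresses.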
Cisco recently updated its advisories for these vulnerabilities, noting the emergence of a new attack variant that leverages them. CVE-2025-20333 enables remote code execution, while CVE-2025-20362 permits privilege escalation. Both were exploited as zero-day vulnerabilities earlier this year. In late September, CISA and partner cybersecurity organizations attributed these attacks to a state-sponsored threat actor also responsible for the ArcaneDoor campaign in 2023 and 2024.
That previous campaign similarly relied on zero-day flaws. The threat actor deployed custom malware that disabled logging and suppressed crash dump creation, removing the evidence defenders would normally use to detect a compromise. They also modified ROMMON, the bootloader that runs before the ASA operating system loads, so that the custom backdoor persisted across reboots.
Despite repeated alerts from security organizations, a substantial number of vulnerable systems remain exposed. The Shadowserver Foundation reported in early October that approximately 48,000 internet-facing appliances, mostly located in the United States, had not been patched. While that figure has since decreased to just over 32,000, the risk remains high. CISA emphasizes that all ASA and Firepower devices, not only those reachable from the internet, must be updated to software versions that resolve both vulnerabilities. Legacy or unsupported equipment, for which no fixed release exists, should be decommissioned and replaced with supported, secure alternatives.
CISA has committed to contacting agencies where vulnerable systems are identified to verify that the necessary corrective actions have been completed. The agency’s latest guidance includes a list of the specific software versions, per release train, required to mitigate these security flaws.
On the same day, CISA expanded its Known Exploited Vulnerabilities catalog by adding three new entries. Federal agencies have until December 3, 2025, to address these additional threats. The newly listed vulnerabilities include CVE-2025-12480, which affects the Gladinet Triofox secure file sharing and remote access platform; CVE-2025-62215, a Windows Kernel issue resolved in Microsoft’s recent Patch Tuesday update; and CVE-2025-9242, a critical pre-authentication remote code execution flaw in WatchGuard Firebox network security appliances. The WatchGuard vulnerability was patched in September, with active exploitation confirmed on October 21.
(Source: HelpNet Security)


