
CISA warns feds to fully patch actively exploited Cisco flaws


CISA warned U.S. federal agencies to fully patch two actively exploited vulnerabilities in Cisco Adaptive Security Appliances (ASA) and Firepower devices.

Tracked as CVE-2025-20362 and CVE-2025-20333, these security flaws allow remote threat actors to access restricted URL endpoints without authentication and gain code execution on vulnerable Cisco firewall devices, respectively. If chained, they can enable unauthenticated attackers to gain complete control of unpatched devices remotely.

When it patched the two flaws in September, Cisco cautioned customers that they had been exploited as zero-days in attacks targeting 5500-X Series devices with VPN web services enabled. The company also linked these attacks to the ArcaneDoor campaign, which has exploited two other zero-day bugs (CVE-2024-20353 and CVE-2024-20359) to breach government networks since November 2023.

The same day, CISA issued Emergency Directive 25-03, ordering U.S. federal agencies to secure their Cisco firewall devices within 24 hours against active exploitation of CVE-2025-20362 and CVE-2025-20333.

Internet monitoring platform Shadowserver currently tracks over 30,000 Cisco devices vulnerable to these attacks, down from more than 45,000 when it first began tracking the two vulnerabilities in early October.

Vulnerable Cisco devices exposed online (Shadowserver)

Some federal agencies failed to fully patch flaws

However, as the cybersecurity agency warned today, some government agencies have failed to correctly patch vulnerable devices, leaving them exposed amid ongoing attacks targeting unpatched Cisco firewalls on networks belonging to Federal Civilian Executive Branch (FCEB) agencies.

"CISA is aware of multiple organizations that believed they had applied the necessary updates but had not in fact updated to the minimum software version. CISA recommends all organizations verify the correct updates are applied," CISA said.

"In CISA's analysis of agency-reported data, CISA has identified devices marked as 'patched' in the reporting template, but which were updated to a version of the software that is still vulnerable to the threat activity outlined in the ED. CISA is tracking active exploitation of these vulnerable versions in FCEB agencies," it added.
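The failure mode CISA describes, devices reported as "patched" but running a release below the fixed build for their train, is easy to reproduce with a naive check that compares version strings lexically or only asks "is it newer than before?". The script below is an added example, not code from the article, Cisco or CISA: it parses Cisco ASA version strings of the form `major.minor(maintenance)interim`, compares them numerically against a per-train minimum, and flags trains it has no entry for rather than guessing. The minimum fixed versions in `MIN_FIXED_BY_TRAIN` and the inventory in `SAMPLE_INVENTORY` are constructed placeholders; the real per-train minimums come from the vendor advisory and the Emergency Directive.

```python
"""Check reported Cisco ASA software versions against per-train minimum
fixed versions, to catch devices marked 'patched' that were actually
upgraded to a release still below the fixed build.

Added example; not from the article, Cisco or CISA. The minimum versions
below are PLACEHOLDERS, not the real fixed releases."""
import re
from typing import Dict, List, Optional, Tuple

# ASA versions look like 9.16(4)67 : major.minor(maintenance)interim.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(\d*)$")

# Placeholder minimum fixed version per release train (major, minor).
# Constructed for this example; NOT the values from the Cisco advisory.
MIN_FIXED_BY_TRAIN: Dict[Tuple[int, int], str] = {
    (9, 16): "9.16(4)70",   # placeholder
    (9, 18): "9.18(4)50",   # placeholder
    (9, 20): "9.20(3)10",   # placeholder
}

# Constructed sample inventory of (hostname, version) as reported by staff.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("asa-edge-01", "9.16(4)70"),   # exactly the placeholder minimum: patched
    ("asa-edge-02", "9.16(4)8"),    # sorts ABOVE (4)70 as a string, but is older
    ("asa-dc-01", "9.18(4)55"),     # above the minimum: patched
    ("asa-dc-02", "9.18(3)90"),     # higher interim, lower maintenance: vulnerable
    ("asa-lab-01", "9.12(4)70"),    # train not in the table: needs manual review
    ("asa-lab-02", "unknown"),      # unparseable report
]


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse 'major.minor(maint)interim' into a numeric tuple; None if malformed."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def assess(version: str,
           table: Dict[Tuple[int, int], str] = MIN_FIXED_BY_TRAIN) -> str:
    """Classify one reported version.

    'patched'        parses and is >= the train's minimum fixed version
    'vulnerable'     parses but is below the train's minimum
    'unlisted-train' train not in the table; check the advisory by hand
    'unparseable'    the report is not a valid ASA version string

    Numeric tuple comparison is used deliberately: a string comparison ranks
    '9.16(4)8' above '9.16(4)70' and would call a vulnerable device patched.
    """
    parsed = parse_version(version)
    if parsed is None:
        return "unparseable"
    train = parsed[:2]
    if train not in table:
        return "unlisted-train"
    minimum = parse_version(table[train])
    if minimum is None:
        raise ValueError(f"bad minimum version for train {train}")
    return "patched" if parsed >= minimum else "vulnerable"


def assess_inventory(inventory: List[Tuple[str, str]],
                     table: Dict[Tuple[int, int], str] = MIN_FIXED_BY_TRAIN) -> Dict[str, str]:
    """Map every hostname in the inventory to its assessment."""
    return {host: assess(ver, table) for host, ver in inventory}


if __name__ == "__main__":
    for host, status in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Two rows carry the lesson: `asa-edge-02` reports `9.16(4)8`, which a plain string comparison places after `9.16(4)70`, and `asa-dc-02` was upgraded to a release with a higher interim number but a lower maintenance number than the train's minimum. Both are the kind of device that ends up marked "patched" in a reporting template while still running vulnerable code; a per-train numeric comparison, with unknown trains sent for manual review, catches them.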
