Federal Agencies Face Ongoing Risk from Unpatched Cisco ASA and Firepower Vulnerabilities
CISA has issued updated implementation guidance for Emergency Directive 25-03, highlighting that federal agencies are not fully patching critical vulnerabilities in Cisco Adaptive Security Appliances (ASA) and Firepower devices. Despite previous directives, CISA identified that some agencies reported devices as patched when, in fact, they were still running vulnerable software versions. The vulnerabilities, CVE-2025-20333 and CVE-2025-20362, continue to be actively exploited by advanced threat actors, prompting CISA to urge immediate corrective action and recommend the use of tools like RayDetect to check for evidence of compromise.
The ongoing exploitation campaign has targeted federal civilian agencies since September, with CISA warning that incomplete patching leaves organizations exposed to significant risk. Agencies are directed to verify software versions, apply the minimum required updates, and follow additional mitigation steps if updates were applied after September 26, 2025. CISA has not confirmed whether any agencies have been breached but emphasizes the need for strict compliance to prevent further compromise. All organizations using Cisco ASA and Firepower devices are strongly encouraged to review and implement the latest guidance to mitigate ongoing threats.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Tens of thousands of Cisco devices remain vulnerable despite guidance
By mid-November 2025, Shadowserver data cited in reporting showed more than 30,000 Cisco devices still vulnerable, down from about 45,000 in early October. The continued exposure indicated that patching and verification efforts remained incomplete across many organizations.
CISA adds additional actively exploited flaws to KEV catalog
Alongside the Cisco guidance, CISA added more vulnerabilities to its Known Exploited Vulnerabilities catalog, including flaws affecting WatchGuard Firebox, Gladinet Triofox, and the Windows kernel. Federal agencies were given a remediation deadline of December 3, 2025 for these newly listed issues.
CISA warns agencies some devices marked patched remain vulnerable
CISA disclosed that some federal agencies had incorrectly considered Cisco devices remediated even though they were still exposed, due to validation failures and minimum-version requirements. The agency instructed organizations to apply the specific required firmware versions and decommission unsupported hardware.
CISA updates emergency directive guidance for Cisco flaws
On November 12, 2025, CISA updated implementation guidance for its emergency directive covering CVE-2025-20362 and CVE-2025-20333. The agency said some federal agencies had not applied the correct updates and clarified that all ASA and Firepower devices, including non-internet-facing ones, must be remediated within 24 hours under Emergency Directive 25-03.
Cisco observes a new attack variant against unpatched devices
Cisco reported a newer attack variant on November 5, 2025 affecting unpatched ASA and Firepower systems. In addition to exploitation, the variant could trigger denial-of-service behavior causing device restarts.
More than 45,000 Cisco devices observed exposed in early October
Shadowserver observed roughly 45,000 vulnerable Cisco devices in early October 2025, showing the broad internet exposure of unremediated systems. Later reporting said this number declined but remained in the tens of thousands.
Cisco releases fixes for ASA and Firepower zero-day flaws
Cisco issued patches in September 2025 for CVE-2025-20362 and CVE-2025-20333 affecting ASA and Firepower devices. The flaws can be chained to bypass authentication, access restricted endpoints, and achieve remote code execution with full device compromise.
ArcaneDoor campaign begins targeting government networks
The threat activity later tied to exploitation of Cisco ASA and Firepower vulnerabilities began targeting government networks in November 2023. Multiple reports describe the campaign as ArcaneDoor and attribute it to a state-sponsored, China-linked actor.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
9 references tracked. Mallory keeps watching after this page renders.
CISA Warns of Active Attacks on Cisco ASA and Firepower Flaws
hackread.com
Open sourceUrgent Advisory: Active Exploitation of Cisco ASA and Firepower, CVE-2025-20333 & CVE-2025-20362
centripetal.ai
Open sourceCisco ASA firewalls still under attack; CISA issues guidance for patch
scworld.com
Open sourceFeds Fumble Cisco Patches as China-Linked Hackers Strike
govinfosecurity.com
Open sourceFeds Fumble Cisco Patches as China-Linked Hackers Strike
bankinfosecurity.com
Open sourceCISA warns feds to fully patch actively exploited Cisco flaws
bleepingcomputer.com
Open source“Patched” but still exposed: US federal agencies must remediate Cisco flaws (again)
helpnetsecurity.com
Open sourceUpdate: Implementation Guidance for Emergency Directive on Cisco ASA and Firepower Device Vulnerabilities
cisa.gov
Open sourceFederal agencies not fully patching vulnerable Cisco devices amid ‘active exploitation,’ CISA warns
therecord.media
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Exploitation of Cisco ASA Firewall Vulnerabilities Leading to Federal Agency Breach and Senate Scrutiny
US Senator Bill Cassidy has demanded answers from Cisco regarding critical vulnerabilities in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices, specifically CVE-2025-20333 and CVE-2025-20362, which have been actively exploited by threat actors. The senator's letter to Cisco CEO Chuck Robbins follows reports that at least one federal agency was breached as a direct result of these flaws, though Cisco has not publicly confirmed the breach. The vulnerabilities prompted the Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency directive, requiring all federal civilian agencies to identify affected devices, review logs for signs of compromise, and apply Cisco's patches within 24 hours. Devices that had reached end of support were ordered to be removed from service entirely. Cisco acknowledged that exploitation of these vulnerabilities had been ongoing since at least May, when government incident responders involved Cisco in investigations of compromised ASA 5500-X firewalls. Attackers were observed deploying implants, executing commands, and exfiltrating data from affected systems well before the vulnerabilities were publicly disclosed. The exploitation campaign, known as ArcaneDoor, was attributed by Cisco to a Chinese-linked threat group identified as UAT4356, which has targeted government systems globally since November 2023. Senator Cassidy's letter raises concerns about Cisco's transparency regarding the impact of these vulnerabilities on both government and private sector customers. He questioned whether Cisco has identified specific threats to its customers, how it communicates security issues, and whether CISA's guidance to federal agencies is also being provided to private organizations. The senator emphasized the critical role Cisco plays in national infrastructure, noting that vulnerabilities in its products could jeopardize access to essential services for millions of Americans. Cisco has not responded to media requests for comment on the senator's inquiries or the reported breach. The emergency directive from CISA underscores the severity of the risk, highlighting the widespread use of ASA appliances in both government and large enterprise environments. The incident has drawn attention to the need for rapid patching and clear communication from vendors when critical vulnerabilities are discovered. Security agencies in both the US and UK have issued urgent advisories, warning of active exploitation and the necessity for immediate remediation. The ongoing investigation seeks to determine the full scope of the compromise and whether additional agencies or organizations have been affected. The situation has reignited debate over the security of widely deployed network infrastructure and the responsibilities of vendors in managing and disclosing vulnerabilities. The case also illustrates the persistent threat posed by sophisticated state-linked actors targeting critical government systems. As the response continues, both public and private sector organizations are urged to review their exposure and ensure all relevant patches are applied without delay.
Mar 21, 2026
Critical Remote Code Execution and Authorization Bypass Vulnerabilities in Cisco ASA and FTD WebVPN
Multiple critical vulnerabilities have been discovered in the Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) WebVPN components, which are being actively exploited in the wild. The vulnerabilities, identified as CVE-2025-20362, CVE-2025-20333, and CVE-2025-20363, allow attackers to bypass authentication and achieve remote code execution (RCE) as root on affected devices. CVE-2025-20362 is an unauthenticated authorization bypass that enables attackers to access restricted endpoints without valid credentials, serving as a key component in exploit chains. When combined with CVE-2025-20333, attackers can send malicious HTTPS requests to execute arbitrary code as root, even without prior authentication. CVE-2025-20363 is a related flaw that also enables unauthenticated RCE on ASA/FTD devices and authenticated RCE on some Cisco IOS components. These vulnerabilities affect Cisco ASA versions 9.16 through 9.23 and Cisco FTD versions 7.0 through 7.7, with specific software images requiring validation against Cisco advisories. Cisco and CISA have confirmed active exploitation and widespread scanning for these vulnerabilities, prompting CISA to issue Emergency Directive 25-03 on September 25, 2025, mandating immediate action by federal agencies. The threat actor responsible for these attacks is attributed to the same group behind the ArcaneDoor (UAT4356) state-sponsored espionage campaign first observed in 2024. Organizations are urged to patch or upgrade to Cisco’s fixed releases without delay, and to restrict or disable vulnerable devices if immediate upgrades are not possible. Compromised devices should be isolated and thoroughly investigated for signs of threat actor presence. Cisco has provided detailed guidance for detection, and CISA’s Malware Next Generation tool can be used to hunt for indicators of compromise. Security researchers, including Rapid7, have published technical analyses and exploit chains demonstrating the severity and ease of exploitation. The vulnerabilities are considered highly critical due to their unauthenticated nature and the potential for full device compromise, which could lead to further lateral movement within affected networks. The rapid response from both Cisco and CISA underscores the urgency and scale of the threat. Organizations using Cisco ASA or FTD devices should assume exposure if running affected versions and prioritize remediation. The vulnerabilities highlight the ongoing targeting of network edge devices by sophisticated threat actors, particularly those engaged in espionage. Failure to address these vulnerabilities could result in significant operational disruption and data compromise. The security community continues to monitor for new exploitation techniques and advises ongoing vigilance. The release of proof-of-concept code and active scanning increases the risk of opportunistic attacks by additional threat actors. Timely patching and adherence to Cisco and CISA recommendations are essential to mitigate risk from these critical vulnerabilities.
Mar 21, 2026
CISA warns Cisco firewall backdoor survives patching after federal agency breach
CISA disclosed that an unnamed U.S. federal civilian agency was breached through Cisco firewall vulnerabilities `CVE-2025-20333` and `CVE-2025-20362`, and investigators later found the **FIRESTARTER** backdoor and **Line Viper** malware on the affected devices. Authorities said the attackers, linked by Cisco Talos and allied agencies to **UAT-4356** and the earlier **ArcaneDoor** activity, maintained persistence on Cisco ASA and Firepower/FTD systems even after patches were applied, regained access months later without re-exploiting the original flaws, and used crafted VPN authentication-related requests to execute code and enable unauthorized VPN sessions that bypassed authentication controls. CISA, the U.K. National Cyber Security Centre, and other partners warned that patching alone may not evict the threat because FIRESTARTER can survive standard reboots and, in some cases, firmware updates if the device was compromised before remediation. The updated federal directive requires agencies to audit Cisco firewall infrastructure and submit memory snapshots, while Cisco and CISA urged stronger recovery steps such as hard reboots and reimaging where compromise is suspected. The disclosure came alongside a broader allied advisory that China-linked groups including **Volt Typhoon** and **Flax Typhoon** are increasingly using large covert proxy networks built from compromised SOHO routers and IoT devices—such as the **Raptor Train** and **KV Botnet** infrastructure—to hide intrusions, support espionage, and blunt traditional IP-based blocking defenses.
Apr 24, 2026