CISA has ordered U.S. federal agencies to fully remediate two actively exploited vulnerabilities in Cisco Adaptive Security Appliance (ASA) and Firepower firewall software, citing ongoing threat activity and reporting inconsistencies. The vulnerabilities are tracked as CVE-2025-20333 and CVE-2025-20362. Referencing Emergency Directive 25-03, CISA said it found devices that had been reported as patched but had been updated to software versions that were still vulnerable.
CVE-2025-20333 allows remote code execution and CVE-2025-20362 enables privilege escalation; both were observed exploited as zero‑day flaws earlier this year. Cisco updated its advisories last week to say it was aware of a new attack variant leveraging the bugs.
In late September, CISA and other cybersecurity agencies warned of the attacks and attributed them to a state‑sponsored actor previously tied to the ArcaneDoor campaign in 2023 and 2024. Those attacks used zero‑day flaws and custom malware that disabled logging and suppressed crash dumps, and the actor modified the ROMMON program that runs before the ASA operating system to maintain a custom backdoor.
CISA said all ASA and Firepower devices, not only internet‑facing appliances, must be updated to firmware versions that remediate both flaws, and that legacy or unsupported devices should be decommissioned and replaced. CISA will follow up with agencies identified as having the issue, and it published the required firmware versions in its new guidance.
The Shadowserver Foundation reported in early October that about 48,000 internet‑facing appliances remained unpatched despite warnings, a figure it later said had fallen to just over 32,000; Shadowserver noted most were in the United States. CISA said it is tracking active exploitation in federal civilian agencies and recommended additional mitigation for devices that have not been updated or that were updated after September 26, 2025.
On the same day, CISA added three vulnerabilities to its Known Exploited Vulnerabilities catalog and directed U.S. Federal Civilian Executive Branch agencies to address them by December 3, 2025. The items included CVE-2025-12480 affecting the Gladinet Triofox platform, CVE-2025-62215 in the Windows kernel, and CVE-2025-9242, a critical pre‑authentication remote code execution flaw in WatchGuard Firebox appliances that was patched in September and confirmed to be under active exploitation on October 21.

