
CISA Orders Urgent Patching of Cisco Firewall Zero-Day Vulnerabilities

CISA warns of active Cisco ASA exploits. Patch now to block remote code execution and privilege escalation risks.

Written By
Ken Underhill
Sep 26, 2025

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 25-03, requiring federal agencies to immediately identify and mitigate two zero-day vulnerabilities affecting Cisco Adaptive Security Appliance (ASA) software and Firepower Threat Defense (FTD) software on select Firepower platforms.

The flaws are already being actively exploited in the wild and pose a severe risk to federal information systems as well as enterprises.

In its advisory, CISA stated that exploitation of these vulnerabilities allows attackers to achieve “unauthenticated remote code execution” and privilege escalation, enabling advanced threat actors to persist through system reboots and upgrades.

What are the vulnerabilities?

The two vulnerabilities, CVE-2025-20333 and CVE-2025-20362, both sit in the VPN web server of Cisco ASA and FTD software. Together they give attackers an unauthenticated path to code execution and, on older hardware, a way to keep control of the device.

CVE-2025-20333 (CVSS 9.9 – Critical)

This flaw is a buffer overflow in the VPN web server, the component behind WebVPN and AnyConnect/Secure Client remote access. An attacker holding valid VPN user credentials can send crafted HTTP requests to a vulnerable device and execute arbitrary code as root.

Because a remote access VPN headend has to accept connections from the internet, every unpatched ASA or FTD with SSL VPN enabled is reachable by this attack. Once code execution is achieved, adversaries can implant malware, create backdoors, or disrupt firewall operations.

CVE-2025-20362 (CVSS 6.5 – Medium)

This vulnerability is a missing-authorization check in the same VPN web server. An unauthenticated remote attacker can send crafted HTTP requests and reach URL endpoints that are supposed to require a login. On its own it does not execute code, which is why it scores lower; its role in the chain is to remove the credential requirement of CVE-2025-20333.

Chained, the two flaws form an unauthenticated remote code execution path: the authorization bypass gets the attacker to the vulnerable endpoint, and the overflow gives them root on the firewall. Cisco additionally observed the actor modifying ROMMON, the bootloader firmware, on ASA 5500-X series devices that lack Secure Boot and Trust Anchor technologies. Code planted in ROMMON runs before the ASA software loads, so it survives reboots and software upgrades and cannot be removed by reinstalling the operating system; cleanup means reflashing or replacing the hardware. Devices with Secure Boot validate the boot chain and were not observed with this persistence.

Scope of impact

  • Federal agencies: CISA’s directive highlights government systems as primary targets due to their sensitive role in national security and critical infrastructure.
  • Private organizations: Any enterprise using Cisco ASA or Firepower appliances is also at risk, especially if devices are exposed to the internet without proper segmentation or monitoring.

Cisco and CISA assess that this activity is connected to the ArcaneDoor campaign, first disclosed in 2024.

During that campaign, a state-sponsored actor deployed custom implants on Cisco ASA devices at scale, showing a long-term strategy of establishing covert, persistent access in high-value networks. The 2025 vulnerabilities show the same tactics still in use against the same platform, now with persistence pushed down into the boot firmware.

How to mitigate risk

To defend against the Cisco ASA and Firepower zero-day threats, organizations should act quickly and follow these key mitigations.

  • Patch immediately: Apply Cisco's fixed ASA and FTD releases. Collect forensic evidence first (see below), because an upgrade or reboot can destroy volatile artifacts.
  • Decommission legacy gear: Disconnect end-of-support ASA devices; the directive gave federal agencies until September 30, 2025 to do so. These older 5500-X units are also the ones without Secure Boot, where the ROMMON persistence was observed.
  • Hunt for compromise: Collect a core dump and memory image from internet-facing devices, check them against Cisco's published indicators, and verify the running image and ROMMON against Cisco's known-good values.
  • Limit exposure: Restrict SSH, ASDM and HTTPS management access to trusted networks or a jump host. One caveat: the vulnerable component is the VPN web server, which a remote access headend must expose to the internet, so management restrictions reduce other attack surface but do not mitigate these two CVEs. Only patching does.
  • Monitor & log: Send ASA syslog to an off-box collector so a compromised device cannot erase its own trail, alert on configuration changes, privileged command execution and management logins from unexpected sources, and enable IDS/IPS rules.
  • Plan ahead: Maintain inventories, replace aging devices, and update IR playbooks.
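The monitoring step is the one in this list that can be exercised offline. The following Python script is an added example, not from the article, Cisco or CISA: it triages ASA syslog for management logins from outside an allow-listed subnet and for privileged commands that touch the boot firmware, boot image or logging. The log lines are constructed; their layout is modelled on ASA message IDs 111008, 111010 and 605005, and the trusted subnet and the command list are assumptions to adapt to your own environment.

```python
"""Triage Cisco ASA syslog for risky administrative activity.

Added example (not from the article, Cisco or CISA). Message layouts are
modelled on ASA syslog IDs 111008/111010 (command executed) and 605005
(management login permitted); confirm them against your own devices.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumption: legitimate management comes only from this jump-host subnet.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Assumed list of privileged commands worth a second look: they touch the
# boot firmware (ROMMON), the boot image, files on flash, or the logs.
RISKY_COMMAND_PATTERNS = [
    r"\brommon\b",                     # e.g. 'upgrade rommon ...'
    r"\bboot system\b",                # changing which image boots
    r"\bcopy\b.*\b(?:disk0|flash)\b",  # staging files on flash
    r"\bno logging\b",                 # switching logging off
    r"\bclear logging\b",              # wiping the local log buffer
    r"\bdebug menu\b",                 # undocumented debug shell
]

RE_CMD = re.compile(
    r"%ASA-\d-1110(?:08|10): User '(?P<user>[^']+)'"
    r"(?:, running '(?P<tool>[^']+)' from IP (?P<ip>[\d.]+))?"
    r",? executed (?:the )?'(?P<cmd>[^']+)'"
)
RE_LOGIN = re.compile(
    r"%ASA-\d-605005: Login permitted from (?P<ip>[\d.]+)/\d+ to "
    r"(?P<iface>[^:]+):[\d.]+/(?P<proto>\w+) for user \"(?P<user>[^\"]+)\""
)


@dataclass
class Finding:
    reason: str
    user: str
    detail: str


def is_untrusted(ip: str) -> bool:
    """True when the source address is outside every trusted subnet."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in TRUSTED_MGMT_NETS)


def triage(lines):
    """Return one Finding per suspicious event, in log order."""
    findings = []
    for line in lines:
        m = RE_LOGIN.search(line)
        if m:
            if is_untrusted(m["ip"]):
                findings.append(Finding("mgmt login from untrusted source",
                                        m["user"], f"{m['ip']} via {m['proto']}"))
            continue
        m = RE_CMD.search(line)
        if not m:
            continue
        cmd = m["cmd"]
        if any(re.search(p, cmd) for p in RISKY_COMMAND_PATTERNS):
            findings.append(Finding("risky privileged command", m["user"], cmd))
        if m["ip"] and is_untrusted(m["ip"]):
            findings.append(Finding("command from untrusted source",
                                    m["user"], f"{m['ip']}: {cmd}"))
    return findings


# Constructed sample: routine work from the jump host, then an outside
# login that changes the boot firmware and turns logging off.
SAMPLE_LOG = [
    '%ASA-6-605005: Login permitted from 10.10.0.5/50122 to inside:10.10.0.1/ssh for user "netops"',
    "%ASA-5-111008: User 'netops' executed the 'show version' command.",
    '%ASA-6-605005: Login permitted from 203.0.113.7/51234 to outside:198.51.100.2/https for user "admin"',
    "%ASA-5-111010: User 'admin', running 'CLI' from IP 203.0.113.7, executed 'upgrade rommon disk0:/example-rommon.SPA'",
    "%ASA-5-111010: User 'admin', running 'CLI' from IP 203.0.113.7, executed 'no logging enable'",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:32} user={f.user:8} {f.detail}")
```

Run it against a syslog export from your own appliances; in production the same checks belong in the SIEM, fed from an off-box collector so that a compromised firewall cannot tamper with the evidence.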

Organizations outside the federal government should also immediately apply Cisco’s patches, monitor logs for anomalous activity, and conduct incident response tabletop exercises to prepare for persistence-focused adversaries.

The bigger picture

This campaign highlights the evolving threat landscape around network infrastructure zero-days. 

Attackers are not just exploiting software flaws but also developing persistence techniques at the firmware level. Such tactics mirror other supply chain and infrastructure-focused campaigns that have reshaped enterprise security priorities in recent years.

The fact that adversaries can modify the ROMMON bootloader to survive reboots and software upgrades demonstrates a strategic shift toward long-term, covert access, and it shows why hardware-rooted boot integrity (Secure Boot and a trust anchor) matters as much on network appliances as on servers and endpoints.

Cisco has been on high alert all year. Just two months ago, the company patched three critical vulnerabilities that affected its identity services.


Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.

eSecurity Planet is a leading resource for IT professionals at large enterprises who are actively researching cybersecurity vendors and latest trends. eSecurity Planet focuses on providing instruction for how to approach common security challenges, as well as informational deep-dives about advanced cybersecurity topics.