CISA: Patch Cisco Firewall Zero-Days Immediately
News
SHARE
Facebook X Pinterest WhatsApp

CISA Orders Urgent Patching of Cisco Firewall Zero-Day Vulnerabilities

CISA warns of active Cisco ASA exploits. Patch now to block remote code execution and privilege escalation risks.

Written By
Ken Underhill
Ken Underhill
Sep 26, 2025
3 minute read
eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an Emergency Directive requiring federal agencies to immediately mitigate two critical zero-day vulnerabilities affecting Cisco Adaptive Security Appliances (ASA) and select Firepower platforms. 

The flaws are already being actively exploited in the wild and pose a severe risk to federal information systems as well as enterprises.

In its advisory, CISA stated that exploitation of these vulnerabilities allows attackers to achieve “unauthenticated remote code execution” and privilege escalation, enabling advanced threat actors to persist through system reboots and upgrades.

What are the vulnerabilities?

The two vulnerabilities — CVE-2025-20333 and CVE-2025-20362 — represent a critical pairing that gives attackers both an entry point and the ability to maintain control over Cisco Adaptive Security Appliances (ASA) and certain Firepower devices.

CVE-2025-20333 (CVSS 9.8 – Critical)

This flaw allows for unauthenticated remote code execution (RCE). In practical terms, an attacker can send specially crafted requests to a vulnerable ASA device over the internet and execute malicious code without requiring a login. 

Because authentication is not required, the attack surface extends to any exposed ASA device. Once RCE is achieved, adversaries can implant malware, create backdoors, or disrupt firewall operations.

CVE-2025-20362 (CVSS 7.2 – High)

This vulnerability enables privilege escalation. An attacker who gains initial access — whether through CVE-2025-20333 or another exploit — can escalate privileges to root-level control. This gives them unrestricted ability to modify system files, disable security controls, and maintain long-term persistence.

When combined, these two flaws form a robust attack chain: adversaries can bypass authentication, gain full administrative privileges, and then alter the firewall’s read-only memory (ROM). By modifying ROM, attackers can survive reboots and even firmware upgrades, making the compromise extremely hard to remove without fully decommissioning or reflashing the hardware.

Advertisement

Scope of impact

  • Federal agencies: CISA’s directive highlights government systems as primary targets due to their sensitive role in national security and critical infrastructure.
  • Private organizations: Any enterprise using Cisco ASA or Firepower appliances is also at risk, especially if devices are exposed to the internet without proper segmentation or monitoring.

Cisco and CISA assess that these exploits are connected to the ArcaneDoor campaign, first detected in 2024. 

During that campaign, advanced state-sponsored actors demonstrated an ability to manipulate Cisco ASA ROM at scale, suggesting a long-term strategy to establish covert, persistent access in high-value networks. These latest vulnerabilities show that those same tactics are being actively operationalized in the wild today.

How to mitigate risk

To defend against the Cisco ASA and Firepower zero-day threats, organizations should act quickly and follow these key mitigations.

  • Patch immediately: Apply Cisco patches within 48 hours of release, if possible.
  • Decommission legacy gear: Disconnect end-of-support ASA devices.
  • Hunt for compromise: Run forensic checks for ROM tampering or anomalies.
  • Limit exposure: Restrict management interfaces to trusted networks/VPN.
  • Monitor & log: Track admin/root activity and enable IDS/IPS rules.
  • Plan ahead: Maintain inventories, replace aging devices, and update IR playbooks.

Organizations outside the federal government should also immediately apply Cisco’s patches, monitor logs for anomalous activity, and conduct incident response tabletop exercises to prepare for persistence-focused adversaries.

Advertisement

The bigger picture

This campaign highlights the evolving threat landscape around network infrastructure zero-days. 

Attackers are not just exploiting software flaws but also developing persistence techniques at the firmware level. Such tactics mirror other supply chain and infrastructure-focused campaigns that have reshaped enterprise security priorities in recent years.

The fact that adversaries can modify ROM to survive reboots demonstrates a strategic shift toward long-term, covert access.

Cisco has been on high alert all year. Just two months ago, the company patched three critical vulnerabilities that affected its identity services.
Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.

eSecurity Planet Logo

eSecurity Planet is a leading resource for IT professionals at large enterprises who are actively researching cybersecurity vendors and latest trends. eSecurity Planet focuses on providing instruction for how to approach common security challenges, as well as informational deep-dives about advanced cybersecurity topics.

facebook
linkedin
x

Company

About us Contact us Advertise with us

Categories

Best Products Resources Networks Cloud Threats Trends Endpoint Applications Compliance

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

Terms of Service Privacy Policy California - Do Not Sell My Information