The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03 in response to an advanced threat actor exploiting zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) through their web services. The intrusions are difficult to evict: by manipulating the devices' read-only memory (ROM), the actor's access survives reboots and system upgrades, which poses a serious risk to affected networks. CISA ordered federal agencies to identify and mitigate vulnerable devices immediately and urged all organizations running ASA to take the same steps. This marks only the second emergency directive issued under the administration of President Donald Trump.
CISA determined that CVE-2025-20333, which enables remote code execution, and CVE-2025-20362, which enables privilege escalation, pose an unacceptable risk to federal systems. Although ED 25-03 and the associated supplemental guidance are directed to federal agencies, CISA urges public and private sector organizations to review the Emergency Directive and take steps to mitigate these vulnerabilities.
The campaign is widespread. It chains the zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs and then manipulates read-only memory (ROM) to persist through reboot and system upgrade, so patching alone does not remove an implant that is already in place. Cisco assesses that this campaign is connected to the ArcaneDoor activity identified in early 2024 and that the threat actor has demonstrated the capability to modify ASA ROM at least as early as 2024. The same zero-day vulnerabilities are also present in specific versions of Cisco Firepower; Firepower appliances remain exploitable through the CVEs, but their Secure Boot would detect the identified manipulation of the ROM.
CISA ordered agencies to take immediate action on these vulnerabilities as outlined in the directive. Agencies must inventory all Cisco ASA and Firepower devices, use CISA-provided tools to collect forensics and assess compromise, disconnect unsupported devices, and upgrade those that remain in service. These measures aim to reduce immediate risk, determine potential compromise, and support analysis of the ongoing threat campaign.
The Emergency Directive requires agencies to immediately identify all Cisco ASA platforms, including ASA hardware, the ASA Services Module (ASA-SM), ASA Virtual (ASAv), ASA software running on Firepower 2100/4100/9300 appliances, and all Cisco Firepower Threat Defense (FTD) appliances. Agencies must then follow CISA's Core Dump and Hunt Instructions and submit the resulting files through the Malware Next-Gen portal by 11:59 p.m. EDT on Sept. 26, 2025. If compromise is detected, the affected device must be disconnected from the network, reported to CISA, and retained for incident response rather than wiped or upgraded. Devices showing no compromise may proceed to the next steps.
Any ASA hardware model reaching the end of support on or before Sept. 30, 2025, must be permanently disconnected by that date, because devices past end of support will not receive vendor fixes. Agencies unable to do so must apply the latest Cisco updates, report the mission-critical need that prevents immediate removal, and provide decommissioning plans as directed. ASA hardware whose support extends beyond that cutoff (for example, through Aug. 31, 2026) must have the latest updates applied by Sept. 26, 2025, with future updates installed within 48 hours of release. All ASAv and Firepower FTD devices must follow the same update timelines.
Finally, by Oct. 2, 2025, agencies must submit to CISA a complete inventory of products in scope, including the actions taken and their results.
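The steps above form one decision order: evidence of compromise takes precedence over everything, out-of-support hardware is removed rather than patched, and the rest is on a patch clock that differs for updates released before and after the initial deadline. As an added example (it is not part of this article or of CISA's guidance), the following Python applies that order to a constructed inventory. Device names, dates and states are made up, and the platform labels and field names are this example's own, not a CISA schema. The 48-hour rule and the inclusive "on or before" boundary are the edge cases worth checking.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Deadlines as the directive is summarized on this page (EDT is UTC-4).
EDT = timezone(timedelta(hours=-4), "EDT")
HUNT_AND_PATCH_DEADLINE = datetime(2025, 9, 26, 23, 59, tzinfo=EDT)
EOS_CUTOFF = date(2025, 9, 30)            # "on or before" -> inclusive
FUTURE_PATCH_WINDOW = timedelta(hours=48)
NOW_FOR_DEMO = datetime(2025, 10, 11, 9, 0, tzinfo=EDT)  # assumed "current" time


@dataclass
class Device:
    """One in-scope device. Field names are this example's own, not a CISA schema."""
    name: str
    platform: str                   # "asa-hw", "asa-sm", "asav" or "ftd"
    compromised: bool               # outcome of the core dump / hunt step
    running_latest: bool            # already on the newest Cisco release?
    end_of_support: Optional[date] = None          # ASA hardware only
    latest_release_at: Optional[datetime] = None   # when the newest update shipped


def patch_deadline(dev: Device) -> datetime:
    """Updates available by Sept. 26 were due then; anything released later gets 48 hours."""
    if dev.latest_release_at is not None and dev.latest_release_at > HUNT_AND_PATCH_DEADLINE:
        return dev.latest_release_at + FUTURE_PATCH_WINDOW
    return HUNT_AND_PATCH_DEADLINE


def triage(dev: Device, now: datetime) -> Tuple[str, str]:
    """Return (status, instruction) following the directive's order of precedence."""
    # 1. Evidence of compromise wins over everything else: isolate, do not patch over it.
    if dev.compromised:
        return "ISOLATE", f"{dev.name}: disconnect, report to CISA, retain for incident response"
    # 2. Hardware out of support by the cutoff is removed, not patched (inclusive boundary).
    if dev.platform == "asa-hw" and dev.end_of_support is not None and dev.end_of_support <= EOS_CUTOFF:
        return "DECOMMISSION", (f"{dev.name}: permanently disconnect by {EOS_CUTOFF} "
                                "or report a mission-critical need with a decommissioning plan")
    # 3. Everything else (supported ASA hardware, ASA-SM, ASAv, FTD) is on the patch clock.
    if dev.running_latest:
        return "COMPLIANT", f"{dev.name}: up to date; apply future releases within 48 hours"
    due = patch_deadline(dev)
    if now > due:
        return "OVERDUE", f"{dev.name}: update was due {due:%Y-%m-%d %H:%M %Z}"
    return "PATCH", f"{dev.name}: update by {due:%Y-%m-%d %H:%M %Z}"


def build_report(devices: List[Device], now: datetime) -> List[Tuple[str, str, str, str]]:
    """Rows of (name, platform, status, instruction): the inventory-with-actions artifact."""
    rows = [(d.name, d.platform, *triage(d, now)) for d in devices]
    rows.sort(key=lambda r: r[2])
    return rows


# Constructed sample inventory (names, dates and states are made up for this example).
SAMPLE = [
    Device("fw-edge-01", "asa-hw", compromised=False, running_latest=False,
           end_of_support=date(2025, 9, 30)),                       # exactly on the cutoff
    Device("fw-edge-02", "asa-hw", compromised=True, running_latest=True,
           end_of_support=date(2026, 8, 31)),                       # patched but compromised
    Device("fw-vpn-03", "asav", compromised=False, running_latest=True),
    Device("fw-dc-04", "ftd", compromised=False, running_latest=False,
           latest_release_at=datetime(2025, 10, 10, 12, 0, tzinfo=EDT)),  # post-deadline release
    Device("fw-dc-05", "asa-hw", compromised=False, running_latest=False,
           end_of_support=date(2026, 8, 31),
           latest_release_at=datetime(2025, 9, 25, 9, 0, tzinfo=EDT)),    # missed Sept. 26
]

if __name__ == "__main__":
    for name, platform, status, note in build_report(SAMPLE, NOW_FOR_DEMO):
        print(f"{status:<12} {platform:<7} {note}")
```

Two design points: a compromised device is isolated even when it is fully patched, because the persistence lives in ROM rather than in the vulnerable code, and the end-of-support comparison uses `<=` so a device whose support ends exactly on Sept. 30, 2025 is decommissioned rather than patched.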
CISA will provide agencies with a reporting template to document actions taken in response to this directive. The agency will continue working to identify affected systems and potential compromises, issue partner notifications, and release additional guidance as needed. CISA can also provide technical assistance to agencies lacking the internal resources to comply. A consolidated report will be delivered to senior federal leadership outlining cross-agency progress and any unresolved issues.