Federal cybersecurity authorities have issued a top-level directive mandating U.S. civilian agencies to immediately detect, isolate, and patch certain Cisco firewall systems following active exploitation of zero-day vulnerabilities. The order, stemming from Emergency Directive 25-03 by CISA, targets two newly identified flaws (CVE-2025-20333 and CVE-2025-20362) in Cisco ASA and FTD software that attackers have successfully chained to gain remote code execution and persistence—even surviving reboots and firmware upgrades. The campaign, linked to the ArcaneDoor operation, reportedly leverages deep device tampering, disabled logging, and bootloader manipulation to persist in critical government networks. Many agencies are now racing to inventory affected systems and apply patches by tight deadlines or risk forced disconnection of unsupported devices.
Sources: Bleeping Computer, CyberScoop
Key Takeaways
– The zero-day flaws targeted (CVE-2025-20333 and CVE-2025-20362) allow attackers to bypass authentication, execute code, and remain persistent even across system updates.
– The CISA emergency directive demands federal agencies respond within a day—inventory devices, disconnect compromised units, apply patches, and retire end-of-support gear.
– The threat actor is tied to a sophisticated espionage campaign known as ArcaneDoor, which has previously compromised Cisco infrastructure globally using custom malware and boot-level exploits.
In-Depth
On September 25, 2025, CISA (the Cybersecurity and Infrastructure Security Agency) issued Emergency Directive 25-03, compelling federal civilian agencies to confront an immediate national cybersecurity emergency. The directive arises from active, sophisticated exploitation of newly discovered zero-day vulnerabilities in Cisco’s Adaptive Security Appliance (ASA) and Firepower / Threat Defense (FTD) firewalls. The duo of flaws—tracked as CVE-2025-20333 and CVE-2025-20362—are already being chained in live attacks to give attackers unauthenticated remote code execution and unauthorized access to restricted web endpoints. In real terms, hackers can breach firewall devices, implant malware, manipulate boot code to survive reboots, disable logging, crash devices to evade diagnostics, and maintain stealthy footholds in government networks.
CISA’s directive demands that agencies immediately catalog all Cisco ASA and Firepower devices in their environments, take forensic images of suspected systems, cut off any devices showing signs of compromise, apply the vendor’s patches where possible, and permanently decommission devices that are out of support—all by mid-day September 26 for patching, and by September 30 for device retirement of unsupported units. The urgency is extreme because these vulnerabilities are now listed in CISA’s Known Exploited Vulnerabilities catalog, meaning they are confirmed to be used in active attacks. As part of the mitigation, agencies also must submit reports on their findings, suspicious activity, and future action plans.
The cosmic significance here lies in attribution and persistence. Cisco and CISA link the campaign to a well-known espionage operation dubbed ArcaneDoor, first observed in 2023 and tied to custom malware (Line Dancer, Line Runner) and boot-level attacks. That suggests that the attackers are not amateur threat actors but state-level adversaries with deep knowledge of Cisco’s internal firmware, ROM monitors, and exploit chaining. Earlier ArcaneDoor strikes compromised global government entities by exploiting other zero-days in ASA/FTD systems; now, attackers have weaponized fresh vulnerabilities and turned them into a “living” threat that can survive firmware upgrades.
Adding to the concern: authorities in the UK’s NCSC warn that ASA 5500-X devices lacking secure boot protections are especially vulnerable. The complexity of these attacks underscores why edge firewalls and perimeter gear—long considered hardened enforcers of network security—are now prime targets. The flaws are no longer speculative risks but active, exploited gateways into critical infrastructure.
For federal agencies, private sector partners, and network defenders, the lesson is stark: assume perimeter devices may already be compromised, act quickly to rebuild trust in network boundaries, and prioritize lifecycle management so legacy gear doesn’t become an entry point. Time is short, complexity is high, and adversaries appear to be one step ahead.