    Federal Agencies Urged to Patch Cisco Firewalls Amid Active Exploitation


    A sharp warning has been issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to federal agencies: two critical vulnerabilities in Cisco Adaptive Security Appliance (ASA) and Firepower devices—CVE-2025-20333 (remote code execution) and CVE-2025-20362 (privilege escalation)—are being actively exploited by threat actors, yet many agencies that reported systems as “patched” are still running insecure versions. According to reports, the agency found devices that had been updated but not to a version that corrects the vulnerability, and continues to track thousands of internet-connected devices still at risk. CISA’s Emergency Directive 25-03 mandated the fixes and additional forensic procedures, stressing that federal agencies must update all ASA and Firepower devices—not just those exposed to the internet—and verify compliance immediately.

    Sources: Bleeping Computer, Help Net Security

    Key Takeaways

    – Federal agencies remain vulnerable despite patch reports: CISA found devices labeled “patched” that still run software versions open to exploitation.

    – Two major vulnerabilities in Cisco ASA/Firepower gear—one allowing remote code execution, the other privilege escalation—are being exploited in real-world campaigns.

    – CISA’s directive demands full coverage—including internal devices, not only public-facing firewalls—and mandates forensic action, version verification, and potential device decommissioning where patches cannot be applied.

    In-Depth

    The federal government has been put on high alert by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) after discovering that multiple civilian agencies remain exposed to two serious flaws in Cisco firewall hardware and software, even after receiving clear instructions to patch them. The vulnerabilities—tracked as CVE-2025-20333 (remote code execution) and CVE-2025-20362 (privilege escalation)—are especially dangerous when chained, because an attacker gaining access via CVE-2025-20362 can then exploit CVE-2025-20333 to achieve full control of the device. Security firm research links the campaign exploiting them to the long-running “ArcaneDoor” group.

    CISA’s Emergency Directive 25-03, originally issued in late September, required agencies using Cisco ASA or Firepower devices to immediately update to fixed versions, conduct forensic activity, disconnect compromised gear, and report status. However, the update this week from CISA makes one thing very clear: the job is not done. Some agencies delivered status updates claiming “patched” devices, yet investigations reveal those devices may still run vulnerable software versions or may not have been subjected to full forensic verification. In effect, a “patched” label does not mean “secure.”

    Further compounding the risk: the vulnerabilities are not limited to the devices facing the public internet. Internal devices, VPN-backhaul endpoints, and other firewall equipment isolated from external traffic are still in scope. CISA emphasizes that all devices—public or internal—need attention. The practical challenge is significant: many federal systems run older hardware, or software versions that must be updated via special-release channels, and some still run firewalls at or beyond vendor support end-dates. One recent industry bulletin noted that more than 30,000 Cisco ASA/Firepower devices remain vulnerable online.

    From a conservative security posture, the implications are stark. Agencies entrusted with some of the nation’s most sensitive data remain exposed to infiltration via perimeter devices—precisely the equipment meant to be a first line of defense. A breach of a firewall doesn’t just mean stolen data; it could mean attacker persistence, lateral movement, and undetected exfiltration for months. The fact that agencies may have ticked the “patch applied” box without verifying versions or conducting forensic checks undermines the credibility of patch-compliance reporting.

    To illustrate: suppose a federal agency applied a software update, but it installed version 9.12.4.70 instead of the required 9.12.4.72 (the fixed release). Even though an update was applied, the device remains vulnerable. Because of real-world exploits, CISA recommends agencies also execute “core dump and hunt” instructions to look for signs of compromise, such as modified ROMMON (bootloader) code or disabled logging. This is especially vital because attackers may persist through reboots and upgrades.

    What should agencies (and indeed any organization using similar gear) do now? First, compile an inventory of all ASA and Firepower devices, including those not facing the public internet. Second, confirm the exact software version and patch level against Cisco’s advisories and CISA’s version-tables. Third, run the forensic procedures provided by CISA to detect signs of compromise; if detected, isolate or decommission as needed. Fourth, consider device replacement if hardware is end-of-life or cannot be upgraded to a safe version. Fifth, document everything both for internal compliance and for oversight purposes—especially given the federal government’s accountability protocols.
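
The version check from the second step above, as an added example (not code from the article, CISA or Cisco): it compares each device's running version with the fixed release instead of trusting the reported status. The hostnames, the inventory layout, the 9.99 train and the `(major, minor)` train key are assumptions; only 9.12.4.70 and 9.12.4.72 come from the article.

```python
import re

# Fixed release per software train, keyed by (major, minor).
# Only the 9.12 entry comes from the article's illustration; fill in the other
# trains from Cisco's advisories and CISA's version tables before real use.
FIXED_RELEASES = {(9, 12): (9, 12, 4, 72)}

# Accepts both dotted (9.12.4.70) and parenthesised (9.12(4)70) notation.
_VERSION_RE = re.compile(r"\d+\.\d+(\.\d+|\(\d+\))?(\.?\d+)?")

def parse_version(text):
    """Turn '9.12.4.70' or '9.12(4)70' into a 4-tuple of ints."""
    text = text.strip()
    if not _VERSION_RE.fullmatch(text):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple(parts + [0] * (4 - len(parts)))

def assess(reported_status, version_text):
    """Judge a device by its running version, not by its reported label."""
    try:
        running = parse_version(version_text)
    except ValueError:
        return "unverified: version not parseable"
    fixed = FIXED_RELEASES.get(running[:2])
    if fixed is None:
        return "unverified: no fixed release on file for this train"
    if running >= fixed:
        return "validated"
    if reported_status == "patched":
        return "misreported: below fixed release"
    return "vulnerable"

def audit(inventory):
    """Map each host to its assessment."""
    return {d["host"]: assess(d["reported"], d["version"]) for d in inventory}

# Constructed inventory; includes internal devices, which are also in scope.
INVENTORY = [
    {"host": "edge-fw-01", "reported": "patched", "version": "9.12.4.72"},
    {"host": "edge-fw-02", "reported": "patched", "version": "9.12(4)70"},
    {"host": "core-fw-01", "reported": "pending", "version": "9.12.4.70"},
    {"host": "lab-fw-01", "reported": "patched", "version": "9.99.1.1"},
    {"host": "vpn-fw-01", "reported": "patched", "version": "unknown"},
]

if __name__ == "__main__":
    for host, result in audit(INVENTORY).items():
        print(f"{host:12} {result}")
```

A "validated" result only confirms the version; the forensic checks in the third step still apply to every device.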

    On the broader front, this situation underscores a recurring theme in government cybersecurity: issuing directives is only the first step; enforcing compliance and verifying outcomes is where the real work lies. From a policy and governance perspective, this incident reinforces the need for tighter vendor-support lifecycle management, continuity planning for critical security appliances, and stronger mechanisms to ensure patching isn’t just reported, but validated. For national security, the stakes are high: the adversaries targeting these flaws are real, sophisticated, and persistent.

    In short, this is not a classic “apply patch and forget” moment—it’s a reminder that in cybersecurity, the “final mile” of verifying full remediation is where too many organizations falter. Federal agencies must now move from “patch applied” to “patch validated and device cleared.” The private sector should take note: if the federal government can struggle with this, chances are many smaller organizations are in even greater peril. Vigilance, verification, and thorough device remediation are non-negotiable.
