CISA Issues Emergency Directive: Zero-Day Attacks on Cisco Firewalls Pose Global Threat
The world’s leading cybersecurity agencies have issued urgent warnings of a critical threat to global network infrastructure: vulnerabilities in Cisco Adaptive Security Appliances (ASA) and Firepower systems are under heavy, coordinated attack. The alarm was triggered by an emergency order from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which released Emergency Directive 25-03, requiring all federal civilian agencies to immediately audit and secure their devices in an effort to halt a sweeping campaign by malicious actors.
The incident involves the exploitation of several previously unknown flaws in Cisco systems that enable remote execution of arbitrary code without authentication, and even the alteration of ROM modules to maintain persistence after reboots and updates. Both ASA and Firepower Threat Defense (FTD) appliances are affected.
Cisco has linked these attacks to the ArcaneDoor campaign, first observed in 2024. While some modern Firepower devices equipped with Secure Boot can detect tampering, a substantial number of ASA appliances remain entirely vulnerable.
The crisis has reverberated far beyond the United States. France’s national cybersecurity authority, CERT-FR, issued bulletin CERTFR-2025-ALE-013, confirming that vulnerabilities CVE-2025-20333 and CVE-2025-20362 are being actively exploited in various ASA and FTD versions. The Australian Cyber Security Centre (ACSC) has advised owners of ASA 5500-X devices to disable IKEv2 and SSL VPN services until patches are available. Meanwhile, Canada’s Cyber Centre has warned of a globally circulating, highly sophisticated malware strain that poses an acute risk to end-of-life devices no longer supported by Cisco.
Directive 25-03 lays out strict requirements for U.S. agencies. By the end of September, organizations must submit memory dumps of all internet-exposed ASA devices to CISA, disconnect and quarantine any compromised equipment, update all software, and begin decommissioning hardware with support ending on September 30, 2025.
For models supported until August 2026, all updates must be applied within 48 hours of release. By October 2, 2025, every agency must deliver a full report on the status of their infrastructure and the remediation steps taken.
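The remediation timeline above is easiest to track as a per-device checklist. The following Python helper is an added illustration, not code from the article or from CISA, and it applies the directive's rules as summarised here to a constructed inventory: the device records, field names, the specific support-end dates and the reading of "within 48 hours of release" as a deadline measured from the vendor's patch timestamp are all assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Cut-offs as summarised in the article: hardware whose support ends on
# 2025-09-30 is to be decommissioned; supported models get 48 h to patch.
END_OF_SUPPORT_CUTOFF = date(2025, 9, 30)
PATCH_WINDOW = timedelta(hours=48)


@dataclass
class Appliance:
    """One ASA/FTD device in the inventory (hypothetical schema)."""
    hostname: str
    internet_exposed: bool
    support_ends: date
    compromised: bool = False
    patch_released: datetime | None = None  # when the fix became available (assumed field)
    patched_at: datetime | None = None      # when the fix was applied, if at all


def triage(dev: Appliance, now: datetime) -> list[str]:
    """Return the directive actions that apply to a single device.

    Order of checks mirrors the directive: quarantine compromised gear first,
    collect memory dumps from anything internet-exposed, retire end-of-life
    hardware, and hold supported hardware to the 48-hour patch window.
    """
    actions: list[str] = []
    if dev.compromised:
        actions.append("disconnect_and_quarantine")
    if dev.internet_exposed:
        actions.append("submit_memory_dump")
    if dev.support_ends <= END_OF_SUPPORT_CUTOFF:
        actions.append("decommission")
    elif dev.patch_released is not None:
        deadline = dev.patch_released + PATCH_WINDOW
        if dev.patched_at is None:
            actions.append("patch_overdue" if now > deadline else "patch_pending")
        elif dev.patched_at > deadline:
            actions.append("patched_late")
        else:
            actions.append("patched_in_window")
    else:
        actions.append("await_patch")
    return actions


# Constructed sample inventory; hostnames and timestamps are made up.
SAMPLE_INVENTORY = [
    Appliance("asa-edge-1", True, date(2025, 9, 30)),
    Appliance("ftd-dc-2", True, date(2026, 8, 31),
              patch_released=datetime(2025, 9, 25, 14, 0)),
    Appliance("asa-branch-3", False, date(2026, 8, 31), compromised=True,
              patch_released=datetime(2025, 9, 25, 14, 0),
              patched_at=datetime(2025, 9, 26, 10, 0)),
    Appliance("asa-lab-4", False, date(2026, 8, 31)),
]


def run_report(now: datetime = datetime(2025, 10, 1, 12, 0)) -> dict[str, list[str]]:
    """Map each hostname to its outstanding directive actions as of `now`."""
    return {dev.hostname: triage(dev, now) for dev in SAMPLE_INVENTORY}


if __name__ == "__main__":
    for host, actions in run_report().items():
        print(f"{host:14} {', '.join(actions)}")
```

Running the script prints one line per device; the same function can be pointed at a real inventory export once the fields are mapped. The `now` argument is deliberately explicit so the report can be regenerated for the 2 October and 1 February reporting dates without changing the code.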
These directives extend not only to federal hardware but also to infrastructure hosted by third-party and cloud providers, including FedRAMP-certified vendors. Agencies remain accountable for compliance across all environments. For those lacking sufficient technical expertise, CISA has offered the assistance of specialized teams.
A consolidated compliance report is scheduled for delivery by February 1, 2026, to the U.S. Department of Homeland Security, the National Cyber Director, the Office of Management and Budget (OMB), and the Federal Chief Information Security Officer. Private sector organizations and international companies are also strongly urged to adopt the same measures—dump collection, compromise analysis, and immediate patching—to detect potential exploitation.
Ultimately, the entire Cisco ASA ecosystem is at risk, including legacy devices that no longer receive updates. International bulletins underscore the severity of the situation: this is a large-scale, coordinated global attack with the potential to cripple critical systems unless urgent defensive measures are taken.