Overview
- Cisco released emergency fixes for ASA/FTD flaws CVE-2025-20333 and CVE-2025-20362, which investigators say were used together to gain full control of targeted devices.
- CISA’s Emergency Directive 25-03 requires federal agencies to inventory all ASA and Firepower gear, collect memory forensics, patch within 24 hours, disconnect compromised units, and retire end‑of‑support models.
- Cisco reports attackers modified ROMMON for persistence on older ASA 5500‑X devices lacking Secure Boot and Trust Anchor protections, including 5512‑X, 5515‑X, 5525‑X, 5545‑X, 5555‑X, and 5585‑X.
- UK NCSC, ACSC, and Canada’s cyber center issued parallel alerts, published malware analyses for RayInitiator and LINE VIPER, and urged password, key, and certificate rotation plus replacement of legacy hardware.
- A separate IOS/IOS XE SNMP zero‑day (CVE-2025-20352) was patched after in‑the‑wild exploitation. It potentially affects up to two million devices with SNMP enabled, and the only temporary mitigation is restricting SNMP access.