Particle.news
Download on the App Store
15 ARTICLES
·
2h ago

CISA Issues Emergency Order as Cisco Firewall Zero-Days Are Actively Exploited

The emergency order follows Cisco's disclosure of ASA/FTD flaws tied to the ArcaneDoor espionage campaign.

Cisco
The logo of U.S. networks giant Cisco Systems is seen in front of their headquarters in Issy-les-Moulineaux, near Paris, France August 6, 2022. REUTES/Sarah Meyssonnier/File Photo
Cisco Systems headquarters in San Jose, California, US, on Monday, Aug. 14, 2023.
Cisco zero-day

Overview

  • Emergency Directive 25-03 compels federal agencies to inventory ASA and Firepower devices, perform forensics, disconnect any compromised systems, and patch unaffected ones by 12 p.m. EDT on September 26, with end-of-support units to be removed by September 30.
  • Cisco identified two exploited VPN web server flaws—CVE-2025-20333 enabling root code execution with valid VPN credentials and CVE-2025-20362 allowing access to restricted URLs without authentication—that can be chained for full device takeover.
  • CISA added the two vulnerabilities to its Known Exploited Vulnerabilities catalog and urged nonfederal organizations to mirror the same actions as Cisco credited ACSC, the Canadian Centre for Cyber Security, the UK NCSC, and CISA for support.
  • Forensic analysis describes advanced evasion and persistence, including disabled logging, intercepted CLI commands, deliberate crashes, and ROMMON modification on ASA 5500-X devices with VPN web services enabled.
  • Cisco separately patched an actively exploited SNMP stack overflow in IOS and IOS XE (CVE-2025-20352) that enables DoS or root-level RCE on devices with SNMP enabled, with no full workaround beyond upgrading and temporary SNMP restrictions, and researchers estimate up to roughly 2 million devices could be susceptible.