Particle.news

CISA Orders Emergency Fixes as Cisco Firewall Zero-Days Are Actively Exploited

Federal agencies face 24-hour deadlines to inventory devices, collect forensics, patch affected firewalls, then retire unsupported models due to ROMMON-level persistence.

Overview

  • CISA issued Emergency Directive 25-03 and added CVE-2025-20333 and CVE-2025-20362 to its KEV catalog, citing unacceptable risk from ongoing exploitation of Cisco ASA and Firepower devices.
  • Cisco released patches for the ASA/FTD VPN web server flaws, warning that attackers can chain them to gain full control, and noted a third bug (CVE-2025-20363) is patched but not known to be exploited.
  • Agencies must identify all ASA and Firepower appliances, submit memory forensics, isolate any compromised devices, patch by September 26 at noon ET, and permanently disconnect end-of-support hardware by September 30.
  • Cisco linked the intrusions to the ArcaneDoor threat cluster (UAT4356/Storm-1849) and documented evasion tactics including disabled logging, intercepted CLI commands, and deliberate device crashes.
  • Investigations found ROMMON modifications on legacy ASA 5500-X models that lack Secure Boot or Trust Anchor, prompting guidance to update, rotate credentials and keys, validate ROM checks, and replace unsupported devices. Separately, Cisco also patched an actively exploited IOS/IOS XE SNMP zero-day (CVE-2025-20352) affecting systems with SNMP enabled.