(TLP:CLEAR) CISA Releases Implementation Guidance for Emergency Directive 25-03 on Cisco ASA and Firepower Devices
Created: Thursday, November 13, 2025 - 14:45
Categories: Cybersecurity, Federal & State Resources, Security Preparedness
Summary: Yesterday, CISA published formal Implementation Guidance to assist federal agencies in addressing critical vulnerabilities in Cisco Adaptive Security Appliances (ASA) and Firepower devices, which were addressed in an Emergency Directive issued in late September. Importantly, threat actors continue to target these devices, and an organization’s mitigation actions may be incomplete if it upgraded to a software version that is still vulnerable and if it didn’t address both CVEs.
CISA’s Emergency Directive 25-03, which was released on September 25, 2025, discussed widespread exploitation of two zero-day vulnerabilities – CVE-2025-20333 and CVE-2025-20362 – to gain unauthenticated remote code execution on ASAs and to manipulate read-only memory (ROM) in order to persist through reboot and system upgrade. According to CISA’s just-released Implementation Guidance, federal agencies updated their software in response to the vulnerabilities, but some updated to a version that is still vulnerable to the threat activity. The Implementation Guidance clarifies that the Emergency Directive requires federal agencies to update all ASA and Firepower devices, not just public-facing devices, to the latest patch immediately to avoid exploitation. It also emphasizes that federal agencies need to be running minimum required software versions that mitigate both CVEs.
Analyst Note: The vulnerabilities pose significant risk to any organization that uses the affected devices and that hasn’t already completed mitigation actions, including non-federal agencies. Although CISA’s Emergency Directive and accompanying Implementation Guidance are specifically intended for federal agencies, WaterISAC urges utilities to also follow them to address critical vulnerabilities. WaterISAC reported on CISA’s issuance of the Cisco-related Emergency Directive at the end of September.
Several aspects of these vulnerabilities deserve attention, including the ability of threat actors to maintain persistence through reboots and system upgrades (through specially designed malware), the chaining of vulnerabilities to allow an attacker to take over a device, and the alleged involvement of a state-sponsored threat actor in this activity (although it has not been divulged or confirmed which state the threat actor is associated with). In the past, Chinese-affiliated threat actors have targeted Cisco devices to gain access to critical infrastructure entities.
These aspects highlight the persistent and advanced nature of many of the threats facing critical infrastructure organizations today, necessitating vigilance for suspicious or malicious activity within networks and quick responses when such activity is identified or threatened.
Original Source: https://www.cisa.gov/news-events/alerts/2025/11/12/update-implementation-guidance-emergency-directive-cisco-asa-and-firepower-device-vulnerabilities
Additional Reading:
Related WaterISAC PIRs: 6, 7, 10, 12
