(TLP:CLEAR) CISA Sends Emergency Directive to Mitigate Potential Compromise of Cisco Devices, Threat Actors Actively Target Cisco Vulnerabilities
Created: Thursday, September 25, 2025 - 15:09
Categories: Cybersecurity, Federal & State Resources, Security Preparedness
Summary: Today, CISA issued Emergency Directive ED 25-03, “Identify and Mitigate Potential Compromise of Cisco Devices,” and highlighted an ongoing campaign by an advanced threat actor targeting Cisco Adaptive Security Appliances (ASA). The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) so that the implant persists through reboots and system upgrades.
CISA has assessed that the following CVEs pose an unacceptable risk to federal information systems and mandates that they be addressed immediately through the actions outlined in the directive. WaterISAC urges utilities to follow the directive’s guidance as well and address the following vulnerabilities:
- CVE-2025-20333 – allows for remote code execution (a buffer overflow in the VPN web server)
- CVE-2025-20362 – allows for privilege escalation (a missing-authorization flaw in the VPN web server that lets an unauthenticated remote attacker reach restricted URL endpoints; chained with CVE-2025-20333 it yields unauthenticated remote code execution)
Additionally, yesterday Cisco patched CVE-2025-20352, a stack-based buffer overflow in the Simple Network Management Protocol (SNMP) subsystem of IOS and IOS XE Software, and confirmed that it is being exploited in the wild. All SNMP versions (v1, v2c and v3) are affected. An attacker holding only a read-only SNMPv1/v2c community string or valid SNMPv3 credentials can cause a denial-of-service (DoS) condition; an attacker who also holds administrative (privilege 15) credentials on the device can achieve remote code execution (RCE). Because the device must have SNMP enabled to be affected, restricting SNMP access to trusted management hosts reduces exposure until the patch is applied. The vulnerability also affects Meraki MS390 and Catalyst 9300 Series Switches running Meraki CS 17 and earlier.
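The preconditions above (SNMP enabled, a v1/v2c community string or SNMPv3 credentials, and for RCE also privilege 15) are all visible in a device's configuration, so a utility can triage its fleet from saved configs before patching. The following audit script is an added example written for this advisory; it is not WaterISAC's or Cisco's tooling. It parses a `show running-config` text and flags SNMP being configured at all, v1/v2c communities, communities with no ACL or an undefined ACL, and SNMPv3 groups below the `priv` security level. The two configuration excerpts are constructed for the demo and do not come from a real device.

```python
"""Audit SNMP exposure in a saved Cisco IOS / IOS XE running-config (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    message: str


# Constructed sample: default community, unrestricted RW community, v3 group below 'priv'.
WEAK_CONFIG = """\
hostname dist-sw1
!
snmp-server community public RO
snmp-server community s3cr3t RW SNMP-MGMT
snmp-server group LEGACY-NMS v3 auth
snmp-server host 10.10.0.5 version 2c public
!
"""

# Constructed sample: SNMPv3 authPriv only, polled from a single ACL-restricted host.
# (On IOS the 'snmp-server user' lines are not shown in running-config; use 'show snmp user'.)
HARDENED_CONFIG = """\
hostname dist-sw1
!
ip access-list standard SNMP-MGMT
 permit 10.10.0.5
 deny   any log
!
snmp-server group NMS-GROUP v3 priv
snmp-server host 10.10.0.5 version 3 priv nmsuser
!
"""


def defined_acls(config: str) -> set[str]:
    """Return the names/numbers of ACLs actually defined in the config."""
    acls: set[str] = set()
    for line in config.splitlines():
        m = re.match(r"ip(?:v6)? access-list (?:standard |extended )?(\S+)", line)
        if m:
            acls.add(m.group(1))
        m = re.match(r"access-list (\d+)\s", line)
        if m:
            acls.add(m.group(1))
    return acls


def audit_snmp(config: str) -> list[Finding]:
    """Return findings describing the SNMP attack surface exposed by `config`."""
    findings: list[Finding] = []
    acls = defined_acls(config)
    snmp_lines = [ln.strip() for ln in config.splitlines()
                  if ln.strip().startswith("snmp-server ")]
    if not snmp_lines:
        return findings  # SNMP not configured: the vulnerable subsystem is not reachable

    for line in snmp_lines:
        tokens = line.split()
        if tokens[1] == "community" and len(tokens) >= 3:
            name, rest = tokens[2], tokens[3:]
            if "view" in rest:  # drop the optional 'view <name>' pair
                i = rest.index("view")
                del rest[i:i + 2]
            mode, acl = "RO", None
            while rest:
                tok = rest.pop(0)
                if tok.upper() in ("RO", "RW"):
                    mode = tok.upper()
                elif tok.lower() == "ipv6" and rest:
                    acl = rest.pop(0)  # 'ipv6 <nacl>'
                else:
                    acl = tok  # trailing IPv4 ACL name or number
            findings.append(Finding("high", f"v1/v2c community '{name}' ({mode}) is accepted; "
                                            f"a read-only community suffices for the CVE-2025-20352 DoS"))
            if name.lower() in ("public", "private"):
                findings.append(Finding("high", f"community '{name}' is a well-known default"))
            if acl is None:
                findings.append(Finding("high", f"community '{name}' is not restricted by an ACL"))
            elif acl not in acls:
                findings.append(Finding("high", f"community '{name}' references ACL '{acl}' which is not defined"))
        elif tokens[1] == "group" and len(tokens) >= 5 and tokens[3] == "v3":
            level = tokens[4].lower()
            if level in ("noauth", "auth"):
                findings.append(Finding("medium", f"SNMPv3 group '{tokens[2]}' runs at '{level}'; "
                                                  f"use 'priv' so traffic is authenticated and encrypted"))
    return findings


def summarize(config: str) -> dict:
    """Fleet-level view: is SNMP on, and how many high/medium findings does the config carry?"""
    findings = audit_snmp(config)
    return {
        "snmp_enabled": any(ln.strip().startswith("snmp-server ") for ln in config.splitlines()),
        "high": sum(f.severity == "high" for f in findings),
        "medium": sum(f.severity == "medium" for f in findings),
    }


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, summarize(cfg))
        for f in audit_snmp(cfg):
            print(f"  [{f.severity}] {f.message}")
```

Run it over exported configs (RANCID, Oxidized, NetBox backups or a plain `show running-config` capture) to rank which devices to patch first. Note that the hardened excerpt still reports `snmp_enabled: True`: restricting SNMP to an ACL and SNMPv3 `priv` shrinks who can reach the vulnerable subsystem, but anyone holding valid credentials can still trigger CVE-2025-20352, so the script is a prioritization aid, not a substitute for the fixed software.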
Analyst Note: WaterISAC strongly recommends that utilities address the Cisco vulnerabilities above by following the actions described in CISA’s emergency directive. Cisco has also recently patched 13 other security vulnerabilities, including two for which proof-of-concept exploit code is publicly available. As threat actors are actively targeting vulnerable Cisco devices, WaterISAC encourages members to be especially attentive to vulnerability management for their Cisco devices at this time.
Original Source: https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices
Additional Reading:
- Cisco IOS and IOS XE Software SNMP Denial of Service and Remote Code Execution Vulnerability https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-x4LPhte
- Cisco Event Response: September 2025 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75296
- Cisco warns of IOS zero-day vulnerability exploited in attacks https://www.bleepingcomputer.com/news/security/cisco-warns-of-ios-zero-day-vulnerability-exploited-in-attacks/
Related WaterISAC PIRs: 6, 7, 10, 12