Authority & Scope
Under federal law (44 U.S.C. § 3553(h)), the Secretary of Homeland Security has the authority to issue emergency directives when a credible cybersecurity threat poses a significant risk to government systems. This authority is delegated to the Cybersecurity and Infrastructure Security Agency (CISA). All federal civilian agencies are required to follow such directives, with the exception of designated “national security systems” and networks run by the Department of Defense or the Intelligence Community.
Threat Overview
CISA has identified an ongoing campaign by a sophisticated adversary targeting Cisco Adaptive Security Appliances (ASA). Attackers are exploiting previously unknown flaws to execute malicious code remotely and tamper with device firmware to maintain persistence, even after reboots or upgrades.
Cisco has linked this activity to the ArcaneDoor campaign first exposed in 2024, noting that adversaries have successfully manipulated ASA memory since at least that year. The same weaknesses also affect certain Cisco Firepower models, although Firepower’s Secure Boot process can flag unauthorized firmware modifications.
CISA has confirmed that two critical flaws require immediate action:
- CVE-2025-20333 – enables remote code execution
- CVE-2025-20362 – allows privilege escalation
Required Actions for Federal Agencies
Agencies must take the following steps without delay:
- Inventory Devices
  Identify all Cisco ASA units (hardware, service modules, virtual appliances, and firmware running on Firepower 2100/4100/9300 series) and all Cisco Firepower Threat Defense (FTD) appliances.
- Forensic Collection & Analysis
  - Follow CISA’s “Core Dump and Hunt” instructions and submit results to the Malware Next Gen portal by September 26, 2025 (11:59 PM EDT).
  - If compromise is confirmed: disconnect the device from the network (without powering it down), notify CISA, and coordinate on remediation.
  - If no compromise is detected: continue with patching and lifecycle actions as below.
- Patch or Decommission
  - Devices past end-of-support (as of Sept. 30, 2025) must be permanently removed from service. Agencies unable to meet this deadline must apply the latest updates and report their mitigation plan to CISA.
  - Devices supported through Aug. 31, 2026 must receive the latest Cisco updates by Sept. 26, 2025, with all future updates applied within 48 hours of release.
  - All ASAv and Firepower FTD appliances must follow the same update schedule.
- Reporting & Compliance
  Agencies must submit a full inventory report of affected products and remediation actions by Oct. 2, 2025 (11:59 PM EDT). This applies even to systems hosted in third-party environments (e.g., FedRAMP cloud providers). Agencies are responsible for tracking compliance with vendors.
CISA’s Role
- Provide standardized reporting templates.
- Analyze submissions and notify affected entities.
- Offer technical assistance to agencies lacking in-house expertise.
- Deliver a comprehensive cross-agency status report to senior federal leadership by Feb. 1, 2026.
Resources
- Reporting and support: CyberDirectives@cisa.dhs.gov
- Compromise reporting: contact@cisa.dhs.gov
- Technical guidance: CISA directives portal
Non-federal organizations are encouraged, though not required, to follow the same procedures to assess and protect their Cisco devices.
This directive underscores the urgency of patching Cisco ASA and Firepower devices due to active exploitation campaigns that pose serious risks to U.S. federal systems.