US Government tells agencies to patch Cisco firewalls immediately, or face attack
State-sponsored attacker is leveraging two Cisco zero-days

- CISA warns of active exploitation of two critical Cisco vulnerabilities
- Attackers modify ROM to persist across reboots; linked to state-sponsored group ArcaneDoor
- Agencies must patch, analyze, and report Cisco device status by October 2, 2025
The US Cybersecurity and Infrastructure Security Agency (CISA) is urging government agencies to address two worrying Cisco security vulnerabilities, warning threat actors are actively exploiting the flaws.
As per Emergency Directive 25-03, published on September 25, 2025, CISA said there is a “widespread” attack campaign targeting Cisco Adaptive Security Appliances (ASA) and Firepower firewall devices.
In the campaign, the attackers are modifying read-only memory (ROM) to persist across reboots and upgrades. To achieve this persistence, threat actors are leveraging two flaws: CVE-2025-20333 (remote code execution), and CVE-2025-20362 (privilege escalation). While the latter has a medium rating (6.3/10), the former is deemed critical, with a 9.9/10 score.
State activity
To make matters worse, Cisco believes the two issues are being exploited by a group tracked as ArcaneDoor (or Storm-1849 by Microsoft).
The cybersecurity community believes ArcaneDoor to be a state-sponsored threat actor, but it is not yet known which state it belongs to.
“Cisco assesses that this campaign is connected to the ArcaneDoor activity identified in early 2024 and that this threat actor has demonstrated a capability to successfully modify ASA ROM at least as early as 2024,” CISA said in the report.
Now, federal agencies must act quickly and defend their infrastructure, or risk getting attacked.
That includes running inventory of all Cisco ASA and Firepower devices, running forensic analysis using CISA’s core dump and hunt instructions, disconnecting compromised or end-of-life devices, and applying updates. After that, agencies are ordered to report their findings and inventory back to CISA by October 2, 2025.
In the meantime, both vulnerabilities were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, giving federal agencies a three-week deadline (until October 16) to patch up or stop using the vulnerable tools altogether.
CISA did not mention who ArcaneDoor is targeting, but generally speaking, besides government and public sector organizations, Cisco’s ASA and Firepower devices are widely used by enterprises and corporations, managed security service providers, and education & research firms.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.