CISA Instructs Federal Agencies to Patch Zero-Day Flaws in Cisco Firewall Devices
Updated: September 26, 2025, 16:15 EDT
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive to federal agencies to patch two zero-day vulnerabilities that affect certain Cisco Systems Inc. devices, specifically the ASA 5500-X Series family of firewall appliances. The directive was announced on Thursday, and it comes as a response to a growing threat landscape that highlights the importance of timely software updates.
The Vulnerabilities
The two zero-day vulnerabilities in question are CVE-2025-20362 and CVE-2025-20333. The former allows attackers to bypass the VPN's authentication and reach network assets that are normally off-limits. The latter allows attackers to gain root access on the device and carries a severity rating of 9.9 out of a maximum of 10.
The Exploitation Scenario
According to Cisco, the vulnerabilities can be exploited only on devices where customers have enabled the built-in virtual private networking (VPN) feature. In that scenario, the VPN service is the entry point used to reach otherwise restricted network assets or to gain root access on the appliance itself.
The State-Backed Hacking Campaign
Cisco has linked the exploitation of these vulnerabilities to a state-backed hacking campaign dubbed ArcaneDoor, first discovered in 2024. The campaign exploits zero-day vulnerabilities to gain unauthenticated remote code execution on Cisco ASA Series firewalls and manipulates read-only memory (ROM) so that the intrusion persists through reboots and system upgrades.
The Bootkit Malware
Hackers used the disclosed zero-day flaws to install bootkit malware. When users power on an infected device, the bootkit activates before the operating system launches. This allows the malware to remain on a system even if administrators reboot it or update the onboard firmware.
The Impact of the Attack
Cisco determined that the hackers used the vulnerabilities to download data, install malware, and run terminal commands. The hackers actively worked to evade detection, disabling compromised devices' logging mechanism, which made it more difficult to collect technical data about the breaches. In some cases, the hackers crashed infected systems to prevent diagnosis.
The Fix
Cisco patched the vulnerabilities on Thursday and also released a fix for a third vulnerability that affects several of its software products. So far, Cisco has found no indication that this third flaw is being used in attacks.
The Response from CISA
CISA has instructed federal agencies to create an inventory of the vulnerable ASA systems in their networks. If a device has been breached or won't be eligible for software updates after September 30, it must be disconnected. Devices that don’t meet those criteria must be patched by 11:59 p.m. EDT today.
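The directive's triage rules, as an added example that is not a CISA or Cisco tool: it sorts a constructed ASA inventory into disconnect, patch and compliant buckets and, going one step beyond the text, ranks unpatched VPN-enabled devices first because Cisco states that only those are exploitable. The record fields and hostnames are assumptions made for illustration.

```python
"""Triage helper for the CISA ASA directive (added example, not a CISA/Cisco tool).
Inventory field names and sample hosts are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AsaDevice:
    hostname: str
    vpn_enabled: bool                 # VPN feature on: the exploitable population per Cisco
    breached: bool                    # compromise confirmed by incident response
    supported_after_2025_09_30: bool  # still eligible for software updates after Sept 30
    patched: bool                     # fixed release already installed


def triage(dev: AsaDevice) -> str:
    """Map one device to the action the directive requires.

    Order matters: a breached device is disconnected even if it could be patched,
    and an unsupported device is disconnected even if no breach was found.
    """
    if dev.breached or not dev.supported_after_2025_09_30:
        return "disconnect"
    if not dev.patched:
        # Priority split is this example's own: VPN-enabled devices are the exposed ones.
        return "patch-urgent" if dev.vpn_enabled else "patch"
    return "compliant"


def triage_inventory(devices):
    """Return {hostname: action}, ordered so disconnects come first, then urgent patches."""
    rank = {"disconnect": 0, "patch-urgent": 1, "patch": 2, "compliant": 3}
    ordered = sorted(devices, key=lambda d: rank[triage(d)])  # stable sort keeps input order within a bucket
    return {d.hostname: triage(d) for d in ordered}


# Constructed sample inventory covering each branch of the rules
INVENTORY = [
    AsaDevice("asa-edge-1", vpn_enabled=True,  breached=True,  supported_after_2025_09_30=True,  patched=True),
    AsaDevice("asa-edge-2", vpn_enabled=True,  breached=False, supported_after_2025_09_30=True,  patched=False),
    AsaDevice("asa-lab-9",  vpn_enabled=False, breached=False, supported_after_2025_09_30=False, patched=False),
    AsaDevice("asa-dc-3",   vpn_enabled=False, breached=False, supported_after_2025_09_30=True,  patched=False),
    AsaDevice("asa-dc-4",   vpn_enabled=True,  breached=False, supported_after_2025_09_30=True,  patched=True),
]

if __name__ == "__main__":
    for host, action in triage_inventory(INVENTORY).items():
        print(f"{host:12s} {action}")
```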
The Importance of Software Updates
This incident highlights the importance of timely software updates and the need for federal agencies to prioritize their cybersecurity efforts. The use of zero-day vulnerabilities and the installation of bootkit malware demonstrate the sophistication and persistence of state-backed hacking campaigns, making it essential for organizations to stay vigilant and proactive in protecting themselves against these threats.
Finding Out More
If you are a federal agency or have an organization that uses Cisco firewall devices, it is crucial to check the official CISA website for more information on the patching process and potential vulnerabilities. Remember, software updates are essential to preventing cyberattacks, and prompt action can help protect your organization from these threats.