CISA just issued Emergency Directive 25‑03 mandating actions to identify and mitigate a campaign exploiting zero‑day vulnerabilities in Cisco ASA / Firepower devices. While the directive is written for federal agencies, the threat is relevant to any organization using those platforms. Below is a summary, risk assessment, and recommended mitigations — along with what Forward Networks is doing to support customers.
What’s Going On
- Campaign targets Cisco ASA and Firepower / FTD appliances
- Exploits include unauthenticated RCE and privilege escalation
- Persistence observed via ROM manipulation
- Linked to 'ArcaneDoor' activity
- CVEs: CVE‑2025‑20333 (RCE) and CVE‑2025‑20362 (privilege escalation)
- Directive mandates inventory, forensic dumps, patching, and reporting
Why This Matters to Forward Customers
If you rely on Cisco ASA, ASAv, or Firepower/FTD appliances in your network perimeter or DMZ, your infrastructure may be at risk of compromise, persistent code injections, or deeper intrusion. Because firmware/ROM can be manipulated, reboots or software updates may not fully remove attackers.
Recommended Mitigations & Immediate Actions
| Priority | Action | Notes / Considerations |
| Inventory | Identify all Cisco ASA and Firepower / FTD devices | Include dev/test instances |
| Forensic Dump & Hunt | Perform core dumps / forensic data collection | Use CISA’s Core Dump and Hunt instructions |
| Assess compromise | Submit dumps for analysis | If compromise detected, disconnect device (don’t power off) |
| Patch / Update / Replace | Apply latest Cisco firmware or updates | Decommission EoL platforms that cannot be patched |
| Isolate / Quarantine | Isolate suspected compromised devices | Work through incident response plan |
| External Reporting | Review obligations for reporting | Especially for regulated / critical sectors |
| Ongoing monitoring | Increase logging, anomaly detection, integrity monitoring | Look for persistence or firmware tampering |
How Forward Can Help
- Real-Time KEV Tracking: Forward Enterprise integrates directly with the CISA Known Exploited Vulnerabilities (KEV) database. Customers can filter their device inventory to immediately see which assets are impacted by actively exploited CVEs, including the newly added CVE-2025-20333 and CVE-2025-20362. Forward SaaS CVE databases are automatically updated with CVE definitions. On-prem customers can schedule automatic updates to their CVE database.
- NQE-Powered Queries: The CISA Emergency Directive 25-03 query (see NQE query below) that focuses specifically on the CVE's outlined in Emergency Directive 25-03. This provides a precise, always-up-to-date view of devices susceptible to these particular vulnerabilities.
- Granular Device Insights: With a few clicks, users can drill down from the Vulnerability tab into specific devices, review failing CVEs, and generate prioritized reports for remediation or patch planning.
- Automated Detection & Validation: As the KEV catalog updates, Forward automatically refreshes vulnerability status, ensuring security teams don’t miss new critical entries.
- Support & Guidance: Our team is available to help you run KEV queries, interpret results, and plan remediation or decommissioning actions for affected ASA / Firepower devices.
CISA Emergency Directive 25-03 NQE Query
/*
Find devices where NIST CVE's are in CISA Emergency Directive 25-03.
While the directive is written for federal agencies,
the threat is relevant to any organization using Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense platforms.
Organizations should use the CISA Emergency Directive 25-03 catalog as an input to their vulnerability management prioritization framework.
More info on the CISA website: https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices.
*/
ED2503 =
"""json
[{
"title": "CISA Emergency Directive 25-03: Cisco ASA / Firepower Vulnerabilities",
"vulnerabilities": [
{
"cveID": "CVE-2025-20362",
"vendorProject": "Cisco",
"product": "Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense",
"vulnerabilityName": "Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Missing Authorization Vulnerability",
"dateAdded": "2025-09-25",
"shortDescription": "Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a missing authorization vulnerability. This vulnerability could be chained with CVE-2025-20333.",
"requiredAction": "The KEV due date refers to the deadline by which FCEB agencies are expected to review and begin implementing the guidance outlined in Emergency Directive (ED) 25-03 (URL listed below in Notes). Agencies must follow the mitigation steps provided by CISA (URL listed below in Notes) and vendor\u2019s instructions (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.",
"dueDate": "2025-09-26",
"knownRansomwareCampaignUse": "Unknown",
"notes": "CISA Mitigation Instructions: https:\/\/www.cisa.gov\/news-events\/directives\/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices ; https:\/\/www.cisa.gov\/news-events\/directives\/supplemental-direction-ed-25-03-core-dump-and-hunt-instructions ; https:\/\/www.cisa.gov\/eviction-strategies-tool\/create-from-template ; https:\/\/sec.cloudapps.cisco.com\/security\/center\/resources\/asa_ftd_continued_attacks ; https:\/\/sec.cloudapps.cisco.com\/security\/center\/private\/resources\/asa_ftd_continued_attacks#Details ; https:\/\/sec.cloudapps.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-asaftd-webvpn-YROOTUW ; https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-20362",
"cwes": [
"CWE-862"
]
},
{
"cveID": "CVE-2025-20333",
"vendorProject": "Cisco",
"product": "Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense",
"vulnerabilityName": "Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) Buffer Overflow Vulnerability",
"dateAdded": "2025-09-25",
"shortDescription": "Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a buffer overflow vulnerability that allows for remote code execution. This vulnerability could be chained with CVE-2025-20362.",
"requiredAction": "The KEV due date refers to the deadline by which FCEB agencies are expected to review and begin implementing the guidance outlined in Emergency Directive (ED) 25-03 (URL listed below in Notes). Agencies must follow the mitigation steps provided by CISA (URL listed below in Notes) and vendor\u2019s instructions (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.",
"dueDate": "2025-09-26",
"knownRansomwareCampaignUse": "Unknown",
"notes": "CISA Mitigation Instructions: https:\/\/www.cisa.gov\/news-events\/directives\/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices ; https:\/\/www.cisa.gov\/news-events\/directives\/supplemental-direction-ed-25-03-core-dump-and-hunt-instructions ; https:\/\/www.cisa.gov\/eviction-strategies-tool\/create-from-template ; https:\/\/sec.cloudapps.cisco.com\/security\/center\/resources\/asa_ftd_continued_attacks ; https:\/\/sec.cloudapps.cisco.com\/security\/center\/private\/resources\/asa_ftd_continued_attacks#Details ; https:\/\/sec.cloudapps.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-asaftd-webvpn-z5xP8EUB ; https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-20333",
"cwes": [
"CWE-120"
]
}
]
}]
""";
getAllEd2503 =
foreach r in ED2503
foreach vuln in r.vulnerabilities
select vuln.cveID;
getED2503Attr(NistCve) =
foreach r in ED2503
foreach vuln in r.vulnerabilities
where matches(vuln.cveID, NistCve)
select {
ED2503AttrId: vuln.cveID,
ED2503AttrName: vuln.vulnerabilityName,
ED2503AttrAction: vuln.requiredAction,
ED2503AttrRansom: if vuln.knownRansomwareCampaignUse == "Known"
then true
else false,
ED2503AttrNotes: vuln.notes,
ED2503AttrDue: vuln.dueDate,
ED2503AttrVendor: vuln.vendorProject,
ED2503AttrProd: vuln.product
};
getImpactingCves(device) =
foreach cveFinding in device.cveFindings
where cveFinding.isVulnerable
select cveFinding;
getByBasis(impactingCves, basis) =
foreach cveFinding in impactingCves
where cveFinding.basis == basis
select cveFinding.cveId;
foreach device in network.devices
let impactingCves = getImpactingCves(device)
foreach deviceCVE in impactingCves
let ED2503Result = getED2503Attr(deviceCVE.cveId)
foreach i in ED2503Result
where matches(i.ED2503AttrId, deviceCVE.cveId)
select {
violation: true,
Device: device.name,
NistCVE: deviceCVE.cveId,
Basis: deviceCVE.basis,
ED2503Id: i.ED2503AttrId,
ED2503Name: i.ED2503AttrName,
Remedy: i.ED2503AttrAction,
KnownRansomWare: i.ED2503AttrRansom,
Notes: i.ED2503AttrNotes,
ED2503Vendor: i.ED2503AttrVendor,
ED2503Prod: i.ED2503AttrProd
}
What You Can Do Now
- Run your inventory — identify Cisco ASA / Firepower devices
- Engage network and security teams — treat this as high risk
- Plan for device replacement or migration if hardware is EoL
- Reach out to Forward Networks for assistance with forensics, patching, or isolation
Additional Resources:
