
CISA Warns of Federal Agencies Not Fully Patching Actively Exploited Cisco ASA or Firepower Devices

Posted on November 13, 2025 By CWS

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert regarding federal agencies failing to properly patch Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices against actively exploited vulnerabilities.

Under Emergency Directive 25-03, CISA has identified two severe CVEs posing unacceptable risks to federal information systems: CVE-2025-20333, which enables remote code execution, and CVE-2025-20362, which allows privilege escalation.

Patch Status on Critical Cisco Devices

Active exploitation of these vulnerabilities has been detected across federal civilian executive branch (FCEB) agencies.

The primary concern stems from a critical discovery during CISA’s analysis of agency compliance reports.

| CVE ID | Vulnerability Type | Impact |
| CVE-2025-20333 | Remote Code Execution | Allows unauthenticated attackers to execute arbitrary code |
| CVE-2025-20362 | Privilege Escalation | Allows authenticated attackers to escalate privileges |

Numerous devices marked as “patched” in official reporting templates were found running outdated software versions that remain vulnerable to active threats.

This discrepancy indicates that agencies misunderstood patch requirements or deployed incomplete updates.

CISA emphasizes that agencies must update ALL ASA and Firepower devices to the minimum required software versions, not just public-facing equipment.

Vulnerable software trains include ASA versions 9.12 through 9.22 and Firepower versions 7.0 through 7.6, each requiring specific minimum patch levels.

For ASA devices, the minimum required versions are: 9.12.4.72, 9.14.4.28, 9.16.4.85, 9.18.4.67, 9.20.4.10, and 9.22.2.14. ASA versions 9.17 and 9.19 require migration to supported releases.

Firepower devices must run at least 7.0.8.1, 7.2.10.2, 7.4.2.4, or 7.6.2.1, depending on their current release train. Emergency Directive 25-03 mandates patch deployment within 48 hours of release.
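An added example (not part of the original article or of CISA's tooling): a small Python check that compares each device's running version against the per-train minimums listed above and surfaces devices that fall short, including ones reported as patched. The inventory, device names and field names are constructed for illustration.

```python
import re

# Minimum fixed versions per release train, as listed in the article.
ASA_MIN = {"9.12": "9.12.4.72", "9.14": "9.14.4.28", "9.16": "9.16.4.85",
           "9.18": "9.18.4.67", "9.20": "9.20.4.10", "9.22": "9.22.2.14"}
ASA_MIGRATE = {"9.17", "9.19"}  # article: must migrate to a supported release
FTD_MIN = {"7.0": "7.0.8.1", "7.2": "7.2.10.2", "7.4": "7.4.2.4", "7.6": "7.6.2.1"}

def parse(version):
    """'9.16(4)85' or '9.16.4.85' -> (9, 16, 4, 85), padded to four fields."""
    nums = [int(n) for n in re.findall(r"\d+", version)]
    if len(nums) < 2:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple((nums + [0, 0])[:4])

def assess(platform, version):
    """Return (status, required_minimum_or_None) for one device."""
    v = parse(version)
    train = f"{v[0]}.{v[1]}"
    if platform == "asa" and train in ASA_MIGRATE:
        return "MIGRATE", None
    minimum = (ASA_MIN if platform == "asa" else FTD_MIN).get(train)
    if minimum is None:
        # The article gives no minimum for this train; needs manual review.
        return "UNLISTED_TRAIN", None
    return ("OK" if v >= parse(minimum) else "BELOW_MINIMUM"), minimum

def audit(inventory):
    """List every device that is not at or above its train's minimum."""
    findings = []
    for dev in inventory:
        status, minimum = assess(dev["platform"], dev["version"])
        if status != "OK":
            findings.append((dev["name"], status, minimum, dev["reported_patched"]))
    return findings

# Constructed inventory (hypothetical devices and reporting flags).
INVENTORY = [
    {"name": "edge-asa-01", "platform": "asa", "version": "9.16(4)85", "reported_patched": True},
    {"name": "core-asa-02", "platform": "asa", "version": "9.18.4.50", "reported_patched": True},
    {"name": "lab-asa-03", "platform": "asa", "version": "9.19.1.12", "reported_patched": False},
    {"name": "dc-ftd-01", "platform": "ftd", "version": "7.2.10.2", "reported_patched": True},
    {"name": "br-ftd-02", "platform": "ftd", "version": "7.4.2", "reported_patched": True},
]

if __name__ == "__main__":
    for name, status, minimum, reported in audit(INVENTORY):
        note = " (reported as patched)" if reported else ""
        print(f"{name}: {status}, requires {minimum or 'a supported train'}{note}")
```

Run against every ASA and Firepower device in the inventory, not only internet-facing ones, since the directive's minimums apply to all of them.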

Agencies operating public-facing ASA hardware must execute CISA’s Core Dump and Hunt procedures and submit findings via the Malware Next Gen portal before patching.

Non-compliant agencies must resubmit ED 25-03 compliance reports through CyberScope. CISA will directly contact identified non-compliant agencies to ensure corrective actions are completed immediately.

This enforcement action underscores the critical importance of comprehensive patching strategies across all device categories within federal networks.
