Cyber Web Spider Blog – News

CISA Warns of Federal Agencies Not Fully Patching Actively Exploited Cisco ASA or Firepower Devices

Posted on November 13, 2025 By CWS

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert regarding federal agencies failing to correctly patch Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices against actively exploited vulnerabilities.

Under Emergency Directive 25-03, CISA has identified two severe CVEs posing unacceptable risks to federal information systems: CVE-2025-20333, which enables remote code execution, and CVE-2025-20362, which allows privilege escalation.

Patch Status on Critical Cisco Devices

Active exploitation of these vulnerabilities has been detected across Federal Civilian Executive Branch (FCEB) agencies.

The primary concern stems from a critical discovery during CISA’s analysis of agency compliance reports.

| CVE ID | Vulnerability Type | Impact |
|---|---|---|
| CVE-2025-20333 | Remote Code Execution | Allows unauthenticated attackers to execute arbitrary code |
| CVE-2025-20362 | Privilege Escalation | Allows authenticated attackers to escalate privileges |

Numerous devices marked as “patched” in official reporting templates were found running outdated software versions that remain vulnerable to active threats.

This discrepancy indicates that agencies misunderstood patch requirements or deployed incomplete updates.

CISA emphasizes that agencies must update ALL ASA and Firepower devices to the minimum required software versions, not just public-facing equipment.

Vulnerable software trains include ASA versions 9.12 through 9.22 and Firepower versions 7.0 through 7.6, each requiring specific minimum patch levels.

For ASA devices, the minimum required versions are: 9.12.4.72, 9.14.4.28, 9.16.4.85, 9.18.4.67, 9.20.4.10, and 9.22.2.14. ASA versions 9.17 and 9.19 require migration to supported releases.

Firepower devices must run at least 7.0.8.1, 7.2.10.2, 7.4.2.4, or 7.6.2.1, depending on their current release train. Emergency Directive 25-03 mandates patch deployment within 48 hours of release.
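
The gap between a device reported as patched and the version it actually runs can be checked mechanically against the minimums listed above. The following is an added example, not code from CISA, Cisco, or this article's author: the hostnames and inventory are constructed, and it assumes versions are written either dotted (7.4.2.4) or in the parenthesised ASA form (9.16(4)85).

```python
# Minimum fixed releases per software train, copied from the article text.
MINIMUMS = {
    "ASA": {"9.12": "9.12.4.72", "9.14": "9.14.4.28", "9.16": "9.16.4.85",
            "9.18": "9.18.4.67", "9.20": "9.20.4.10", "9.22": "9.22.2.14"},
    "FTD": {"7.0": "7.0.8.1", "7.2": "7.2.10.2", "7.4": "7.4.2.4",
            "7.6": "7.6.2.1"},
}
MIGRATE = {"ASA": {"9.17", "9.19"}}  # trains that must move to a supported release

def parse(version):
    """'9.16(4)85' or '9.16.4.85' -> (9, 16, 4, 85); short versions pad with 0."""
    dotted = version.strip().replace("(", ".").replace(")", ".").strip(".")
    parts = dotted.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(version)
    return tuple(int(p) for p in parts) + (0,) * (4 - len(parts))

def status(product, version):
    """Return COMPLIANT, VULNERABLE, MIGRATE, or REVIEW (cannot decide)."""
    try:
        v = parse(version)
    except ValueError:
        return "REVIEW"  # fail closed: an unreadable version never counts as patched
    train = f"{v[0]}.{v[1]}"
    if train in MIGRATE.get(product, ()):
        return "MIGRATE"
    minimum = MINIMUMS.get(product, {}).get(train)
    if minimum is None:
        return "REVIEW"  # train or product not covered by the list above
    return "COMPLIANT" if v >= parse(minimum) else "VULNERABLE"

def misreported(inventory):
    """Devices self-reported as patched whose running version says otherwise."""
    return [(name, status(product, version))
            for name, product, version, reported_patched in inventory
            if reported_patched and status(product, version) != "COMPLIANT"]

# Constructed sample inventory: (hostname, product, running version, reported patched?)
INVENTORY = [
    ("fw-edge-01", "ASA", "9.16(4)85", True),
    ("fw-core-02", "ASA", "9.16(4)57", True),   # same train, below the minimum
    ("fw-lab-03",  "ASA", "9.17(1)39", True),   # internal device on a migrate-only train
    ("ftd-dc-04",  "FTD", "7.2.10.2",  False),
    ("ftd-br-05",  "FTD", "7.4.2",     True),   # missing the final patch level
]

if __name__ == "__main__":
    for name, verdict in misreported(INVENTORY):
        print(f"{name}: reported patched, actual status {verdict}")
```

Feeding it the running version from every ASA and Firepower device, internal ones included, matches the directive's scope of all devices rather than only public-facing equipment.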

Agencies operating public-facing ASA hardware must execute CISA’s Core Dump and Hunt procedures and submit findings via the Malware Next Gen portal before patching.

Non-compliant agencies must resubmit ED 25-03 compliance reports through CyberScope. CISA will directly contact identified non-compliant agencies to ensure corrective actions are completed immediately.

This enforcement action underscores the critical importance of comprehensive patching strategies across all device categories within federal networks.
