This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Emergency Directive 25-03: Identify and Mitigate Potential Compromise of Cisco Devices.
Section 3553(h) of title 44, U.S. Code, authorizes the Secretary of Homeland Security, in response to a known or reasonably suspected information security threat, vulnerability, or incident that represents a substantial threat to the information security of an agency, to “issue an emergency directive to the head of an agency to take any lawful action with respect to the operation of the information system, including such systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat.” 44 U.S.C. § 3553(h)(1)–(2). Section 2205(3) of the Homeland Security Act of 2002, as amended, delegates this authority to the Director of the Cybersecurity and Infrastructure Security Agency. 6 U.S.C. § 655(3). Federal agencies are required to comply with these directives. 44 U.S.C. § 3554 (a)(1)(B)(v). These directives do not apply to statutorily defined “national security systems” nor to systems operated by the Department of War or the Intelligence Community. 44 U.S.C. § 3553(d), (e)(2), (e)(3), (h)(1)(B).
V1: ED 25-03: Identify and Mitigate Potential Compromise of Cisco Devices
Original Issuance Date: September 25, 2025
Updated April 23, 2026
Background
CISA is issuing V1 to supersede the required actions in Emergency Directive (ED) 25-03: Identify and Mitigate Potential Compromise of Cisco Devices. V1 provides updated and new required actions, an additional reporting requirement, and applies to any agency running affected products. V1 expands on the original ED 25-03 requirements with required actions three, four, and six.
The revision to ED 25-03 is in response to updated cyber threat intelligence concerning threat actors retaining persistence and continued unauthorized access to Cisco Firepower and Secure Firewall products with Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. CISA analysis determines that applying the Cisco-provided security updates required by the original issuance of ED 25-03 does not necessarily remove an existing threat actor from the compromised device. Agencies who have completed the security update requirements are still susceptible to persistence and therefore must complete the updated required actions within this V1 ED.
CISA analysis continues to assess the following CVEs as an unacceptable risk to Federal Civilian and Executive Branch (FCEB) information systems:
- CVE-2025-20333 – allows for remote code execution
- CVE-2025-20362 – allows for privilege escalation
In conjunction with this ED update, CISA released the FIRESTARTER Backdoor Malware Analysis Report with further details about the threat actor activity, malware functionality, detection methods, and mitigations.
Scope
This Directive applies to agency assets in any federal information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information. This Directive does not apply to contractors, but FCEB agencies may need to modify contracts to comply with the required actions of this Directive.
For federal information systems hosted in third-party environments, each agency is responsible for maintaining an inventory of its information systems hosted in those environments (FedRAMP Authorized or otherwise) and obtaining status updates pertaining to, and to ensure compliance with, this Directive. Agencies should work through the FedRAMP program office to obtain these updates for FedRAMP-authorized cloud service providers and work directly with service providers that are not FedRAMP-authorized.
All other provisions specified in this Directive remain applicable.
Note: Entities outside of the FCEB that wish to perform the actions outlined in this section may follow the same CISA instructions to collect and upload a core dump file to CISA for analysis.
Required Actions
This ED requires agencies to take the following actions:
For all public-facing Cisco ASA devices:
- Immediately identify all Cisco ASA platforms (ASA hardware, ASA-Service Module [ASA-SM], ASA Virtual [ASAv]).
- For all public-facing Cisco ASA hardware appliances identified in required action 1, follow CISA’s step-by-step Core Dump and Hunt Instructions Parts 1-3 and submit core dump(s) via the Malware Next Gen portal by 11:59PM EST on September 26, 2025.
- If the result is “Compromise Detected,” agencies must immediately disconnect the device from their network (but do not power off), report the incident to CISA, and work with CISA on incident response and eviction actions.
- If the result is “No Compromise Detected”:
  - For ASA hardware models with an end-of-support date on or before September 30, 2025, take the following action:
    - Permanently disconnect these devices on or before September 30, 2025, as these legacy platforms/releases cannot meet current vendor support and update requirements.
    - Agencies that cannot meet this requirement must apply the latest Cisco-provided updates for software by 11:59PM EST on September 26, 2025, report to CISA mission critical needs preventing such action and plans for eventual decommissioning of the device as directed by requirement 5.
  - For ASA hardware models with an end-of-support date of August 31, 2026: Download and apply the latest Cisco-provided updates for software by 11:59PM EST on Sept. 26, 2025, and apply all subsequent updates via Cisco’s download portal within 48 hours of release.
  - [New Requirement] For any newly identified ASA hardware models, follow the requirements outlined in BOD 26-02: Mitigating Risk From End-of-Support Edge Devices.
- For all ASAv instances identified in required action 1, download and apply the latest Cisco-provided updates for software by 11:59PM EST on September 26, 2025, and apply all subsequent updates via Cisco’s download portal within 48 hours of release.
For public-facing Cisco Firepower and Secure Firewall devices:
- [New Requirement] Immediately identify all Firepower 1000, 2100, 4100, 9300 series and Secure Firewall 200, 1200, 3100, 4200, and 6100 series devices.
- [New Requirement] For devices identified in required action 3, follow CISA’s step-by-step Core Dump and Hunt Instructions and submit core dump(s) via the Malware Next Gen portal by 11:59PM EST on April 24, 2026.
- If the result is “Compromise Detected,” agencies must keep the device powered on, immediately disconnect the device from their network, report the incident to CISA, and work with CISA on incident response, forensics, and eviction actions.
- If the result is “No Compromise Detected,” agencies must:
  - Download and apply the latest Cisco-provided updates for software by 11:59PM EST on April 24, 2026. This includes:
    - The software updates to address CVE-2025-20333 and CVE-2025-20362, if not already patched; and,
    - The recently released patch created for this specific persistence issue (links provided by device type in CISA’s step-by-step Core Dump and Hunt Instructions).
  - Perform a hard reset of the device(s) by physically unplugging the device’s power supply, as a reboot is not sufficient to expunge the malware, no later than April 30, 2026.
  - Follow CISA’s step-by-step Core Dump and Hunt Instructions, which include further guidance if a hard reset of the device cannot occur immediately after patch implementation.
  - Apply all subsequent updates via Cisco’s download portal within 48 hours of release.
All agencies must:
- By 11:59 PM EST on October 2, 2025, report to CISA (using the provided template) a complete inventory of all instances of products within scope on agency networks, including details on actions taken and results.
- [New Requirement] By 11:59 PM EST on May 1, 2026, report to CISA (using the provided template) a complete inventory of all Firepower 1000, 2100, 4100, 9300 series and Secure Firewall 200, 1200, 3100, 4200, and 6100 series devices including details on actions taken and results.
CISA Actions:
- CISA will provide agencies with a template that will be used for reporting agency actions following the issuance of this Directive.
- CISA will continue efforts to identify instances and potential compromises associated with this threat activity, provide partner notifications, and will issue additional guidance and direction, as appropriate.
- CISA can provide technical assistance to agencies who are without internal capabilities sufficient to comply with this Directive.
- By February 1, 2026, CISA will provide a report to the Secretary of Homeland Security, the National Cyber Director, the Director of the Office of Management and Budget, and the Federal Chief Information Security Officer identifying cross-agency status and outstanding issues.
- [New Action] By August 1, 2026, CISA will provide an updated report to the Secretary of Homeland Security, the National Cyber Director, the Director of the Office of Management and Budget, and the Federal Chief Information Security Officer identifying cross-agency status and outstanding issues.
Additional Information
Visit https://www.cisa.gov/news-events/directives or contact the following for:
- General information, assistance, and reporting – CyberDirectives@cisa.dhs.gov
- Reporting indications of compromise – contact@cisa.dhs.gov
For more information on the threat actor activity, malware functionality, detection methods, and mitigations please see CISA’s FIRESTARTER Backdoor Malware Analysis Report https://www.cisa.gov/news-events/analysis-reports/ar26-113a
For further instructions on how to perform a “core dump” please visit https://cisa.gov/news-events/directives/supplemental-direction-ed-25-03-core-dump-and-hunt-instructions
For eviction guidance please visit https://www.cisa.gov/eviction-strategies-tool/create-from-template
ED 25-03 November 12, 2025 Implementation Note:
CISA is clarifying the necessary software versions to which agencies must update their Cisco devices in order to both comply with the ED 25-03 requirements and effectively secure in-scope Cisco devices from CVE-2025-20333 and CVE-2025-20362. Agencies should review the ED 25-03 Guidance for Device Updates and Patching for detailed information regarding the versions required to mitigate the vulnerabilities above and maintain compliance with the ED. CISA identified, through analysis of agency reported data, instances of agencies marking devices as “patched,” but which agencies updated to a version of the software that is still vulnerable to the threat activity outlined in the ED. Additionally, CISA has become aware that agencies have had trouble finding the latest software versions for Cisco ASA 5500-X Series models running Cisco ASA Software releases 9.12 or 9.14 with VPN web services enabled. For agencies with ASA or Firepower devices not yet updated to the necessary software versions or devices that were updated after September 26, 2025, CISA recommends additional actions to mitigate against ongoing and new threat activity. CISA urges all agencies with ASAs and Firepower devices to follow this guidance.
Background
CISA is aware of an ongoing exploitation campaign by an advanced threat actor targeting Cisco Adaptive Security Appliances (ASA). The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. This activity presents a significant risk to victim networks. Cisco assesses that this campaign is connected to the ArcaneDoor activity identified in early 2024 and that this threat actor has demonstrated a capability to successfully modify ASA ROM at least as early as 2024. These zero-day vulnerabilities in the Cisco ASA platform are also present in specific versions of Cisco Firepower. Firepower appliances' Secure Boot would detect the identified manipulation of the ROM.
CISA has assessed that the following CVEs pose an unacceptable risk to federal information systems:
- CVE-2025-20333 – allows for remote code execution
- CVE-2025-20362 – allows for privilege escalation
CISA mandates that these vulnerabilities be addressed immediately through the actions outlined in this Directive.
CISA is directing agencies to account for all Cisco ASA and Firepower devices, collect forensics and assess compromise via CISA-provided procedures and tools, disconnect end-of-support devices, and upgrade devices that will remain in service. These actions are directed to address the immediate risk, assess compromise, and inform analysis of the ongoing threat actor campaign.
Required Actions
This Emergency Directive requires agencies to take the following actions:
- Immediately identify all Cisco ASA platforms (ASA hardware, ASA-Service Module [ASA-SM], ASA Virtual [ASAv], and ASA firmware on Firepower 2100/4100/9300) and all Cisco Firepower Threat Defense (FTD) appliances.
For all public-facing Cisco ASA hardware appliances:
- Follow CISA’s step-by-step Core Dump and Hunt Instructions Parts 1-3 and submit core dump(s) via the Malware Next Gen portal by 11:59PM EDT on September 26, 2025.
- If the result is “Compromise Detected,” agencies must immediately disconnect the device from their network (but do not power off), report the incident to CISA, and work with CISA on incident response and eviction actions.
- If the result is “No Compromise Detected,” agencies may proceed to requirements 3 and 4.
If the result is “No Compromise Detected”:
- For ASA hardware models with an end-of-support date on or before September 30, 2025, take the following action:
  - Permanently disconnect these devices on or before September 30, 2025, as these legacy platforms/releases cannot meet current vendor support and update requirements.
  - Agencies that cannot meet this requirement must apply the latest Cisco-provided updates for software by 11:59PM EDT on September 26, 2025, report to CISA mission critical needs preventing such action and plans for eventual decommissioning of the device as directed by requirement 6.
- For ASA hardware models with an end-of-support date of August 31, 2026: Download and apply the latest Cisco-provided updates for software by 11:59PM EDT on September 26, 2025, and apply all subsequent updates via Cisco’s download portal within 48 hours of release.
For all ASAv and Firepower FTD:
- Download and apply the latest Cisco-provided updates for software by 11:59PM EDT on September 26, 2025, and apply all subsequent updates via Cisco’s download portal within 48 hours of release.
All agencies, regardless of the results of requirement 2, must:
- By 11:59 PM EDT on October 2, 2025, report to CISA (using the provided template) a complete inventory of all instances of products within scope on agency networks, including details on actions taken and results.
These required actions apply to agency assets in any federal information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.
For federal information systems hosted in third-party environments, each agency is responsible for maintaining an inventory of its information systems hosted in those environments (FedRAMP Authorized or otherwise) and obtaining status updates pertaining to, and to ensure compliance with, this Directive. Agencies should work through the FedRAMP program office to obtain these updates for FedRAMP-authorized cloud service providers and work directly with service providers that are not FedRAMP-authorized.
All other provisions specified in this Directive remain applicable.
Note: entities outside of the Federal Executive Branch that wish to perform the actions outlined in this section may follow the same CISA instructions to collect and upload a core dump file to CISA for analysis.
CISA Actions:
- CISA will provide agencies with a template that will be used for reporting agency actions following the issuance of this Directive.
- CISA will continue efforts to identify instances and potential compromises associated with this threat activity, provide partner notifications, and will issue additional guidance and direction, as appropriate.
- CISA can provide technical assistance to agencies who are without internal capabilities sufficient to comply with this Directive.
- By February 1, 2026, CISA will provide a report to the Secretary of Homeland Security, the National Cyber Director, the Director of the Office of Management and Budget, and the Federal Chief Information Security Officer identifying cross-agency status and outstanding issues.
Additional Information
Visit https://www.cisa.gov/news-events/directives or contact the following for:
- General information, assistance, and reporting – CyberDirectives@cisa.dhs.gov
- Reporting indications of compromise – contact@cisa.dhs.gov
For further instructions on how to perform a “core dump” please visit https://cisa.gov/news-events/directives/supplemental-direction-ed-25-03-core-dump-and-hunt-instructions
For eviction guidance please visit https://www.cisa.gov/eviction-strategies-tool/create-from-template