This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Emergency Directive 25-03: Identify and Mitigate Potential Compromise of Cisco Devices.
Section 3553(h) of title 44, U.S. Code, authorizes the Secretary of Homeland Security, in response to a known or reasonably suspected information security threat, vulnerability, or incident that represents a substantial threat to the information security of an agency, to “issue an emergency directive to the head of an agency to take any lawful action with respect to the operation of the information system, including such systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat.” 44 U.S.C. § 3553(h)(1)–(2). Section 2205(3) of the Homeland Security Act of 2002, as amended, delegates this authority to the Director of the Cybersecurity and Infrastructure Security Agency. 6 U.S.C. § 655(3). Federal agencies are required to comply with these directives. 44 U.S.C. § 3554 (a)(1)(B)(v). These directives do not apply to statutorily defined “national security systems” nor to systems operated by the Department of War or the Intelligence Community. 44 U.S.C. § 3553(d), (e)(2), (e)(3), (h)(1)(B).
| ED 25-03 November 12, 2025 Implementation Note |
|---|
| CISA is clarifying the software versions to which agencies must update their Cisco devices in order both to comply with the ED 25-03 requirements and to effectively secure in-scope Cisco devices against CVE-2025-20333 and CVE-2025-20362. Agencies should review the ED 25-03 Guidance for Device Updates and Patching for detailed information on the versions required to mitigate these vulnerabilities and maintain compliance with the ED. Through analysis of agency-reported data, CISA identified instances of agencies marking devices as “patched” after updating them to a software version that is still vulnerable to the threat activity outlined in the ED. Additionally, CISA has become aware that agencies have had trouble finding the latest software versions for Cisco ASA 5500-X Series models running Cisco ASA Software releases 9.12 or 9.14 with VPN web services enabled. For agencies with ASA or Firepower devices not yet updated to the necessary software versions, or with devices that were updated after September 26, 2025, CISA recommends additional actions to mitigate ongoing and new threat activity. CISA urges all agencies with ASA and Firepower devices to follow this guidance. |
Background
CISA is aware of an ongoing exploitation campaign by an advanced threat actor targeting Cisco Adaptive Security Appliances (ASA). The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. This activity presents a significant risk to victim networks. Cisco assesses that this campaign is connected to the ArcaneDoor activity identified in early 2024 and that this threat actor has demonstrated a capability to successfully modify ASA ROM at least as early as 2024. These zero-day vulnerabilities in the Cisco ASA platform are also present in specific versions of Cisco Firepower. Firepower appliances' Secure Boot would detect the identified manipulation of the ROM.
CISA has assessed that the following CVEs pose an unacceptable risk to federal information systems:
- CVE-2025-20333 – allows for remote code execution
- CVE-2025-20362 – allows for privilege escalation
CISA mandates that these vulnerabilities be addressed immediately through the actions outlined in this Directive.
CISA is directing agencies to account for all Cisco ASA and Firepower devices, collect forensics and assess compromise via CISA-provided procedures and tools, disconnect end-of-support devices, and upgrade devices that will remain in service. These actions are directed to address the immediate risk, assess compromise, and inform analysis of the ongoing threat actor campaign.
Required Actions
This Emergency Directive requires agencies to take the following actions:
- Immediately identify all Cisco ASA platforms (ASA hardware, ASA-Service Module [ASA-SM], ASA Virtual [ASAv], and ASA firmware on Firepower 2100/4100/9300) and all Cisco Firepower Threat Defense (FTD) appliances.
For all public-facing Cisco ASA hardware appliances:
- Follow CISA’s step-by-step Core Dump and Hunt Instructions Parts 1-3 and submit core dump(s) via the Malware Next Gen portal by 11:59PM EDT on September 26, 2025.
- If the result is “Compromise Detected,” agencies must immediately disconnect the device from their network (but do not power off), report the incident to CISA, and work with CISA on incident response and eviction actions.
- If the result is “No Compromise Detected,” agencies may proceed to requirements 3 and 4.
If the result is “No Compromise Detected”:
- For ASA hardware models with an end of support date on or before September 30, 2025, take the following action:
- Permanently disconnect these devices on or before September 30, 2025, as these legacy platforms/releases cannot meet current vendor support and update requirements.
- Agencies that cannot meet this requirement must apply the latest Cisco-provided software updates by 11:59PM EDT on September 26, 2025, and report to CISA the mission-critical needs preventing disconnection and their plans for eventual decommissioning of the device, as directed by requirement 6.
- For ASA hardware models with an end of support date of August 31, 2026: Download and apply the latest Cisco-provided updates for software by 11:59PM EDT on September 26, 2025, and apply all subsequent updates via Cisco’s download portal within 48 hours of release.
For all ASAv and Firepower FTD:
- Download and apply the latest Cisco-provided updates for software by 11:59PM EDT on September 26, 2025, and apply all subsequent updates via Cisco’s download portal within 48 hours of release.
All agencies, regardless of the results of requirement 2, must:
- By 11:59 PM EDT on October 2, 2025, report to CISA (using the provided template) a complete inventory of all instances of products within scope on agency networks, including details on actions taken and results.
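The required actions above form a decision tree per device: hunt public-facing ASA hardware first, isolate anything flagged as compromised, disconnect end-of-support hardware, update everything else, and report the whole inventory. The following Python script is an added example (not CISA's or Cisco's code) that applies that decision tree to a device inventory and also flags the problem called out in the Implementation Note: devices marked “patched” that are still below the fixed version. The inventory, the `Device` record layout and the `FIXED_VERSIONS` table are all constructed for the example; the version values in that table are placeholders and the real minimums must be taken from CISA's ED 25-03 Guidance for Device Updates and Patching.

```python
"""Triage a Cisco ASA/FTD inventory against the ED 25-03 decision tree.

Added example, not CISA's or Cisco's code. The inventory below and the
FIXED_VERSIONS table are constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# End-of-support cutoff named in the Directive: hardware with EoS on or
# before this date is to be permanently disconnected.
LEGACY_EOS_CUTOFF = date(2025, 9, 30)

# PLACEHOLDER minimum fixed versions per release train, constructed for this
# example. Real values come from the ED 25-03 patching guidance; do not copy
# these into a production check.
FIXED_VERSIONS = {
    "9.12": "9.12.4.999",
    "9.14": "9.14.4.999",
    "9.20": "9.20.3.999",
    "7.4": "7.4.2.999",
}


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '9.12.4.50' into (9, 12, 4, 50) so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


def release_train(v: str) -> str:
    """'9.12.4.50' -> '9.12'; the train selects which fixed version applies."""
    return ".".join(v.split(".")[:2])


def meets_fixed_version(version: str) -> bool:
    """True only if the running version is at or above the fixed version
    for its train. An unknown train is treated as NOT fixed, which is the
    safe default when the inventory contains a release the table lacks."""
    fixed = FIXED_VERSIONS.get(release_train(version))
    if fixed is None:
        return False
    return parse_version(version) >= parse_version(fixed)


@dataclass
class Device:
    name: str
    platform: str                # "asa-hw", "asav" or "ftd" (constructed labels)
    version: str
    public_facing: bool
    end_of_support: Optional[date]
    hunt_result: Optional[str]   # "compromise", "clean" or None (not yet hunted)
    marked_patched: bool = False # what the agency's own inventory claims


def triage(dev: Device) -> list[str]:
    """Return the ordered list of Directive actions that apply to one device."""
    actions: list[str] = []
    patched = meets_fixed_version(dev.version)

    # Implementation Note check: a "patched" claim must match the fixed version.
    if dev.marked_patched and not patched:
        actions.append("inventory error: marked patched but below fixed version")

    # Requirement 2: public-facing ASA hardware is hunted before anything else.
    if dev.platform == "asa-hw" and dev.public_facing:
        if dev.hunt_result is None:
            actions.append("collect core dump and submit via Malware Next Gen")
            return actions
        if dev.hunt_result == "compromise":
            actions.append("disconnect from network (do not power off) and report to CISA")
            return actions

    # Requirements 3 and 4: hardware is disconnected or updated based on EoS.
    # Simplification: non-public-facing hardware follows the same EoS rule.
    if dev.platform == "asa-hw":
        if dev.end_of_support is not None and dev.end_of_support <= LEGACY_EOS_CUTOFF:
            actions.append("permanently disconnect by 2025-09-30 (end of support)")
        elif not patched:
            actions.append("update to fixed version; apply subsequent updates within 48h")
    elif not patched:
        # ASAv and FTD: update only, no EoS disconnect clause.
        actions.append("update to fixed version; apply subsequent updates within 48h")

    # Requirement 6: every in-scope device goes into the inventory report.
    actions.append("report in inventory due 2025-10-02")
    return actions


def triage_inventory(devices: list[Device]) -> dict[str, list[str]]:
    return {d.name: triage(d) for d in devices}


# Constructed sample inventory covering each branch of the decision tree.
SAMPLE_INVENTORY = [
    Device("fw-edge-1", "asa-hw", "9.12.4.50", True, date(2025, 9, 30), "clean", marked_patched=True),
    Device("fw-edge-2", "asa-hw", "9.20.3.999", True, date(2026, 8, 31), "clean"),
    Device("fw-edge-3", "asa-hw", "9.14.4.10", True, date(2026, 8, 31), None),
    Device("fw-edge-4", "asa-hw", "9.14.4.10", True, date(2026, 8, 31), "compromise"),
    Device("vfw-1", "asav", "9.14.4.10", False, None, None, marked_patched=True),
    Device("ftd-1", "ftd", "7.4.2.1", True, None, None),
]

if __name__ == "__main__":
    for name, acts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: " + "; ".join(acts))
```

The ordering inside `triage` matters: a compromised device returns immediately, so no update action is ever emitted for it, which mirrors the Directive's instruction to isolate and engage CISA rather than patch over an implant. Treating an unknown release train as unpatched is deliberate; it surfaces gaps in the version table instead of silently passing them.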
These required actions apply to agency assets in any federal information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.
For federal information systems hosted in third-party environments, each agency is responsible for maintaining an inventory of its information systems hosted in those environments (FedRAMP Authorized or otherwise), obtaining status updates pertaining to this Directive, and ensuring compliance with it. Agencies should work through the FedRAMP program office to obtain these updates for FedRAMP-authorized cloud service providers and work directly with service providers that are not FedRAMP-authorized.
All other provisions specified in this Directive remain applicable.
Note: Entities outside of the Federal Executive Branch that wish to perform the actions outlined in this section may follow the same CISA instructions to collect and upload a core dump file to CISA for analysis.
CISA Actions
- CISA will provide agencies with a template that will be used for reporting agency actions following the issuance of this Directive.
- CISA will continue efforts to identify instances and potential compromises associated with this threat activity, provide partner notifications, and will issue additional guidance and direction, as appropriate.
- CISA can provide technical assistance to agencies that lack internal capabilities sufficient to comply with this Directive.
- By February 1, 2026, CISA will provide a report to the Secretary of Homeland Security, the National Cyber Director, the Director of the Office of Management and Budget, and the Federal Chief Information Security Officer identifying cross-agency status and outstanding issues.
Additional Information
Visit https://www.cisa.gov/news-events/directives or contact the following for:
- General information, assistance, and reporting – CyberDirectives@cisa.dhs.gov
- Reporting indications of compromise – contact@cisa.dhs.gov
For further instructions on how to perform a “core dump,” please visit https://cisa.gov/news-events/directives/supplemental-direction-ed-25-03-core-dump-and-hunt-instructions.
For eviction guidance, please visit https://www.cisa.gov/eviction-strategies-tool/create-from-template.