Today, CISA issued Emergency Directive ED 25-03: Identify and Mitigate Potential Compromise of Cisco Devices to address vulnerabilities in Cisco Adaptive Security Appliances (ASA) and Cisco Firepower devices. CISA has added vulnerabilities CVE-2025-20333 and CVE-2025-20362
to the Known Exploited Vulnerabilities Catalog.
The Emergency Directive requires federal agencies to identify, analyze, and mitigate potential compromises immediately. Agencies must:
- Identify all instances of Cisco ASA and Cisco Firepower devices in operation (all versions).
- Collect and transmit memory files to CISA for forensic analysis by 11:59 p.m. EST Sept. 26.
For detailed guidance, including additional actions tailored to each agency’s status, refer to the full Emergency Directive ED 25-03.
The following associated resources are available to assist agencies.
- Supplemental Direction ED 25-03: Core Dump and Hunt Instructions
- Eviction Strategies Tool with a Cisco ASA Compromise template to assemble a comprehensive eviction plan with distinct countermeasures for containment and eviction which can be tailored to individual network owners’ specific needs.
- Known Exploited Vulnerabilities Catalog
- Cisco Security Advisories:
CVE-2025-20333: Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Remote Code Execution VulnerabilityCVE-2025-20362: Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Unauthorized Access VulnerabilityUnited Kingdom National Cyber Security Centre (NCSC):
Malware Analysis Report: RayInitiator & LINE VIPERAlthough ED 25-03 and the associated supplemental guidance are directed to federal agencies, CISA urges all public and private sector organizations to review the Emergency Directive and associated resources and take steps to mitigate these vulnerabilities.
