November 12, 2025
Emergency Directive 25-03: Identify and Mitigate Potential Compromise of Cisco Devices states that CISA has assessed that the following CVEs pose an unacceptable risk to federal information systems:
- – allows for remote code execution
- – allows for privilege escalation
CISA mandates that these vulnerabilities be addressed immediately through the actions outlined in this Directive.
In its analysis of agency-reported data, CISA has identified devices that were marked as “patched” in the reporting template but were updated to a version of the software that is still vulnerable to the threat activity outlined in the ED. CISA is tracking active exploitation of these vulnerable versions in FCEB agencies. For agencies with ASA or Firepower devices not yet updated to the necessary software versions or devices that were updated after September 26, 2025, CISA recommends additional actions to mitigate against ongoing and new threat activity. CISA urges all agencies with ASAs and Firepower devices to follow this guidance. As a reminder, the ED requires that agencies update ALL ASA and Firepower devices, not just public-facing devices, to the latest patch immediately to avoid exploitation.
For further clarification, agencies need to be running the minimum required software versions that mitigate both CVEs identified in ED 25-03. Please see the tables below for relevant software trains: