CISA ED 25-03 Warns of Cisco ASA Device Compromises
Transcript
CISA ED 25-03 – Cisco Security Update: Multiple Critical Vulnerabilities Under Active Attack
Host: Chase Snyder
Recording Date: September 2025
Related Reading:
- Blog – Cisco SNMP Vulnerability CVE-2025-20352 Exploited in the Wild
- Blog – Surge in Cisco ASA Scanning Hints At Coming Cyberattacks
Current Threat Landscape Overview
Chase: Cisco is in the news and in the crosshairs of cyber attackers today, so we’re going to do a quick update on the threat landscape around Cisco, because there are several different threads happening: multiple CVEs under attack being reported by different agencies and different publications. It’s difficult to untangle, but anybody with Cisco Adaptive Security Appliances (ASA) and anybody with anything running Cisco IOS software needs to be aware and be moving urgently to mitigate these threats.
CISA Emergency Directive: Cisco ASA Vulnerabilities
Critical CVEs Under Attack
Chase: First up, CISA has issued an emergency directive, mandating federal agencies to identify and mitigate potential compromise of Cisco devices. Specifically, they’re identifying these two vulnerabilities in Cisco ASA, those adaptive security appliances, which function as a firewall and a VPN. The two vulnerabilities are designated CVE-2025-20333 and CVE-2025-20362, allowing respectively for remote code execution and privilege escalation.
ArcaneDoor Campaign Connection
Chase: They’re saying that they know of a widespread campaign exploiting these threats, and they associate it with ArcaneDoor activity identified about two years ago now. So this is an urgent thing to fix, and they have issued a series of required actions for all agencies that essentially has to be finished in a week, by October 2nd. So that is a tight timeline to be mitigating or getting compensating controls in for your Cisco ASA equipment.
Implications for Enterprise Organizations
Chase: Even though this emergency directive only actually applies to federal agencies, any organization, any enterprise (of which there are many) that has Cisco ASA devices should consider this a warning and should move urgently to patch these threats.
Separate Zero-Day Threat: IOS/IOS XE Vulnerability
Scale of Exposure
Chase: The other big story that’s happening right now is that Ars Technica wrote up that as many as two million Cisco devices affected by an actively exploited zero-day could be exposed to the internet. Basically they did a Shodan search and found up to two million devices that are affected by this SNMP vulnerability, which is designated CVE-2025-20352.
Important Distinction Between CVEs
Chase: That is only one digit different than the privilege escalation CVE that’s referenced in the CISA emergency directive. So make sure to be precise when you’re talking about and approaching these things, because there are two huge Cisco stories emerging right now that are not directly related, but obviously if you have Cisco gear, this is a red flag.
Chase: This story, this CVE discussed in the Ars Technica story and many other publications, affects the Cisco IOS and IOS XE operating systems. So many Cisco products run on these operating systems, but notably I think that the Adaptive Security Appliance referenced in the CISA document does not run on IOS. So these are two different lanes, but both things that are really important for you to address if you’re a Cisco shop.
GreyNoise Security Intelligence
Early Warning Signs
Chase: All of this follows on a report that was released by GreyNoise a couple of weeks ago about a huge spike in scanning of Cisco ASA devices. And they warned that there was a new vulnerability potentially incoming. They noticed that there was a big surge in scans for Cisco ASA devices. And it seems highly possible that now the Cisco ASA devices that were scanned and discovered at that time are under attack using these vulnerabilities that CISA is warning federal agencies to go patch.
Eclypsium’s Previous Analysis
Chase: At the time, Eclypsium ourselves also went and wrote up that the surge in Cisco ASA devices hints at coming cyber attacks. It sucks to be right about something like that. But at the time, we also enumerated various ways that Eclypsium is able to support in detecting and mitigating, and getting compensating controls in place, to protect your Cisco gear.
Eclypsium Support and Mitigation
Detection and Assessment Capabilities
Chase: Eclypsium scans down to the firmware and the component level to make sure that you don’t have vulnerable versions, or that you’re aware of any vulnerabilities in your Cisco gear. And we’re able to help detect and mitigate numerous CVEs, including things related to the ArcaneDoor campaign, as these two CVEs being warned about by CISA seem to be also related to that campaign.
End-of-Life Device Concerns
Chase: Particularly, we want folks to be concerned about their end-of-life devices, because EOL devices that stop getting patches and updates are much more likely to have some sort of vulnerability in them that attackers are likely to go after.
Getting Support
Chase: If you are needing support, whether you’re an Eclypsium customer or just someone who needs to figure out exactly what they need to do, please reach out.
Key Takeaways
- CISA has issued an emergency directive for federal agencies to patch Cisco ASA vulnerabilities CVE-2025-20333 and CVE-2025-20362 by October 2nd
- These ASA vulnerabilities are linked to the ArcaneDoor campaign and allow for remote code execution and privilege escalation
- A separate zero-day vulnerability (CVE-2025-20352) affects up to 2 million Cisco devices running the IOS/IOS XE operating systems
- GreyNoise had previously detected increased scanning activity targeting Cisco ASA devices
- Organizations with Cisco equipment should treat these as urgent threats requiring immediate attention
- End-of-life devices are particularly vulnerable and require special attention
- Eclypsium provides firmware-level scanning and vulnerability detection for Cisco infrastructure