CISA ED 25-03: Cisco ASA Exploited—What Orgs Must Do Now

TL;DR

On September 25, 2025, CISA issued Emergency Directive ED 25-03 requiring federal agencies to find and mitigate compromises of Cisco Secure Firewall ASA and Firepower devices, citing active exploitation of CVE-2025-20333 (RCE) and CVE-2025-20362 (auth bypass). These CVEs are now in the KEV catalog. A separate—but concurrent—zero-day (CVE-2025-20352) affects Cisco IOS/IOS XE’s SNMP subsystem and has massive internet exposure. Even if you’re not a federal agency, you should patch, audit for indicators of compromise, and lock down VPN web services now.

What’s new and why it matters

CISA’s directive explicitly names CVE-2025-20333 (remote code execution) and CVE-2025-20362 (privilege escalation/unauthorized access) as actively exploited and mandates specific actions on a tight timeline. The agency also put both into the Known Exploited Vulnerabilities catalog—an indicator that exploitation has moved beyond isolated incidents.

What the Cisco advisories say

Cisco’s PSIRT advisories describe CVE-2025-20333 as a VPN web server issue that can lead to root-level RCE on ASA/FTD appliances, and CVE-2025-20362 as a missing-authorization flaw allowing access to restricted endpoints on the same VPN web service. Cisco has also published “continued attacks” guidance consolidating mitigation and investigation pointers.

Don’t confuse ASA with the IOS/IOS XE zero-day

At the same time, Cisco disclosed CVE-2025-20352 in IOS/IOS XE SNMP, an actively exploited issue distinct from the ASA web-VPN problems. Reporting indicates exposure could reach into the millions of devices on public networks, underscoring how perimeter gear remains a prime target. Check both tracks in your patch plans.

Pre-exploitation signal: scanning spikes

GreyNoise flagged two late-August scanning surges against ASA portals—more than 25,000 unique IPs—well above baseline, a classic harbinger of incoming exploitation and consistent with what we’re now seeing post-disclosure.

What to do today

Inventory every ASA/FTD and confirm software versions against Cisco advisories. Patch or apply the prescribed mitigations immediately, especially if VPN web services are exposed to the internet. Review logs and configs for evidence of tampering (e.g., disabled logging, unusual crashes) and hunt for web-service anomalies tied to the VPN portals. If you operate IOS/IOS XE devices, apply the SNMP advisory guidance and consider temporarily restricting SNMP exposure where feasible until updates are rolled out. Finally, treat end-of-life hardware as high risk and plan for accelerated replacement.
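As an added example (not from CISA, Cisco, or the original post), the script below audits exported ASA and IOS/IOS XE running-configs for the exposure and tampering signals the steps above call out: a VPN web service enabled on an untrusted interface, logging switched off, and SNMP communities with no access-list restriction or a well-known default string. The sample configs are constructed, the convention that `security-level 0` marks an internet-facing interface is an assumption, and the checks are text pattern matches only; they say nothing about whether a device is running a fixed version, which still has to be confirmed against the Cisco advisories.

```python
"""Audit Cisco ASA and IOS/IOS XE running-config text for exposure and
tampering signals (added example; pattern matching only, not a vulnerability
scanner)."""
import re

# Constructed sample ASA running-config excerpt (not from a real device).
ASA_CONFIG = """\
hostname edge-asa-1
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
webvpn
 enable outside
 anyconnect enable
no logging enable
snmp-server host inside 10.10.10.5 community ***** version 2c
"""

# Constructed sample IOS XE running-config excerpt (not from a real device).
IOS_CONFIG = """\
hostname core-rtr-1
snmp-server community public RO
snmp-server community netops RW 10
logging buffered 64000
"""


def audit_asa(config: str) -> list[str]:
    """Return findings for an ASA config: webvpn on untrusted interfaces and
    disabled logging (assumption: security-level 0 == untrusted interface)."""
    findings = []
    untrusted = set()
    current = None
    for line in config.splitlines():
        m = re.match(r"\s*nameif (\S+)", line)
        if m:
            current = m.group(1)
        elif current and re.match(r"\s*security-level 0\b", line):
            untrusted.add(current)

    # 'enable <ifname>' inside the top-level webvpn block exposes the VPN web
    # service on that interface.
    in_webvpn = False
    for line in config.splitlines():
        if line.startswith("webvpn"):
            in_webvpn = True
            continue
        if in_webvpn and not line.startswith(" "):
            in_webvpn = False
        if in_webvpn:
            m = re.match(r"\s*enable (\S+)", line)
            if m and m.group(1) in untrusted:
                findings.append(f"webvpn enabled on untrusted interface {m.group(1)}")

    # Absent 'logging enable' (or an explicit 'no logging enable') means the
    # device is not producing syslog, one of the tampering signs to look for.
    if not re.search(r"^logging enable\s*$", config, re.M):
        findings.append("logging is not enabled (check for tampering)")
    return findings


def audit_ios(config: str) -> list[str]:
    """Return findings for an IOS/IOS XE config: SNMP communities without an
    access-list and communities using well-known default strings."""
    findings = []
    pattern = r"^snmp-server community (\S+) (RO|RW)(?: (\S+))?"
    for m in re.finditer(pattern, config, re.M):
        name, mode, acl = m.groups()
        if acl is None:
            findings.append(f"SNMP community '{name}' ({mode}) has no access-list restriction")
        if name.lower() in {"public", "private"}:
            findings.append(f"SNMP community '{name}' uses a well-known default string")
    return findings


if __name__ == "__main__":
    for label, result in (("ASA", audit_asa(ASA_CONFIG)), ("IOS", audit_ios(IOS_CONFIG))):
        print(f"{label}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

Run it against `show running-config` output saved to a file per device; an empty result means none of these specific signals were seen, not that the device is clean or patched.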

References

  • CISA ED 25-03: “Identify and Mitigate Potential Compromise of Cisco Devices” (Directive + required actions).
  • CISA Alert: Announcement and KEV additions for CVE-2025-20333 and CVE-2025-20362 (Sept. 25, 2025).
  • Cisco PSIRT (ASA/FTD): CVE-2025-20333 remote code execution (VPN web server).
  • Cisco PSIRT (ASA/FTD): CVE-2025-20362 missing authorization (VPN web server).
  • Cisco advisory (IOS/IOS XE): CVE-2025-20352 SNMP vulnerability.
  • GreyNoise: Surge in ASA scanning ahead of exploitation.
  • NVD entries: Technical summaries for CVE-2025-20333 and CVE-2025-20362.
  • Tenable / Unit 42 context: FAQ and third-party analysis of the ASA/FTD zero-days.