The Cybersecurity and Infrastructure Security Agency (CISA) on Sept. 25 ordered that federal agencies patch two vulnerabilities in Cisco ASA and Firepower firewall devices, one of them critical, that were exploited in the wild.CISA identified two vulnerabilities: CVE-2025-20333, a critical 9.9 remote code execution flaw, and CVE-2025-20362, a medium-severity 6.5 privilege escalation bug.According to CISA, attacks on Cisco ASA firewalls represent a widespread campaign connected to ArcaneDoor, a state-sponsored threat actor targeting Cisco gear that the large networking vendor initially identified in April 2024."This is an important alert,” said Jason Fruge, resident CISO at XM Cyber. “Advanced threat actors are increasingly leveraging multiple CVEs in combination — even those with lower individual severity ratings — to maximize their impact and persistence.”Fruge said this threat demands immediate action from all users of the affected Cisco ASA products, not just federal agencies. “Organizations must take CISA’s warning seriously and apply the necessary patches without delay,” said Fruge.David Matalon, chief executive officer at Venn, added that when a critical firewall vulnerability surfaces, it’s a reminder of just how much trust organizations place in perimeter defenses — and how quickly that trust can be undermined.“Firewalls are often seen as the first and last line of defense, which makes them a prime target for attackers,” said Matalon. “Security teams need to patch immediately, but also recognize that patching alone isn’t a strategy. These events highlight why organizations should assume that edge devices can and will be compromised, and why security models must extend beyond the perimeter to protect data at the user and device level.Heath Renfrow, co-founder and chief information security officer at Fenix24, said CISA doesn’t issue emergency directives lightly. Renfrom said the agency sent a clear signal that Cisco ASA/Firepower edge devices are being actively targeted and that exploitation is straightforward enough for an actor to gain persistence and pivot into networks.Renfrow offered the following advice to security teams:
- Identify and account for every ASA/FTD, including any forgotten branch or lab units. If it’s at end-of-support, disconnect it.
- Patch immediately to Cisco’s fixed releases and follow Cisco’s “continued attacks” guidance. Do not wait for a maintenance window.
- Assume attackers have already hit the edge. Pull device tech-support bundles and run compromise assessments using CISA’s procedures; if indicators are found, treat the device as compromised infrastructure (wipe/rebuild from known-good images, not just patch-in-place).
- Reduce attack surface immediately: If the team doesn’t need WebVPN/Clientless SSL VPN, turn it off. Restrict management plane (no Internet-exposed ASDM/SSH/HTTPS; use out-of-band/VPN-only admin). Geo/IP allow-lists and no split-tunnel admin paths.
- Rotate local/admin accounts on the devices, rotate AnyConnect and IdP secrets, and invalidate cached SSO sessions that touched the ASA/FTD.
- Enable detailed logging, export to the SIEM, and hunt for anomalous WebVPN requests and config changes around the disclosure window; add IDS/IPS detections from your vendor.
- Create temporary VPN access restrictions (per-user, per-group, per-country). Rate-limit and WAF/CDN in front of portal if feasible. Short-term maintenance banners to discourage portal probing. (These buy time, they don’t fix exposure.)




