Executive Summary

CISA has issued an urgent update to its implementation guidance for Emergency Directive 25-03, originally released in September 2025. The directive addresses two critical, actively exploited vulnerabilities in Cisco Adaptive Security Appliances (ASA) and Firepower devices: CVE-2025-20333 (RCE, CVSS 9.9) and CVE-2025-20362 (Privilege Escalation, CVSS 6.5). Despite the initial warning, threat actors, including the China-linked group Storm-1849 (also known as ArcaneDoor), continue to exploit these flaws. CISA's new guidance, released on November 12, warns that many organizations failed to apply the correct software versions, leaving their edge devices vulnerable. The update provides clear instructions for corrective patching and additional steps for potentially compromised devices.

Threat Overview

The continued exploitation of these Cisco vulnerabilities highlights a persistent challenge in cybersecurity: the gap between patch availability and successful patch deployment. The two vulnerabilities, when chained, allow a remote attacker to execute arbitrary code and gain full control of a device. Nation-state actors like Storm-1849 are particularly interested in these flaws, as compromising edge devices like the Cisco ASA provides a strategic foothold for long-term persistence, espionage, and reconnaissance within target networks.

CISA's investigation found that many federal agencies and other organizations believed they were protected after applying updates, but had not installed the minimum required software versions specified by Cisco, thus remaining vulnerable. This gap in compliance has allowed attackers to continue their campaigns unabated.

Vulnerability Details

• CVE-2025-20333 - Cisco ASA and FTD Software Remote Code Execution Vulnerability (KEV)

  • CVSS Score: 9.9 (Critical)
  • Impact: Allows an unauthenticated, remote attacker to execute arbitrary code on an affected device.

• CVE-2025-20362 - Cisco ASA and FTD Software Privilege Escalation Vulnerability (KEV)

  • CVSS Score: 6.5 (Medium)
  • Impact: Allows an authenticated, local attacker to escalate privileges to the root level.

CISA's Updated Guidance

The new guidance from November 12 provides several key directives:

1. Corrective Patching: Agencies are instructed to verify that they have installed the correct, specific software versions required to mitigate the vulnerabilities, not just any recent update.
2. Additional Mitigations: For devices that were not patched correctly by the original September 26 deadline, CISA recommends additional mitigation and hunting actions, as these devices should be considered potentially compromised.
3. Forensic Analysis: CISA is urging organizations to use its provided RayDetect scanner tool to analyze Cisco ASA core dumps for signs of compromise, specifically looking for implants or modifications associated with the Storm-1849 threat actor.

Impact Assessment

The failure to correctly patch these critical vulnerabilities leaves organizations, including federal agencies, exposed to espionage and network intrusion by sophisticated state-sponsored actors. A compromised network security appliance is a catastrophic failure, as it can be used to bypass all other network defenses, monitor traffic, and serve as a persistent beachhead for deeper attacks. The focus on these edge devices by groups like Storm-1849 underscores their value as primary targets for intelligence gathering.

Detection & Response

• Run RayDetect Scanner: All organizations with Cisco ASA devices should use CISA's RayDetect tool to scan core dumps for evidence of compromise. This is a critical step, especially for devices not patched by the original deadline.
• Log and Traffic Analysis: Monitor firewall logs for any anomalous activity, such as unexpected reboots, configuration changes, or outbound connections from the device itself. Use Network Traffic Analysis (D3-NTA) to spot suspicious C2 traffic.
• Integrity Monitoring: Monitor the integrity of the device's operating system and configuration files for any unauthorized changes. This is an application of D3FEND's System File Analysis (D3-SFA).

Mitigation and Remediation

• Verify Patches: Do not assume you are safe. Verify that the exact software versions specified in Cisco's and CISA's advisories are installed. Remove the device from the network and re-image it if the correct version is not applied.
• Apply Updates: If not already done, immediately apply the correct patches to all vulnerable Cisco ASA and Firepower devices. This is a direct application of D3FEND's Software Update (D3-SU).
• Restrict Management Access: The management interfaces of these devices should never be exposed to the internet. Restrict access to a dedicated, secure management network. Implement Network Isolation (D3-NI) for management planes.
• Assume Compromise: For any device that was vulnerable and internet-facing after the exploits became public, organizations should assume compromise and initiate their incident response and threat hunting procedures.