The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert: federal agencies are failing to properly patch Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices against actively exploited vulnerabilities.
Under Emergency Directive 25-03, CISA has identified two severe CVEs posing unacceptable risks to federal information systems:
CVE-2025-20333, a buffer overflow in the VPN web server that lets an attacker holding valid VPN credentials execute arbitrary code on the device, and CVE-2025-20362, a missing-authorization flaw that lets an unauthenticated attacker reach restricted VPN web server endpoints. Chained together, the two give an unauthenticated attacker remote code execution.
Patch Status on Critical Cisco Devices
Active exploitation of these vulnerabilities has been detected across federal civilian executive branch (FCEB) agencies.

CVE ID           Vulnerability Type                              Impact
CVE-2025-20333   Remote code execution (VPN web server)          An attacker with valid VPN credentials can execute arbitrary code on the device
CVE-2025-20362   Missing authorization (authentication bypass)   An unauthenticated attacker can access restricted VPN web server endpoints

The primary concern stems from a discovery made during CISA's review of agency compliance reports: numerous devices marked as "patched" in the official reporting templates were found to be running outdated software versions that remain vulnerable to active exploitation. This discrepancy indicates that agencies either misunderstood the patch requirements or deployed incomplete updates.
CISA emphasizes that agencies must update ALL ASA and Firepower devices to the minimum required software versions, not just public-facing equipment.
Vulnerable software trains include ASA versions 9.12 through 9.22 and Firepower versions 7.0 through 7.6, each requiring specific minimum patch levels.
For ASA devices, the minimum required versions are: 9.12.4.72, 9.14.4.28, 9.16.4.85, 9.18.4.67, 9.20.4.10, and 9.22.2.14. ASA versions 9.17 and 9.19 require migration to supported releases.
Firepower devices must run at least 7.0.8.1, 7.2.10.2, 7.4.2.4, or 7.6.2.1, depending on their current release train. Emergency Directive 25-03 mandates patch deployment within 48 hours of release.
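The "marked patched but still vulnerable" problem comes down to comparing what a device actually reports against the minimum for its release train, not just checking a box in a template. The following is an added example, written for this article and not CISA's or Cisco's tooling: it parses the version out of a banner line, looks up the per-train minimum listed above, flags the 9.17 and 9.19 trains that have no fixed release, and audits a small inventory for devices reported as patched that are not. The banner strings, host names and inventory rows are constructed samples, and the assumed banner formats (ASA "9.16(4)85", FTD dotted "7.2.10.2") are the only thing the parser relies on.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# Minimum fixed releases named in the article, keyed by release train (major, minor).
ASA_MINIMUM: Dict[Tuple[int, int], Version] = {
    (9, 12): (9, 12, 4, 72),
    (9, 14): (9, 14, 4, 28),
    (9, 16): (9, 16, 4, 85),
    (9, 18): (9, 18, 4, 67),
    (9, 20): (9, 20, 4, 10),
    (9, 22): (9, 22, 2, 14),
}
# Trains the article says have no fixed release and must be migrated off.
ASA_MIGRATE = {(9, 17), (9, 19)}
FTD_MINIMUM: Dict[Tuple[int, int], Version] = {
    (7, 0): (7, 0, 8, 1),
    (7, 2): (7, 2, 10, 2),
    (7, 4): (7, 4, 2, 4),
    (7, 6): (7, 6, 2, 1),
}

# Assumed banner formats: ASA prints "9.16(4)85", FTD prints dotted "7.2.10.2".
ASA_STYLE = re.compile(r"(\d+)\.(\d+)\((\d+)\)(\d+)")
DOTTED_STYLE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Version]:
    """Extract the running version from a 'show version' banner line as a 4-tuple."""
    m = ASA_STYLE.search(text)
    if m:
        major, minor, maint, interim = (int(x) for x in m.groups())
        return (major, minor, maint, interim)
    m = DOTTED_STYLE.search(text)
    if m:
        major, minor, maint, interim = m.groups()
        return (int(major), int(minor), int(maint), int(interim or 0))
    return None


def check_version(product: str, text: str) -> Tuple[str, Optional[Version]]:
    """Classify one device against its train's minimum. Returns (status, minimum)."""
    running = parse_version(text)
    if running is None:
        return ("unparseable", None)
    train = running[:2]
    if product == "ASA":
        if train in ASA_MIGRATE:
            return ("migrate", None)
        table = ASA_MINIMUM
    elif product == "FTD":
        table = FTD_MINIMUM
    else:
        raise ValueError(f"unknown product {product!r}")
    minimum = table.get(train)
    if minimum is None:
        # Train not in the article's list: review by hand, never assume it is safe.
        return ("unknown_train", None)
    # Tuple comparison orders 9.16(4)70 below 9.16(4)85 correctly.
    return ("patched" if running >= minimum else "vulnerable", minimum)


# Constructed inventory (not real agency data): the status an agency put in its
# reporting template next to the banner actually captured from the device.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "asa-edge-01", "product": "ASA", "reported": "patched",
     "banner": "Cisco Adaptive Security Appliance Software Version 9.16(4)85"},
    {"host": "asa-edge-02", "product": "ASA", "reported": "patched",
     "banner": "Cisco Adaptive Security Appliance Software Version 9.16(4)70"},
    {"host": "asa-dc-03", "product": "ASA", "reported": "patched",
     "banner": "Cisco Adaptive Security Appliance Software Version 9.18(4)67"},
    {"host": "asa-lab-04", "product": "ASA", "reported": "patched",
     "banner": "Cisco Adaptive Security Appliance Software Version 9.17(1)30"},
    {"host": "ftd-edge-01", "product": "FTD", "reported": "patched",
     "banner": "Cisco Firepower Threat Defense for VMware v7.2.10.2 (build 32)"},
    {"host": "ftd-edge-02", "product": "FTD", "reported": "patched",
     "banner": "Cisco Firepower Threat Defense for VMware v7.4.2.3 (build 1)"},
    {"host": "ftd-int-03", "product": "FTD", "reported": "pending",
     "banner": "Cisco Firepower Threat Defense for VMware v7.0.7 (build 9)"},
]


def audit_inventory(inventory: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Re-derive each device's real status and flag template rows that overstate it."""
    rows: List[Dict[str, object]] = []
    for dev in inventory:
        status, minimum = check_version(dev["product"], dev["banner"])
        rows.append({
            "host": dev["host"],
            "reported": dev["reported"],
            "status": status,
            "minimum": minimum,
            # Reported as patched but not actually at (or above) the train minimum.
            "discrepancy": dev["reported"] == "patched" and status != "patched",
        })
    return rows


def discrepancies(rows: List[Dict[str, object]]) -> List[str]:
    """Hosts whose template says 'patched' while the device says otherwise."""
    return sorted(str(r["host"]) for r in rows if r["discrepancy"])


if __name__ == "__main__":
    for r in audit_inventory(SAMPLE_INVENTORY):
        flag = "  <-- reported patched" if r["discrepancy"] else ""
        print(f"{r['host']:<12} {r['status']:<13} min={r['minimum']}{flag}")
```

Run against the sample, the audit flags asa-edge-02 and ftd-edge-02 (below the minimum interim build on an otherwise correct train) and asa-lab-04 (on a 9.17 train that cannot be patched, only migrated), while ftd-int-03 is vulnerable but honestly reported as pending. Feeding it the real banners from every ASA and FTD device, internal ones included, is the cheapest way to catch the discrepancy CISA found before the compliance report is resubmitted.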
Agencies operating public-facing ASA hardware must execute CISA's Core Dump and Hunt procedures and submit the findings via the Malware Next Gen portal before patching, since upgrading and rebooting the device discards the in-memory evidence the hunt depends on.
Non-compliant agencies must resubmit ED 25-03 compliance reports through CyberScope. CISA will directly contact identified non-compliant agencies to ensure corrective actions are completed immediately.
This enforcement action underscores the critical importance of comprehensive patching strategies across all device categories within federal networks.
The post CISA Warns of Federal Agencies Not Fully Patching Actively Exploited Cisco ASA or Firepower Devices appeared first on Cyber Security News.