#arcanedoor

Information security
from IT Pro
1 day ago

Cisco ASA customers urged to take immediate action as NCSC, CISA issue critical vulnerability warnings

Critical vulnerabilities in Cisco ASA 5500-X devices enable authenticated attackers to execute arbitrary code, access restricted endpoints, deploy malware, and evade detection.
from The Register
1 day ago

Critical Cisco firewall holes under active attack

The Cybersecurity and Infrastructure Security Agency (CISA) issued an Emergency Directive on Thursday, saying there is "an unacceptable risk" to government systems if Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices are left unpatched. Federal agencies have been given just 24 hours to identify affected kit, check logs for compromise, and apply Cisco's fixes. CISA also warned that any ASA boxes hitting end-of-life on September 30 shouldn't just be patched - they need to be yanked off networks for good.
Information security
from SecurityWeek
1 day ago

Cisco Firewall Zero-Days Exploited in China-Linked ArcaneDoor Attacks

Tracked as CVE-2025-20333 (CVSS score of 9.9) and CVE-2025-20362 (CVSS score of 6.5), the bugs impact the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) software. The issues, Cisco explains, exist because user-supplied input in HTTP(S) requests is not properly validated, allowing a remote attacker to send crafted requests and execute arbitrary code with root privileges or access a restricted URL without authentication.
Information security
from Nextgov.com
1 day ago

CISA issues emergency patching directive for Cisco devices on federal networks

The Cybersecurity and Infrastructure Security Agency is ordering federal agencies to patch Cisco devices that have been exploited by an advanced hacker group, it said in a Thursday alert. The hacking activity targeting the devices "is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution" on various Cisco Adaptive Security Appliances, CISA said. A "zero-day" refers to a software flaw that's being exploited but has not been previously discovered, giving developers zero days to fix it.
Information security