
Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities

4 unique sources, 5 articles

Summary


CISA issued Emergency Directive 25-03 to address zero-day vulnerabilities in Cisco Adaptive Security Appliance (ASA) devices exploited by an advanced threat actor linked to the ArcaneDoor campaign. Federal agencies must identify and mitigate affected devices by September 26, 2025. The actor's implants persist through reboots and system upgrades. The directive mandates forensic data collection, device assessment, and either upgrading supported devices or disconnecting end-of-support ones. Cisco has disclosed three vulnerabilities in Cisco ASA and Firepower Threat Defense (FTD) software: CVE-2025-20333 and CVE-2025-20362, which are being chained in active attacks, and CVE-2025-20363, for which Cisco reported no known exploitation at the time of disclosure. Separately, CVE-2025-20352 affects the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software and Cisco IOS XE, allowing authenticated remote code execution and denial of service. The exploited ASA/FTD vulnerabilities have been added to the Known Exploited Vulnerabilities (KEV) catalog, giving federal agencies roughly 24 hours to apply the required mitigations. The directive applies to all Federal Civilian Executive Branch Departments and Agencies. The threat actor's tactics, techniques, and procedures (TTPs) make exploitation and network access straightforward, and CISA urges all organizations using these devices to follow the directive's actions.

Timeline

  1. 25.09.2025 22:22 · 1 article

    Cisco discloses additional zero-day vulnerability CVE-2025-20363 in ASA and FTD software

    CVE-2025-20363 is a critical vulnerability in the web services of Cisco ASA and FTD firewall software and of Cisco IOS-family software that can allow a remote attacker to execute arbitrary code. Cisco's advisory reported no known exploitation of this flaw at the time of disclosure; it was published alongside the two exploited ASA/FTD zero-days (CVE-2025-20333 and CVE-2025-20362) behind the ongoing campaign against Cisco devices and should be patched with them.

  2. 25.09.2025 15:00 · 5 articles

    CISA issues Emergency Directive 25-03 for Cisco ASA zero-day vulnerabilities

    The directive mandates forensic data collection and assessment of affected devices by September 26, 2025, and applies to all Federal Civilian Executive Branch Departments and Agencies. The exploited vulnerabilities have been added to the Known Exploited Vulnerabilities (KEV) catalog, giving federal agencies roughly 24 hours to apply the required mitigations. The threat actor's TTPs make exploitation and network access straightforward, and the resulting access persists through reboots and system upgrades.

    The threat actor has been linked to the ArcaneDoor campaign, which exploited two earlier ASA and FTD zero-days (CVE-2024-20353 and CVE-2024-20359) from November 2023 onward. Those attacks deployed the previously unknown Line Dancer in-memory shellcode loader and the Line Runner backdoor. The UAT4356 threat group (tracked as STORM-1849 by Microsoft) had been developing exploits for those two zero-days since at least July 2023. The Australian Signals Directorate, Australian Cyber Security Centre, Canadian Centre for Cyber Security, UK National Cyber Security Centre, and CISA assisted in investigating the zero-day attacks.

    Cisco observed the threat actor modifying ROMMON to persist across reboots and software upgrades. The actor also employed advanced evasion techniques such as disabling logging, intercepting CLI commands, and intentionally crashing devices to prevent diagnostic analysis. In the current campaign, the new vulnerabilities are chained to bypass authentication and execute malicious code on susceptible appliances. The attacks targeted ASA 5500-X Series devices with VPN web services enabled, specifically the 5512-X, 5515-X, 5525-X, 5545-X, 5555-X, and 5585-X models running Cisco ASA Software releases 9.12 or 9.14; these models do not support Secure Boot and Trust Anchor technologies.

    Separately, CVE-2025-20352 affects at least 2 million devices, according to Trend Micro's Zero Day Initiative. It allows an authenticated remote attacker with high-privilege credentials to execute code as root and take full control of the device, while low-privilege credentials suffice to trigger a denial of service. The flaw also affects Meraki MS390 and Cisco Catalyst 9300 Series Switches running Meraki CS version 17 or earlier.

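The directive's first step is an inventory: which ASA devices match the targeting described above (end-of-support 5500-X models, the 9.12/9.14 trains, VPN web services enabled), and which IOS/IOS XE devices expose SNMP credentials that CVE-2025-20352 requires. The script below is an added example, not CISA's or Cisco's tooling, and not code from any of the cited articles. It parses text an operator has already captured from each device (`show version` and `show running-config`); the sample outputs are constructed to mirror the usual ASA and IOS formats, the model and train criteria are taken from the page's description of the attacks rather than from Cisco's official affected-product list, and the function names are this example's own.

```python
"""Inventory triage for the Cisco ASA and IOS exposures described above.

Added example (not CISA/Cisco tooling). Inputs are the captured text of
'show version' and 'show running-config'; the samples at the bottom are
constructed for illustration, not taken from real devices.
"""
import re
from dataclasses import dataclass, field

# Assumed criteria, drawn from the page: the 5500-X models the campaign hit
# (no Secure Boot / Trust Anchor) and the ASA trains the attacks targeted.
TARGETED_MODELS = {"ASA5512", "ASA5515", "ASA5525", "ASA5545", "ASA5555", "ASA5585"}
TARGETED_TRAINS = {"9.12", "9.14"}


@dataclass
class AsaFinding:
    hostname: str
    model: str
    version: str
    webvpn_enabled: bool
    reasons: list = field(default_factory=list)

    @property
    def action(self) -> str:
        # The directive's split as the page describes it: end-of-support
        # hardware is disconnected, everything else is upgraded.
        if self.model in TARGETED_MODELS:
            return "disconnect"
        return "patch" if self.reasons else "review"


def parse_show_version(text: str):
    """Return (model, full version string, major.minor train) from 'show version'."""
    m_ver = re.search(r"Software Version (\d+\.\d+)\(([^)]+)\)(\S*)", text)
    m_hw = re.search(r"^Hardware:\s+(ASA\d{4})", text, re.M)
    if not (m_ver and m_hw):
        raise ValueError("software version or hardware line not found")
    train = m_ver.group(1)
    return m_hw.group(1), f"{train}({m_ver.group(2)}){m_ver.group(3)}", train


def webvpn_enabled(running_config: str) -> bool:
    """True if the top-level 'webvpn' block enables the service on an interface."""
    in_block = False
    for line in running_config.splitlines():
        if line and not line[0].isspace():  # a new top-level command
            in_block = line.strip() == "webvpn"
        elif in_block and line.strip().startswith("enable "):
            return True
    return False


def assess_asa(hostname: str, show_version: str, running_config: str) -> AsaFinding:
    model, version, train = parse_show_version(show_version)
    f = AsaFinding(hostname, model, version, webvpn_enabled(running_config))
    if model in TARGETED_MODELS:
        f.reasons.append("end-of-support 5500-X model without Secure Boot / Trust Anchor")
    if train in TARGETED_TRAINS and f.webvpn_enabled:
        f.reasons.append(f"ASA {train} with VPN web services enabled")
    return f


def snmp_communities_without_acl(ios_config: str) -> list:
    """IOS/IOS XE community strings not bound to an access list.

    CVE-2025-20352 needs valid SNMP credentials, so a community string that
    any source address can use is the exposure to hunt first.
    """
    found = []
    for line in ios_config.splitlines():
        m = re.match(r"snmp-server community (\S+)(?: view \S+)? (RO|RW)(?: (\S+))?$",
                     line.strip())
        if m and m.group(3) is None:
            found.append((m.group(1), m.group(2)))
    return found


# Constructed sample captures (not real devices).
ASA_VERSION = """Cisco Adaptive Security Appliance Software Version 9.12(4)50
Device Manager Version 7.14(1)
Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
"""
ASA_CONFIG = """hostname edge-fw
interface GigabitEthernet0/0
 nameif outside
webvpn
 enable outside
 anyconnect enable
"""
IOS_CONFIG = """snmp-server community public RO
snmp-server community n3tm0n RW 10
snmp-server community ro-view view mib2 RO 20
"""

if __name__ == "__main__":
    finding = assess_asa("edge-fw", ASA_VERSION, ASA_CONFIG)
    print(finding.hostname, finding.model, finding.version, finding.action, finding.reasons)
    print("SNMP communities without ACL:", snmp_communities_without_acl(IOS_CONFIG))
```

Run it against the captures for every ASA in the estate and sort by `action`; a "disconnect" result is the directive's end-of-support case, a "patch" result is a supported device that still matches the campaign's targeting, and a "review" result only means the page's narrow criteria did not fire, not that the device is unaffected by the advisories.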


Similar Happenings

Continuous Threat Exposure Management (CTEM) prioritization and validation

Continuous Threat Exposure Management (CTEM) is a cybersecurity approach that emphasizes prioritization and validation of threats. Unlike traditional vulnerability management, which struggles with the sheer volume of alerts and false positives, CTEM focuses on identifying and addressing the most critical exposures that pose real risks to an organization. This approach involves ranking vulnerabilities based on actual business impact and validating them against the specific environment to ensure that defenses are effective. CTEM is designed to address the limitations of traditional methods by incorporating adversarial exposure validation (AEV) technologies. These technologies, including Breach and Attack Simulation (BAS) and Automated Penetration Testing, help security teams understand which vulnerabilities are exploitable and how effective their current defenses are. By continuously validating exposures, organizations can shift from a reactive to a proactive security posture, focusing on what truly matters. The Picus BAS Summit 2025 will highlight the role of BAS and AI in shaping the future of security validation, providing insights from industry leaders and practitioners.

Critical authentication bypass vulnerabilities in Wondershare RepairIt expose user data and AI models

Two critical authentication bypass vulnerabilities in Wondershare RepairIt, an AI-powered data repair and photo editing application, were disclosed. These flaws expose private user data and AI models and could allow attackers to execute arbitrary code on customers' endpoints. The vulnerabilities, CVE-2025-10643 and CVE-2025-10644, have CVSS scores of 9.1 and 9.4, respectively. The issues stem from overly permissive cloud access tokens embedded in the application's code, which grant read and write access to sensitive cloud storage. The data is stored without encryption, and the exposed storage holds AI models, software binaries, container images, scripts, and company source code, so the exposure could facilitate supply chain attacks and AI model tampering. Trend Micro researchers reported the vulnerabilities to Wondershare in April 2025 but received no response before publication. Users are advised to restrict interaction with the product until a fix is available.

Supermicro BMC Firmware Vulnerabilities Allow Firmware Tampering

Two new vulnerabilities in Supermicro Baseboard Management Controller (BMC) firmware allow attackers to bypass verification steps and update the system with malicious firmware. The flaws, CVE-2025-7937 and CVE-2025-6198, stem from weaknesses in the firmware verification logic that let an attacker evade the Root of Trust (RoT) security feature. They could give an attacker persistent control over the BMC and, through it, the main server OS, with reliable bypass of the platform's security checks. The issues were discovered by Binarly and affect multiple Supermicro products. Both arise from improper verification of cryptographic signatures, which allows an attacker to redirect the firmware update process to fake tables and load malicious images. Supermicro has released firmware fixes for impacted models, and Binarly has released proof-of-concept exploits for both issues.

Command Injection Vulnerability in Libraesva ESG Exploited by State Actors

Libraesva released an emergency patch for a command injection vulnerability in its Email Security Gateway (ESG) solution. The flaw, tracked as CVE-2025-59689, allows arbitrary command execution via a maliciously crafted email attachment. It carries a CVSS score of 6.1, indicating medium severity. State-sponsored actors exploited the vulnerability in at least one confirmed incident. The bug affects all versions from 4.5 onwards. Libraesva ESG is used by thousands of businesses and over 200,000 users worldwide. The patch includes a sanitization fix, an automated scan for indicators of compromise, and a self-assessment module. The vendor emphasized the need for quick remediation given the targeted nature of the attacks.

GeoServer RCE Vulnerability Exploited in Federal Agency Breach

Attackers breached a U.S. federal agency's network in July 2024 by exploiting an unpatched GeoServer instance. The vulnerability (CVE-2024-36401) allowed remote code execution, enabling lateral movement and data exfiltration. The breach remained undetected for three weeks until an Endpoint Detection and Response (EDR) tool flagged suspicious activity. The attackers used web shells, scripts for remote access, brute force techniques for lateral movement and privilege escalation, and exploited multiple vulnerabilities. The breach highlights the importance of timely patching, continuous monitoring of EDR alerts, and robust incident response plans. CISA has urged organizations to expedite patching critical vulnerabilities and strengthen incident response plans.