U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring identification, upgrade and disconnection actions for 24 hours for
Public Sector Action
Summary
CISA issued an emergency directive ordering FCEB agencies to find compromised Cisco ASA and FTD instances within 24 hours, tightening federal exposure to the actively exploited flaws. The directive requires agencies to upgrade systems that remain in service and to disconnect end-of-support ASA devices from federal networks by the end of the month. It follows the public exploitation of CVE-2025-20333 and CVE-2025-20362, which can be abused remotely without authentication. With tens of thousands of appliances still exposed, the mandate materially narrows the window for federal compromise.
Related Happenings
Cisco ASA/FTD code execution and authentication bypass flaws (multiple vulnerabilities)
Vulnerability
First: 24.04.2026 20:06
Last: 24.04.2026 20:06
Sources 1
How related:
The flaws, tracked as CVE-2025-20333 and CVE-2025-20362, enable arbitrary code execution and access to restricted URL endpoints associated with VPN access.
About this happening:
**Cisco ASA/FTD** vulnerabilities **CVE-2025-20333** and **CVE-2025-20362** are still under **active exploitation** and can be chained for **unauthenticated remote control** of af...
FIRESTARTER malware on Cisco ASA and FTD devices
Malware Activity
First: 23.04.2026 15:00
Last: 23.04.2026 15:00
Sources 1
About this happening:
CISA has published analysis of **FIRESTARTER**, a malware strain that enables **remote access and control** on **Cisco Firepower** and **Secure Firewall** devices, raising the ris...
Latest development: 24.04.2026 23:34
CISA, NCSC-UK, and Cisco detailed Firestarter persistence on Cisco Firepower and Secure Firewall devices running ASA or FTD software, attributing the backdoor to UAT-4356 and linking the activity to ArcaneDoor. The malware modifies CSP_MOUNT_LIST, stores a copy in /opt/cisco/platform/logs/var/log/svc_samcore.log, restores itself to /usr/bin/lina_cs, and relaunches after termination or reboot; Cisco recommends reimaging and upgrading to fixed releases, or using a cold restart only if reimaging is not possible.
CISA KEV directive for CVE-2026-20133
Public Sector Action
First: 21.04.2026 15:30
Last: 21.04.2026 15:30
Sources 1
About this happening:
On **Monday, April 21, 2026**, **CISA** added **CVE-2026-20133** to the **KEV Catalog** and ordered **FCEB agencies** to secure their networks by **Friday, April 24**. The directi...
Cisco Catalyst SD-WAN Manager information disclosure vulnerability (CVE-2026-20133)
Vulnerability
First: 21.04.2026 15:30
Last: 21.04.2026 15:30
Sources 1
About this happening:
CISA moved **CVE-2026-20133** in **Cisco Catalyst SD-WAN Manager** into its **KEV Catalog**, signaling **active exploitation** against **unpatched devices** and forcing **FCEB age...
CISA KEV listing and FCEB patch order for Ivanti EPMM
Public Sector Action
First: 08.04.2026 21:15
Last: 08.04.2026 21:15
Sources 1
About this happening:
**CISA** added **CVE-2026-1340** to the **KEV Catalog** and ordered **FCEB agencies** to patch **Ivanti Endpoint Manager Mobile (EPMM)** by **Saturday midnight, April 11**, forcin...
Timeline
- 30.09.2025 19:58 · 2 articles · 7mo ago
CISA orders emergency remediation for Cisco ASA and FTD
Legal Policy Action Update
On September 30, 2025, CISA issued an emergency directive for Federal Civilian Executive Branch agencies after active exploitation of CVE-2025-20333 and CVE-2025-20362 on Cisco ASA and Firewall Threat Defense appliances. The directive requires agencies to identify compromised instances within 24 hours, upgrade systems that remain in service, and disconnect end-of-support ASA devices from federal networks by the end of the month. Shadowserver reported more than 48,800 internet-exposed ASA and FTD instances still vulnerable, and the U.K. NCSC said the attackers deployed Line Viper followed by RayInitiator.
- Nearly 50,000 Cisco firewalls vulnerable to actively exploited flaws — www.bleepingcomputer.com — 30.09.2025 19:58
- 04.09.2025 03:00 · 1 article · 8mo ago
GreyNoise warns on suspicious Cisco ASA scans
Detection IoC Update
GreyNoise warned about suspicious scans targeting Cisco ASA devices, with the activity seen as early as late August and treated as a possible indicator of upcoming undocumented flaws in the targeted products.
- Nearly 50,000 Cisco firewalls vulnerable to actively exploited flaws — www.bleepingcomputer.com — 30.09.2025 19:58