CISA Directs Federal Agencies to Identify and Mitigate Potential Compromise of Cisco Devices

Today, CISA issued Emergency Directive ED 25-03: Identify and Mitigate Potential Compromise of Cisco Devices to address vulnerabilities in Cisco Adaptive Security Appliances (ASA) and Cisco Firepower devices. CISA has added vulnerabilities CVE-2025-20333 and CVE-2025-20362 to the Known Exploited Vulnerabilities Catalog.

The Emergency Directive requires federal agencies to identify, analyze, and mitigate potential compromises immediately. Agencies must:

Identify all instances of Cisco ASA and Cisco Firepower devices in operation (all versions).
Collect and transmit memory files to CISA for forensic analysis by 11:59 p.m. EST Sept. 26.

For detailed guidance, including additional actions tailored to each agency’s status, refer to the full Emergency Directive ED 25-03.

The following associated resources are available to assist agencies.

Supplemental Direction ED 25-03: Core Dump and Hunt Instructions
Eviction Strategies Tool with a Cisco ASA Compromise template to assemble a comprehensive eviction plan with distinct countermeasures for containment and eviction which can be tailored to individual network owners’ specific needs.
Known Exploited Vulnerabilities Catalog
Cisco Security Advisories:
United Kingdom National Cyber Security Centre (NCSC):
- NCSC warns of persistent malware campaign targeting Cisco devices
- Malware Analysis Report: RayInitiator & LINE VIPER

Although ED 25-03 and the associated supplemental guidance are directed to federal agencies, CISA urges all public and private sector organizations to review the Emergency Directive and associated resources and take steps to mitigate these vulnerabilities.

This product is provided subject to this Notification and this Privacy & Use policy.

CISA Directs Federal Agencies to Identify and Mitigate Potential Compromise of Cisco Devices

Please share your thoughts