
CISA Updates Guidance on Patching Cisco Devices Targeted in China-Linked Attacks

Federal agencies have reported ASA and FTD devices as ‘patched’ even though they run software versions that remain vulnerable to the attacks.


The US cybersecurity agency CISA has issued a fresh warning on addressing two Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) vulnerabilities exploited in the China-linked ArcaneDoor espionage campaign.

The two bugs, tracked as CVE-2025-20333 and CVE-2025-20362, were discovered in May, after being exploited as zero-days in attacks against government organizations.

As part of the attacks, the threat actor exploited the flaws to deploy malware, execute commands on vulnerable appliances, and likely exfiltrate data.

Impacting the VPN web server of ASA and FTD software, the issues allow attackers to send crafted requests and execute arbitrary code with root privileges, or access a restricted URL without authentication.

Cisco patched the two security defects on September 25, and warned on November 6 that a new variant of the attack causes devices to reload, leading to denial-of-service (DoS).

On September 25, CISA issued Emergency Directive 25-03 (ED 25-03), urging federal agencies to identify within their environments Cisco devices running vulnerable ASA and FTD software versions and immediately apply the patches.


“CISA is directing agencies to account for all Cisco ASA and Firepower devices, collect forensics and assess compromise via CISA-provided procedures and tools, disconnect end-of-support devices, and upgrade devices that will remain in service,” ED 25-03 mandates.

Federal agencies were also required to report to CISA by October 2 a complete inventory of the identified devices, together with the actions taken on each. Some agencies, however, failed to properly patch their appliances, the agency now says.

“CISA identified, through analysis of agency reported data, instances of agencies marking devices as ‘patched’, but which agencies updated to a version of the software that is still vulnerable to the threat activity outlined in the ED,” a November 12 ED 25-03 update reads.

Because some federal agencies could not find the latest software iterations for the affected Cisco devices, CISA has published a list of minimum versions that contain fixes for both CVE-2025-20333 and CVE-2025-20362, as well as fresh guidance on addressing the bugs.
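The failure mode described above is a device being recorded as ‘patched’ after an upgrade to a release that still predates the fix for its train. The following is an added example, not code from the article, CISA or Cisco, of an inventory check that parses Cisco ASA-style version strings (`major.minor(maintenance.interim)`), compares each device's running version against the minimum fixed release for its train, and flags any ‘patched’ claim the version does not support. The minimum-version table and the hostnames are constructed placeholders; substitute the versions CISA and Cisco actually publish.

```python
import re
from typing import List, Tuple

# PLACEHOLDER minimum fixed versions per ASA release train.  These are NOT the
# values from CISA's list; replace them with the published minimum versions.
MIN_FIXED_BY_TRAIN = {
    "9.16": "9.16(4.99)",   # placeholder
    "9.18": "9.18(4.99)",   # placeholder
    "9.20": "9.20(4.99)",   # placeholder
}

# Matches e.g. "9.16(4.67)" or "9.16(4)"; the interim number is optional.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)$")


def parse_asa_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor(maint.interim)' into a tuple of ints so that
    comparisons are numeric (4.100 sorts after 4.99, unlike a string compare)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def train_of(version: str) -> str:
    """The release train is the major.minor pair; fixes are issued per train."""
    major, minor, _, _ = parse_asa_version(version)
    return f"{major}.{minor}"


def assess(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown-train' for one running version.
    A train absent from the table is not assumed safe; it is flagged for review."""
    minimum = MIN_FIXED_BY_TRAIN.get(train_of(version))
    if minimum is None:
        return "unknown-train"
    return "fixed" if parse_asa_version(version) >= parse_asa_version(minimum) else "vulnerable"


def audit(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """inventory rows are (hostname, reported_status, running_version).
    Returns the rows whose 'patched' status is contradicted by the version."""
    findings = []
    for host, reported, version in inventory:
        actual = assess(version)
        if reported == "patched" and actual != "fixed":
            findings.append((host, version, actual))
    return findings


# Constructed sample inventory; hostnames and versions are invented for the demo.
SAMPLE_INVENTORY = [
    ("asa-edge-01", "patched", "9.16(4.99)"),    # meets placeholder minimum
    ("asa-edge-02", "patched", "9.16(4.70)"),    # below minimum: still vulnerable
    ("asa-vpn-03", "patched", "9.20(4.100)"),    # above minimum, numeric compare needed
    ("asa-lab-04", "patched", "9.12(4.50)"),     # train not in table: review it
    ("asa-dc-05", "unpatched", "9.18(4.10)"),    # reported honestly, not a finding
]

if __name__ == "__main__":
    for host, version, status in audit(SAMPLE_INVENTORY):
        print(f"{host}: reported patched but running {version} ({status})")
```

Two design points matter for this kind of check: versions must be compared numerically per component, since a plain string comparison would rank `9.20(4.100)` below `9.20(4.99)`; and a train missing from the minimum-version table is reported as unknown rather than treated as fixed, so devices on end-of-support trains surface for the disconnect-or-upgrade decision the directive calls for.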

“For agencies with ASA or Firepower devices not yet updated to the necessary software versions or devices that were updated after September 26, 2025, CISA recommends additional actions to mitigate against ongoing and new threat activity. CISA urges all agencies with ASAs and Firepower devices to follow [the] guidance,” CISA notes.

Related: Cisco ISE, CitrixBleed 2 Vulnerabilities Exploited as Zero-Days: Amazon

Related: Cisco Patches Critical Vulnerabilities in Contact Center Appliance

Related: China’s Cyber Silence Is More Worrying Than Russia’s Noise, Chief Cybersecurity Strategist Says

Related: Cisco Routers Hacked for Rootkit Deployment


Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
