Federal agencies given one day to patch exploited Cisco firewall bugs
CISA has issued an emergency directive requiring federal agencies to patch the Cisco firewall vulnerabilities CVE-2025-20333 and CVE-2025-20362. Both high-risk flaws are already being exploited, and Cisco has released patches. Agencies must inspect their devices, collect evidence and upgrade systems. The attacks may come from state-sponsored threat actors. 2025-9-25 18:31:2 Author: therecord.media

Federal civilian agencies will have to take a range of actions by Friday evening to address flaws affecting Cisco firewall products that are being exploited by “an advanced threat actor.”

The Cybersecurity and Infrastructure Security Agency (CISA) released an emergency directive ordering all federal civilian agencies to patch CVE-2025-20333 and CVE-2025-20362, two vulnerabilities impacting Cisco Adaptive Security Appliances (ASA).

CISA Acting Director Madhu Gottumukkala said federal agencies must take “immediate action due to the alarming ease with which a threat actor can exploit these vulnerabilities, maintain persistence on the device, and gain access to a victim’s network.”

“The same risks apply to any organizations using these devices. We strongly urge all entities to adopt the actions outlined in this Emergency Directive,” he added.

CVE-2025-20333 carries a severity score of 9.9 out of 10 and CVE-2025-20362 has a score of 6.5. Hackers have been seen chaining the two bugs together during attacks, according to CISA. 

ASA is a popular product line among governments and large businesses because it consolidates several different security tasks into a single appliance. In addition to being firewalls, the appliances also prevent some intrusions, handle spam, conduct antivirus checks and more. 

Cisco released patches for the bugs on Thursday, and federal civilian agencies have to take a range of actions that include checking if firewall devices have been compromised. 

“CISA is directing agencies to account for all Cisco ASA and Firepower devices, collect forensics and assess compromise via CISA-provided procedures and tools, disconnect end-of-support devices, and upgrade devices that will remain in service,” CISA said.

Canadian officials also said the campaign has involved the “deployment of highly sophisticated malware” and has been aimed at large organizations.  

Alongside advisories on both vulnerabilities, Cisco published a lengthy study on the attacks exploiting the bugs, assessing with high confidence that the campaign is tied to the same hackers behind the ArcaneDoor campaign discovered last year.

According to CISA, the hackers are sophisticated and have found ways to gain access to ASAs before manipulating devices so that their access persists through reboots and system upgrades. 

Cisco previously said the ArcaneDoor attacks uncovered last year were part of a campaign by state-sponsored threat actors.

At the time, Cisco declined to say what country was behind the incident but Wired, which first reported on the campaign, said sources told them it “appears to be aligned with China's state interests.”

Cisco and CISA did not respond to requests for comment about who is behind exploitation of CVE-2025-20333 and CVE-2025-20362 or what kind of organizations are being attacked.

5500-X Series devices

Cisco said in its report on the campaign that it worked with multiple government agencies in May 2025 to investigate attacks targeting the ASA 5500-X Series devices running Cisco Secure Firewall ASA Software with VPN web services.

The tech giant said it dedicated a specialized team to work on the investigation and eventually discovered a memory corruption bug in the product software.

“Attackers were observed to have exploited multiple zero-day vulnerabilities and employed advanced evasion techniques such as disabling logging … and intentionally crashing devices to prevent diagnostic analysis,” Cisco explained. 
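The logging-disablement and crash-to-evade behaviour Cisco describes is something a defender can watch for in the firewall's own syslog feed. The following is an added illustration, not code from Cisco, CISA or the article: a small Python triage over constructed ASA-style syslog lines that flags audited CLI commands which switch logging off and devices that unexpectedly go quiet. The message IDs 111008 and 111010 are Cisco ASA command-audit IDs; the sample lines, hostnames, addresses and timestamps are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed ASA-style syslog lines for illustration only; hostnames, IPs and
# timestamps are invented, not taken from the article or any real device.
SAMPLE_LOG = """\
2025-09-24T10:00:05 fw-edge-1 %ASA-6-302013: Built inbound TCP connection 1001
2025-09-24T10:00:35 fw-edge-1 %ASA-6-302013: Built inbound TCP connection 1002
2025-09-24T10:01:02 fw-edge-1 %ASA-5-111010: User 'admin', running 'CLI' from IP 10.0.0.5, executed 'no logging enable'
2025-09-24T10:45:00 fw-edge-1 %ASA-6-302013: Built inbound TCP connection 1003
2025-09-24T10:00:10 fw-dc-2 %ASA-6-302013: Built inbound TCP connection 2001
2025-09-24T10:00:40 fw-dc-2 %ASA-6-302013: Built inbound TCP connection 2002
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) %ASA-\d-(?P<msgid>\d+): (?P<body>.*)$")
CMD_RE = re.compile(r"executed '(?P<cmd>[^']+)'")
CMD_AUDIT_IDS = {"111008", "111010"}  # ASA messages that record operator CLI commands
# Command prefixes that reduce or erase the device's own audit trail.
LOGGING_KILL = ("no logging enable", "no logging host", "no logging trap", "clear logging")

def parse(log_text):
    # Turn raw syslog text into event dicts; lines that do not match are skipped.
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                           "msgid": m["msgid"], "body": m["body"]})
    return events

def find_logging_disabled(events):
    """Return (host, time, command) for each audited command that turns logging off."""
    hits = []
    for e in events:
        if e["msgid"] in CMD_AUDIT_IDS:
            m = CMD_RE.search(e["body"])
            if m and m["cmd"].startswith(LOGGING_KILL):
                hits.append((e["host"], e["ts"], m["cmd"]))
    return hits

def find_silence_gaps(events, max_gap=timedelta(minutes=15)):
    """Return (host, last_seen, gap) where a normally chatty device went quiet."""
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e["ts"])
    gaps = []
    for host, times in by_host.items():
        times.sort()
        for earlier, later in zip(times, times[1:]):
            if later - earlier > max_gap:
                gaps.append((host, earlier, later - earlier))
    return gaps
```

A device that stops reporting right after a logging command, as fw-edge-1 does in the sample, is a candidate for the forensic collection the directive calls for rather than a routine outage ticket.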

Cisco noted that it has only seen the hackers maintain their access after reboots and software upgrades on ASA 5500-X Series platforms. 

The company said the specific models affected include the 5585-X, which stopped receiving support on May 31, 2023, as well as the 5512-X and 5515-X, which stopped receiving support on August 31, 2022.

Support for 5525-X, 5545-X, and 5555-X ends on September 30 this year. 

Cisco provided troves of advice for customers to follow if they own these devices. If compromises are found or suspected, Cisco said “all configuration elements of the device should be considered untrusted.” 

“Cisco recommends that all configurations – especially local passwords, certificates, and keys – be replaced after the upgrade to a fixed release,” the company said. 

“This is best achieved by resetting the device to factory defaults after the upgrade to a fixed release using the configure factory-default command in global configuration mode and then reconfiguring the device with new passwords, certificates, and keys from scratch.”

Cisco noted that it worked with CISA and the cybersecurity bureaus of Canada, Australia and the U.K. on the investigation into the bugs. 

“This is a critical moment for Canadian organizations,” said Rajiv Gupta, head of the Canadian Centre for Cyber Security. “Threat actors are targeting legacy systems with increasing sophistication. I urge all critical infrastructure sectors to act swiftly.”


Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.


Source: https://therecord.media/cisco-asa-firewall-bugs-cisa-federal-agencies-warning