- CISA warns that agencies did not properly patch two actively exploited Cisco firewall vulnerabilities
- CVE-2025-20333 and CVE-2025-20362 were linked to the ArcaneDoor campaign targeting public networks
- Over 32,000 devices remain vulnerable despite emergency directives and patching efforts
The US Cybersecurity and Infrastructure Security Agency (CISA) is warning Federal Civilian Executive Branch (FCEB) agencies that some of them failed to properly patch two key Cisco vulnerabilities that are being actively exploited in the wild.
As a result, these agencies remain at risk of malware, info stealers and possibly even ransomware attacks.
The two vulnerabilities in question are tracked as CVE-2025-20333 and CVE.2025-20362, discovered in the VPN web server for Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) software in September 2025.
Error in patching
At the time, Cisco said both were exploited as zero-days to target 5500-X Series devices with Web Services enabled.
The company emphasized that the attacks were linked to the ArcaneDoor campaign that has been active for years, targeting government networks.
That same day, CISA issued an emergency directive giving federal agencies just 24 hours to fix or stop using the vulnerable software. Normally, when CISA adds a bug to its KEV (Known Exploited Vulnerabilities) catalog, it gives a three-week deadline for patching.
However, it appears that some agencies did not patch their systems properly and therefore remained vulnerable.
“CISA is aware of several organizations that believed they had applied the required updates but had not actually updated to the minimum software version,” the agency said in an updated notice published on November 12, 2025.
“CISA recommends that all organizations confirm that the correct updates are applied. For agencies with ASA or Firepower devices that have not yet been updated to the required software versions or devices that have been updated after September 26, 2025, CISA recommends additional actions to mitigate ongoing and emerging threat activity. CISA urges all agencies with ASAs and Firepower devices to follow this guidance.”
The Shadowserver Foundation is currently tracking around 32,000 vulnerable devices, down from nearly 40,000 a month ago. Progress, but slowly.
Via Bleeping Computer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, video unboxings, and get regular updates from us on WhatsApp also.
