- CISA warns that agencies failed to adequately patch two actively exploited Cisco firewall vulnerabilities
- CVE-2025-20333 and CVE-2025-20362 were linked to the ArcaneDoor campaign targeting government networks.
- More than 32,000 devices remain vulnerable despite emergency directives and patching efforts
The US Cybersecurity and Infrastructure Security Agency (CISA) is warning Federal Civil Executive Branch (FCEB) agencies that some of them have failed to adequately patch two major Cisco vulnerabilities that are actively exploited in the wild.
As a result, these agencies remain at risk of malware attacks, data theft, and possibly even ransomware.
The two flaws in question are tracked as CVE-2025-20333 and CVE.2025-20362, discovered in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software in September 2025.
Errors when patching
At the time, Cisco said both were exploited as zero-days to target 5500-X series devices with web services enabled.
The company emphasized that the attacks were related to the ArcaneDoor campaign that has been active for years, going after government networks.
The same day, CISA issued an emergency directive, giving federal agencies just 24 hours to patch or stop using the vulnerable software. Typically, when CISA adds a bug to its catalog of known exploited vulnerabilities (KEV), it gives a three-week deadline to patch it.
However, it appears that some agencies did not properly patch their systems and therefore remained vulnerable.
“CISA is aware of several organizations that believed they had applied the necessary updates but had not actually updated to the minimum software version,” the agency said in an updated notice, published on Nov. 12, 2025.
“CISA recommends that all organizations verify that the correct updates are applied. For agencies with ASA or Firepower devices that are not yet updated to the required software versions or devices that were updated after September 26, 2025, CISA recommends additional actions to mitigate new and ongoing threat activity. CISA encourages all agencies with ASA and Firepower devices to follow this guidance.”
The Shadowserver Foundation is currently tracking around 32,000 vulnerable devices, up from almost 40,000 a month ago. Progress, but slow.
Through beepcomputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Be sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp also.
