- CISA warns agencies failed to properly patch two actively exploited Cisco firewall vulnerabilities
- CVE-2025-20333 and CVE-2025-20362 were linked to the ArcaneDoor campaign targeting government networks
- Over 32,000 devices remain vulnerable despite emergency directives and patching efforts
The US Cybersecurity and Infrastructure Security Agency (CISA) is warning Federal Civilian Executive Branch agencies (FCEB) that some of them failed to properly patch two important Cisco vulnerabilities being actively exploited in the wild.
As a result, these agencies continue to be at risk of malware, infostealer, and possibly even ransomware attacks.
The two flaws in question are tracked as CVE-2025-20333, and CVE.2025-20362, discovered in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) software in September 2025.
Mistakes in patching
At the time, Cisco said that both were exploited as zero-days to target 5500-X Series devices with web services enabled.
The company stressed the attacks were linked to the ArcaneDoor campaign that’s been active for years, going after government networks.
The same day, CISA issued an emergency directive, giving federal agencies just 24 hours to patch up or stop using the vulnerable software. Usually, when CISA adds a bug to its Known Exploited Vulnerabilities (KEV) catalog, it gives a three-week deadline for patching.
However, it seems that some agencies did not properly patch their systems up and thus remained vulnerable.
“CISA is aware of multiple organizations that believed they had applied the necessary updates but had not in fact updated to the minimum software version,” the agency said in an updated advisory, published on November 12, 2025.
“CISA recommends all organizations verify the correct updates are applied. For agencies with ASA or Firepower devices not yet updated to the necessary software versions or devices that were updated after September 26, 2025, CISA recommends additional actions to mitigate against ongoing and new threat activity. CISA urges all agencies with ASAs and Firepower devices to follow this guidance.”
The Shadowserver Foundation currently tracks around 32,000 vulnerable devices, down from almost 40,000 a month ago. Progress, but slow.
Via BleepingComputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
