Cisco firewall infrastructure

On paper, this story should have been over in September.

Cisco shipped fixes. CISA published an Emergency Directive. Agencies reported compliance. Another pair of zero-days closed.

Instead, weeks later, CISA is back with a sharper message: federal networks are still at risk, attackers are still inside the kill chain, and some agencies never actually left it.

This isn’t just a patching reminder. It’s a live-fire exercise in how fragile our perimeter assumptions have become.

The Flaws That Turn Firewalls Into Entry Points

Two vulnerabilities sit at the center of CISA’s latest warning:

  • CVE-2025-20362 – An authentication bypass that allows remote access to restricted URL endpoints on Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices.
  • CVE-2025-20333 – A remote code execution (RCE) flaw on the same platforms.

Alone, each is bad. Chained, they are the nightmare scenario: unauthenticated, remote, full device compromise on widely deployed perimeter firewalls.

Cisco patched both in September 2025, confirming they had been used as zero-days against 5500-X Series devices with VPN web services enabled. The company tied the exploitation to the ArcaneDoor campaign—the same cluster associated with earlier firewall-focused zero-days (CVE-2024-20353 and CVE-2024-20359) used to breach government networks since late 2023.

The pattern is now unmistakable: state-backed operators are systematically targeting network edge devices—firewalls, VPN concentrators, security appliances—not just as a pivot point, but as strategic, long-lived footholds.

CISA’s Emergency Directive: 24 Hours to Fix What You Thought You Fixed

The same day Cisco shipped fixes, CISA issued Emergency Directive 25-03, giving U.S. Federal Civilian Executive Branch (FCEB) agencies 24 hours to:

  1. Patch vulnerable Cisco ASA and Firepower devices to a secure, minimum version.
  2. Apply fixes to all devices, not just Internet-exposed ones.
  3. Harden configurations and validate remediation.

That should have been the end of it. But CISA’s latest bulletin reveals a more troubling reality:

“CISA is aware of multiple organizations that believed they had applied the necessary updates but had not in fact updated to the minimum software version.”

In other words, agencies:

  • Updated to incorrect or still-vulnerable releases, then marked devices as patched.
  • Potentially left management or internal-only appliances unpatched, assuming lower risk.
  • Underestimated an adversary explicitly shown to go after edge infrastructure.

CISA now confirms active exploitation of these vulnerable versions within FCEB environments.

30,000+ Devices Still in the Blast Radius

Internet telemetry from Shadowserver has tracked:

  • >45,000 exposed Cisco devices vulnerable to these flaws in early October.
  • Still >30,000 vulnerable devices as of this week.

While that number is trending downward, the residual exposure is substantial—and that’s just what’s visible on the public Internet. Misconfigured or unpatched internal devices can be equally valuable to attackers once they’ve gained any initial access.

For defenders, the technical takeaway is blunt: reachability is not the only risk dimension. A compromised internal firewall or VPN node is a trust anchor turned traitor.

Why Smart Teams Get This Wrong

The failures CISA is calling out are not beginner mistakes; they’re systemic ones that experienced teams repeatedly make under pressure:

  1. Version misalignment: Teams patch to "a newer" version, not the minimum secure version specified in the directive or advisory.
  2. Inconsistent inventory: CMDBs, device exports, and reality drift apart. Some nodes never get touched.
  3. Perimeter bias: Only Internet-facing devices are prioritized, despite CISA’s explicit language to patch all ASA/Firepower instances.
  4. No cryptographic verification: Firmware and image integrity checks are skipped; compromise of the update channel would go unnoticed.
  5. No post-patch validation: No automated control to confirm: "This device now runs a non-vulnerable build and exposes no legacy endpoints."

This is how an org can confidently report "patched" while an adversary quietly confirms "still exploitable."

What Practitioners Should Do Now (Beyond "Apply the Patch")

If you operate Cisco ASA/FTD—whether in government, finance, SaaS, or telecom—treat this as a blueprint, not a federal-only warning.

1. Verify Exact Versions, Don’t Assume

Pull authoritative data programmatically:

# Example: collect versions via SSH (pseudo-script)
for host in $(cat asa_hosts.txt); do
  ssh -o BatchMode=yes $host 'show version | include Version' \
    | awk -v h=$host '{print h "," $3}'
done > asa_versions.csv

Map each device against Cisco’s advisory matrix. Anything below the fixed build is a priority-1 incident, not a backlog ticket.

2. Audit for ArcaneDoor-Style Tradecraft

Given the ArcaneDoor association, look specifically for:

  • Unrecognized configuration changes on ASA/FTD.
  • Unknown or stale admin accounts.
  • Unexpected VPN profiles, NAT rules, or ACLs.
  • Outbound connections from firewall management interfaces to unfamiliar hosts.

If a device was exposed and running a vulnerable version, assume compromise until disproven. That means forensic imaging and rebuild, not blind trust in an in-place upgrade.

3. Treat Internal Firewalls as Tier-0 Assets

CISA’s directive to patch all ASA/Firepower devices is a quiet but critical signal: internal segmentation gateways are now Tier-0 infrastructure. Recommendations:

  • Enforce strict admin access: MFA, Just-In-Time (JIT), and hardware-backed credentials.
  • Centralize configuration and upgrade orchestration to avoid "islands" of outdated firmware.
  • Continuously monitor for config drift and anomalous control plane behavior.

4. Build Verification Into Change Management

Integrate explicit checks into your pipelines:

  • Failing a change if the post-upgrade version is not in the "known-good" list.
  • Logging and alerting if a device reports an unapproved or unexpected build.
  • Using configuration compliance tools (e.g., Terraform + policy-as-code, or NAPALM/Ansible audits) to ensure consistency.

In mature environments, "we thought it was patched" should be an impossible state.

The Strategic Shift: Firewalls as a Prime Intelligence Target

The Cisco ASA/Firepower incidents, ArcaneDoor, and the parallel targeting of other vendors’ firewalls and mobile endpoints (including the LandFall spyware campaign CISA flagged this week) all point to the same strategic reality:

  • Perimeter devices are no longer passive guards. They are high-value intelligence platforms with decryption visibility, VPN credentials, and network topology insight.
  • Exploiting them early yields durable, stealthy access. A compromised firewall is both backdoor and blindfold.
  • Nation-state actors have fully industrialized this playbook. The edge is not a side quest; it is the mission.

For technical leaders, this changes the threat model:

  • You can’t treat firewall patching as a quarterly event.
  • You can’t treat device inventory as "good enough" if it’s wrong by 5–10%.
  • You can’t assume "inside" devices are low priority.

The organizations that adapt will operationalize this into continuous verification: of versions, configs, identities, and telemetry. The ones that don’t will read about themselves in the next incident roundup.

When Compliance Collides With Reality

CISA’s discovery that "patched" agencies were running vulnerable builds is more than an administrative embarrassment. It exposes a dangerous gap between reported compliance and actual security posture.

That gap is where adversaries live longest.

For security teams and infrastructure engineers, the message is unforgiving but useful: don’t optimize for passing the spreadsheet test. Optimize for the moment an operator with a zero-day exploit kit points it at your edge device—and finds nothing left to break.

Source: BleepingComputer – CISA warns feds to fully patch actively exploited Cisco flaws