CISA issued ED 25-03: Identify and Mitigate Potential Compromise of Cisco Devices on Thursday after Cisco reported new activity the company believes to be from the ArcaneDoor threat actor. The activity targets certain Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) appliances, exploiting zero-day vulnerabilities.
CISA lists two common vulnerabilities and exposures (CVEs): CVE-2025-20333 and CVE-2025-20362. The directive says these must be addressed by 11:59 p.m. Friday.
The directive applies to all federal agencies using these systems, whether on-premises, contracted or cloud-hosted. Agencies must submit forensic core dump files from affected public-facing devices, disconnect unsupported devices and apply software updates to those remaining in service. Agencies are responsible for keeping an inventory of these systems and ensuring they comply with the directive. For systems hosted by FedRAMP-authorized providers, agencies should coordinate with the FedRAMP office; for others, they must work directly with the provider.
“These actions are directed to address the immediate risk, assess compromise and inform analysis of the ongoing threat actor campaign,” the directive states.
According to Cisco’s detailed event response, the company “assesses with high confidence that this new activity is related to the same threat actor as the ArcaneDoor attack campaign that Cisco reported in early 2024. While the vulnerable software is supported across other hardware platforms with different underlying architectures as well as in devices that are running Cisco Secure [FTD] Software, Cisco has no evidence that these platforms have been successfully compromised.”
The directive also sets a second deadline. By Thursday, federal agencies must file a complete inventory of affected devices with CISA, along with mitigation steps taken and the results of forensic analysis. The reporting requirement extends across environments where Cisco ASA or Firepower appliances are in use.
Non-federal agencies may also follow the CISA instructions and submit technical information, although doing so is optional.
Finally, Cisco has added a third vulnerability, CVE-2025-20363, to its advisories and recommends that all customers apply the fixes.