.png)
2 hours ago
2
The Cybersecurity and Infrastructure Security Agency (CISA) on Nov. 12 issued additional guidance on an emergency directive (ED) it issued on Sept. 25 for federal agencies to mitigate two actively exploited bugs in Cisco ASA firewalls.
The two security flaws — CVE-2025-20362, a 6.5 privilege escalation bug, and CVE-2025-20333, a 9.9 remote execution flaw — were actively exploited well before CISA issued the directive in September.
Following the Sept. 25 directive, SC Media reported Nov. 4 that researchers from Unit 42 found that the China-linked threat group Storm-1849 — also known as ArcaneDoor — was observed targeting vulnerable Cisco ASA firewalls throughout most of the month of October.
Even with all the warnings from government and industry researchers, CISA said many organizations had actually not updated to the minimum requirements while believing they applied the necessary patches.
Heath Renfrow, co-founder and chief information security officer at Fenix24, said the continued exploitation of Cisco ASA appliances underscores a simple truth the security industry is learning the hard way: edge devices are now primary targets, not secondary infrastructure. Renfrow said these appliances sit at the intersection of trust, connectivity, and control — making them incredibly valuable to nation-state actors who want persistent access and reconnaissance opportunities inside high-value networks.
“Organizations need to immediately verify whether their ASA appliances are running supported software, confirm patches have been applied and validate config integrity,” said Renfrow. “Patching alone isn’t enough — assume compromise and perform full credential hygiene and log review. Edge devices are too often treated as ‘set and forget’ today they must be monitored with the same rigor as endpoints and identity systems.”
James Maude, Field CTO at BeyondTrust, added that organizations that have not patched the ASA firewalls or suspect they may have been targeted, should review their Cisco configurations in-depth and ideally reset to factory defaults, resetting passwords, keys, and certificates before reconfiguring.
“This is in line with Cisco’s earlier advice, which highlighted a number of sophisticated evasion techniques used by the threat actors to disable logging and evade detection,” said Maude. “Given the role of these devices in not only providing firewall capabilities, but also a level of spam filtering and anti-virus protection, the danger of compromise is substantial."
Damon Small, a board member at Xcape, Inc., said teams should treat these vulnerabilities as a high-priority breach: immediately patch to the latest releases, disable WebVPN if unused, gather memory and packet captures for indicators of compromise, rotate credentials and tokens, and confirm the absence of malware or unauthorized configurations.
Small added that teams should also scrutinize logs carefully as malicious actors hide in crash dumps and custom web modules. And, conduct targeted threat hunts before closing any incident reports.
WatchGuard flaw added to KEV
CISA also added CVE-2025-9242 to the KEV yesterday, a critical 9.3 out-of-bounds write WatchGuar flaw, which Small said reflects a similar risk: edge appliances with exposed management interfaces or outdated firmware are vulnerable.
“Update firmware, disable internet-facing admin access, enforce multi-factor authentication and admin access control lists, and verify the system isn't infected with legacy malware from previous attacks,” said Small. “Finally, teams should integrate KEV due dates into service-level agreements and require vendors and managed service providers to confirm patch compliance.”
