- CISA Warns Agencies Failed to Properly Patch Two Actively Exploited Cisco Firewall Vulnerabilities
- CVE-2025-20333 and CVE-2025-20362 were related to the ArcaneDoor campaign targeting government networks
- More than 32,000 devices remain vulnerable despite emergency directives and patching efforts.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning federal Civilian Executive Branch (FCEB) agencies that some of them have failed to properly patch two significant Cisco vulnerabilities actively exploited in the wild.
As a result, these agencies continue to be at risk of malware attacks, information thieves, and perhaps even ransomware.
The two flaws in question are tracked as CVE-2025-20333 and CVE.2025-20362, discovered in the Web VPN server of Cisco Secure Firewall Adaptive Security Appliance (ASA) software and Cisco Secure Firewall Threat Defense (FTD) software in September 2025.
Errors in patches
At the time, Cisco said both were being leveraged as Zero Days to target 5500-X series devices with web services enabled.
The company stressed that the attacks were linked to the ArcaneDoor campaign, which has been active for years, targeting government networks.
The same day, CISA issued an emergency directive, giving federal agencies just 24 hours to patch or stop using the vulnerable software. Usually, when CISA adds a bug to its catalog of known exploited vulnerabilities (KEV), it gives a three-week deadline for patching.
However, it appears that some agencies did not properly update their systems and therefore remained vulnerable.
“CISA is aware of several organizations that believed they had applied the necessary updates but had not in fact updated to the minimum version of the software,” the agency said in an updated advisory, published November 12, 2025.
“CISA recommends that all organizations verify that the correct updates are applied. For agencies with ASA or Firepower devices that have not yet been updated with the necessary software versions or for devices that were updated after September 26, 2025, CISA recommends additional actions to mitigate ongoing and new threat activities. CISA urges all agencies with ASA and Firepower devices to follow this guidance.”
The Shadowserver Foundation is currently tracking around 32,000 vulnerable devices, up from almost 40,000 a month ago. Progress, but slow.
Via BeepComputer
The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds. Make sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp Also.
