Your network's security is at stake, and the clock is ticking. The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical warning to U.S. federal agencies: two actively exploited vulnerabilities in Cisco's Adaptive Security Appliances (ASA) and Firepower devices are putting their systems at risk. But here's where it gets even more alarming—despite the urgency, some agencies have failed to properly patch these flaws, leaving their networks exposed to ongoing attacks.
These vulnerabilities, identified as CVE-2025-20362 and CVE-2025-20333, are no small matter. The first allows remote attackers to access restricted URL endpoints without authentication, while the second enables them to execute code on vulnerable Cisco firewall devices. When combined, these flaws can grant unauthenticated attackers complete control over unpatched devices—a nightmare scenario for any organization. And this is the part most people miss: these vulnerabilities have been linked to the ArcaneDoor campaign, which has been exploiting similar flaws to breach government networks since November 2023.
Cisco itself warned customers in September that these vulnerabilities were being exploited as zero-days in attacks targeting 5500-X Series devices with VPN web services enabled. The company also highlighted the ArcaneDoor campaign's use of two other zero-day bugs (CVE-2024-20353 and CVE-2024-20359) to infiltrate government networks. The situation is so dire that CISA issued Emergency Directive 25-03, mandating federal agencies to secure their Cisco firewall devices within 24 hours against the active exploitation of these flaws.
Internet monitoring platform Shadowserver is tracking over 30,000 Cisco devices still vulnerable to these attacks, down from more than 45,000 when they first began monitoring in early October. But the fact remains: many devices are still at risk. CISA has noted that some organizations mistakenly believe they’ve applied the necessary updates but have not, in fact, updated to the minimum software version required to mitigate these threats. This oversight leaves their networks dangerously exposed.
To address this, CISA has released new guidance to help federal agencies secure their networks against attacks chaining these vulnerabilities. The agency emphasizes that Emergency Directive 25-03 requires immediate patching of all ASA and Firepower devices, not just those exposed to the internet, to block incoming attacks and reduce breach risks. This week, CISA also ordered agencies to patch Samsung devices against a critical vulnerability used in zero-day attacks deploying LandFall spyware and to secure WatchGuard Firebox firewalls against an actively exploited remote code execution flaw.
But here’s the controversial part: Why are so many organizations still struggling to patch known vulnerabilities? Is it a lack of resources, oversight, or simply the complexity of managing large-scale networks? And what does this say about the broader state of cybersecurity in government agencies? We’d love to hear your thoughts in the comments.
As we head into budget season, the 2026 CISO Budget Benchmark report offers valuable insights. Over 300 CISOs and security leaders have shared their strategies for planning, spending, and prioritizing in the year ahead. This report compiles their expertise, allowing readers to benchmark their own strategies, identify emerging trends, and compare priorities as they navigate the challenges of 2026. Learn how top leaders are turning investment into measurable impact and securing their organizations against evolving threats.
