
As of September 26, 2025, CISA’s ED 25‑03 mandates immediate action to identify and mitigate potential compromise of Cisco ASA and Firepower devices amid an active campaign chaining CVE‑2025‑20362 (missing authorization) with CVE‑2025‑20333 (RCE). Cisco also disclosed CVE‑2025‑20363 (web services RCE) across ASA/FTD and IOS families. Patching is available. CISA set aggressive deadlines: core dump submissions and urgent upgrades by September 26, 2025, and full inventories by October 2, 2025. [1][8] (cisa.gov)
Overview
CISA reported a widespread exploitation campaign against Cisco ASA appliances that uses zero‑days to achieve unauthenticated RCE and to modify the ROM Monitor (ROMMON) boot firmware for persistence across reboots and upgrades, tactics consistent with prior ArcaneDoor activity. The directive names CVE‑2025‑20333 (RCE) and CVE‑2025‑20362 (authorization bypass) as posing an “unacceptable risk” and mandates that federal agencies follow a strict hunt, reporting, and patch path. [1] (cisa.gov)
Cisco’s investigation (initiated with multiple government IR partners in May 2025) identified attackers exploiting ASA Clientless SSL VPN (WebVPN) paths; advanced evasion included disabling logging, intercepting CLI commands, and deliberately crashing devices to thwart diagnostics. Cisco observed ROMMON modification on legacy ASA 5500‑X hardware lacking Secure Boot/Trust Anchor, assessed this activity as linked to ArcaneDoor, and released fixes for CVE‑2025‑20333 and CVE‑2025‑20362 along with a fix for the broader web‑services RCE (CVE‑2025‑20363). [3][8] (sec.cloudapps.cisco.com)
CISA’s supplemental direction sets investigative guardrails: confirm that the checkheaps run counter is still advancing, avoid tab‑autocomplete (which the attackers have hooked to crash the device), collect core dumps in the prescribed order, and upload artifacts through CISA’s Malware Next‑Gen portal. It also describes the path‑normalization and heap‑overflow behaviors defenders should hunt for in WebVPN telemetry. [2] (cisa.gov)
Independent reporting underscores urgency and federal timelines, with coverage noting links to ArcaneDoor tradecraft and an emphasis on perimeter-edge device exposure. [9] (reuters.com)
Impact
- Remote code execution on ASA/FTD can yield full device compromise (root on the appliance), enabling traffic interception, lateral movement, credential theft, and policy manipulation at the network edge. [6][8] (nvd.nist.gov)
- On older ASA 5500‑X platforms, ROMMON manipulation provides boot‑level persistence that survives reboots and software upgrades, complicating eviction and extending attacker dwell time. [3] (sec.cloudapps.cisco.com)
- CISA classifies the risk as “significant,” requiring immediate action across FCEB agencies with hard deadlines for triage, core dump submissions, upgrades, and decommissioning of end‑of‑support hardware. [1] (cisa.gov)
Affected Products & Versions
- Confirmed targeted platforms in this campaign
  - Cisco ASA 5500‑X models without Secure Boot/Trust Anchor, specifically the 5512‑X, 5515‑X, 5525‑X, 5545‑X, 5555‑X, and 5585‑X, running ASA 9.12 or 9.14 with WebVPN enabled; ROMMON modifications were observed on these. Note the end‑of‑support dates (e.g., 5525‑X/5545‑X/5555‑X reach end of support on September 30, 2025). [3] (sec.cloudapps.cisco.com)
- Vulnerabilities addressed September 25, 2025
  - CVE‑2025‑20333 (ASA/FTD VPN Web Server RCE), Critical 9.9. [6] (nvd.nist.gov)
  - CVE‑2025‑20362 (ASA/FTD VPN Web Server Missing Authorization), Medium 6.5. [4] (sec.cloudapps.cisco.com)
  - CVE‑2025‑20363 (Web Services RCE across ASA/FTD/IOS families), Critical 9.0; no current evidence of in‑the‑wild exploitation. [8] (sec.cloudapps.cisco.com)
- Fixed software availability
  - Cisco has provided first‑fixed releases per branch for ASA and FTD in the September 25 advisories; Cisco strongly recommends upgrading to the fixed releases listed and referenced in “Continued Attacks Against Cisco Firewalls.” [3] (sec.cloudapps.cisco.com)
Exposure & Exploitability
- Primary vector: ASA Clientless SSL VPN (WebVPN) on internet‑exposed devices; path normalization flaw enables access to restricted endpoints (20362), which can be chained to trigger RCE via WebVPN file‑upload handling (20333). [2][4][6] (cisa.gov)
- Broader risk: Cisco published a separate multi‑product web‑services RCE (20363). Even absent observed exploitation, exposure is high where HTTP(S) management/VPN services are public‑facing. [8] (sec.cloudapps.cisco.com)
- Persistence: On certain legacy ASA 5500‑X, adversaries modified ROMMON for reboot‑resilient persistence; Cisco says Secure Boot/Trust Anchor platforms have shown no such persistence in this campaign. [3] (sec.cloudapps.cisco.com)
Detection & Telemetry
SOC teams should combine on‑device CLI checks, ASA/FTD syslog telemetry, and network sensor data:
- Immediate hunt actions (per CISA ED 25‑03 supplemental)
  - Run “show checkheaps” twice ≥5 minutes apart; a non‑increasing “Total number of runs” is suspicious. Avoid tab‑autocomplete and unprescribed remediation to prevent anti‑forensics triggers. [2] (cisa.gov)
  - Execute “more /binary system:/text | grep 55534154 41554156 41575756 488bb3a0”; any output indicates compromise. Collect and upload core dumps precisely as directed. [2] (cisa.gov)
- Platform‑specific indicators and behaviors (from Cisco analysis)
  - Suppressed or missing ASA syslogs; intercepted CLI commands; intentional device crashes during analysis; presence of disk0:/firmware_update.log after upgrading to fixed images (indicates ROMMON persistence was detected and removed). [3] (sec.cloudapps.cisco.com)
- MITRE ATT&CK mappings
  - Initial Access: Exploit Public‑Facing Application (T1190); Valid Accounts (T1078) if credentials are abused post‑bypass. Defense Evasion/Persistence: Modify System Image: Patch System Image (T1601.001) and Pre‑OS Boot: Bootkit (T1542.003) and ROMMONkit (T1542.004). [3][10][11] (sec.cloudapps.cisco.com)
- Network analytics wishlist
  - Abnormal WebVPN POSTs/GETs to clientless SSL endpoints; spikes in HTTP 500/404 near WebVPN paths; large or atypical uploads; anomalous geovelocity on VPN user sessions; sudden logging gaps; unexpected ROMMON version changes during uptime windows. [2][3] (cisa.gov)
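The following is an added example, not code from CISA or Cisco, that turns the two hunt checks above (the paired “show checkheaps” captures and the memory grep) and two of the network‑analytics items (sudden logging gaps, 4xx/5xx bursts on clientless SSL VPN paths) into small triage functions. Every input in it is a constructed sample: the checkheaps text, the syslog lines and the common‑log‑format access lines only approximate the shape of real ASA and proxy output, so the regexes are assumptions to adjust against what your own appliance and log pipeline actually emit. The “/+CSCOE+/” and “/+webvpn+/” prefixes are the clientless WebVPN URL paths; the hostnames, usernames and addresses are placeholders.

```python
"""Triage helpers for the ED 25-03 hunt checks and for WebVPN telemetry review.

Added example, not CISA's or Cisco's code. Every input below is a constructed
sample in the general shape of ASA output and web access logs; the exact field
layout on a real appliance may differ, so adjust the regexes accordingly.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hunt step 1: "show checkheaps" twice, >= 5 minutes apart. Constructed captures;
# the only field the check needs is "Total number of runs".
CHECKHEAPS_T0 = """Checkheaps stats from buffer validation runs
--------------------------------------------
Time elapsed since last run   : 41 secs
Duration of last run          : 0 millisecs
Total number of runs          : 13532
"""
CHECKHEAPS_T1_HEALTHY = CHECKHEAPS_T0.replace("13532", "13538")
CHECKHEAPS_T1_STALLED = CHECKHEAPS_T0  # counter did not move: suspicious
_RUNS_RE = re.compile(r"Total number of runs\s*:\s*(\d+)")

def checkheaps_runs(output: str) -> int:
    """Extract the 'Total number of runs' counter from a show checkheaps capture."""
    match = _RUNS_RE.search(output)
    if match is None:
        raise ValueError("'Total number of runs' line not found; capture the full output")
    return int(match.group(1))

def checkheaps_suspicious(first: str, second: str) -> bool:
    """The counter must increase between the two captures; non-increasing is the signal."""
    return checkheaps_runs(second) <= checkheaps_runs(first)

def memory_grep_hit(grep_output: str) -> bool:
    """Hunt step 2: for 'more /binary system:/text | grep ...', any non-empty output line is a hit."""
    return any(line.strip() for line in grep_output.splitlines())

# Telemetry review: logging gaps. Constructed ASA-style syslog lines, no real IoCs.
SYSLOG = """\
Sep 25 2025 10:00:05 asa-edge %ASA-6-302013: Built inbound TCP connection
Sep 25 2025 10:00:31 asa-edge %ASA-6-716001: Group <vpn> User <alice> IP <203.0.113.7> WebVPN session started
Sep 25 2025 10:01:10 asa-edge %ASA-6-302014: Teardown TCP connection
Sep 25 2025 10:47:02 asa-edge %ASA-6-302013: Built inbound TCP connection
"""
_SYSLOG_TS_RE = re.compile(r"^(\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) ")
DEFAULT_GAP = timedelta(minutes=30)  # assumed threshold; tune to the device's normal log rate

def logging_gaps(syslog_text: str, max_gap: timedelta) -> list[tuple[datetime, datetime]]:
    """Return (last_seen, next_seen) pairs where the device went silent for longer
    than max_gap; a busy edge device going quiet matches the 'logging disabled'
    behaviour Cisco describes."""
    stamps = []
    for line in syslog_text.splitlines():
        m = _SYSLOG_TS_RE.match(line)
        if m:
            stamps.append(datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S"))
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > max_gap]

# Telemetry review: 4xx/5xx bursts on clientless SSL VPN paths. Constructed
# common-log-format lines, as a proxy or load balancer in front of the ASA might write.
ACCESS_LOG = """\
203.0.113.7 - - [25/Sep/2025:10:00:31 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 2312
198.51.100.9 - - [25/Sep/2025:10:02:01 +0000] "GET /+webvpn+/index.html HTTP/1.1" 404 0
198.51.100.9 - - [25/Sep/2025:10:02:02 +0000] "POST /+webvpn+/index.html HTTP/1.1" 500 0
198.51.100.9 - - [25/Sep/2025:10:02:03 +0000] "POST /+CSCOE+/portal.html HTTP/1.1" 500 0
198.51.100.9 - - [25/Sep/2025:10:02:04 +0000] "POST /+CSCOE+/portal.html HTTP/1.1" 500 0
203.0.113.7 - - [25/Sep/2025:10:03:00 +0000] "GET /+CSCOE+/portal.html HTTP/1.1" 200 8801
"""
_CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')
WEBVPN_PREFIXES = ("/+CSCOE+/", "/+webvpn+/")
DEFAULT_WINDOW = timedelta(minutes=1)  # assumed burst window

def webvpn_error_bursts(access_log: str, window: timedelta, threshold: int) -> dict[str, int]:
    """Report clients that produce >= threshold 4xx/5xx responses on WebVPN paths
    inside any sliding window of length `window`, with the peak count seen."""
    per_client = defaultdict(list)
    for line in access_log.splitlines():
        m = _CLF_RE.match(line)
        if not m:
            continue
        client, ts, path, status = m.groups()
        if path.startswith(WEBVPN_PREFIXES) and status[0] in "45":
            per_client[client].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for client, times in per_client.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[client] = max(flagged.get(client, 0), end - start + 1)
    return flagged
```

Feed `checkheaps_suspicious` the two raw captures you took at least five minutes apart; on the constructed samples the stalled capture is flagged and the healthy one is not, `logging_gaps(SYSLOG, DEFAULT_GAP)` returns the single 45‑minute silence, and `webvpn_error_bursts(ACCESS_LOG, DEFAULT_WINDOW, 3)` flags the one client that produced four errors inside a minute. The gap and burst thresholds are deliberately parameters: a quiet branch firewall and a busy headquarters edge have very different baselines, and the directive's signal is a change from the device's own normal, not an absolute number.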
Mitigations & Patching/Workarounds
- Follow ED 25‑03 required actions immediately:
  - Inventory all ASA/FTD instances, collect core dumps on public‑facing ASA hardware, submit to CISA by the stated deadlines; disconnect compromised devices without powering off; decommission end‑of‑support ASA hardware by September 30, 2025; upgrade remaining ASA/FTD and apply subsequent updates within 48 hours of release. [1] (cisa.gov)
- Vendor patching
  - Upgrade to fixed ASA/FTD releases addressing CVE‑2025‑20333 and CVE‑2025‑20362 and apply the broader CVE‑2025‑20363 fix. If WebVPN is not required, disable it (“no webvpn”) pending upgrades. After remediation, replace local passwords, certs, and keys; when feasible, factory‑reset and rebuild configurations. [3][4][8] (sec.cloudapps.cisco.com)
- Configuration hardening
  - Restrict management/VPN exposure to trusted networks; enforce MFA and per‑user logs for VPN; ensure Secure Boot/Trust Anchor‑capable hardware for long‑term resilience. [3] (sec.cloudapps.cisco.com)
Timeline
- April 24, 2024: Cisco discloses ArcaneDoor campaign targeting ASA/FTD; related CVEs from 2024 addressed. [12] (attack.mitre.org)
- May 2025: Cisco engages with government IR partners on new ASA attacks; investigation begins. [3] (sec.cloudapps.cisco.com)
- September 25, 2025:
  - Cisco publishes advisories for CVE‑2025‑20333 (RCE), CVE‑2025‑20362 (auth bypass), and CVE‑2025‑20363 (web‑services RCE). [4][8][6] (sec.cloudapps.cisco.com)
  - CISA issues ED 25‑03 and supplemental Core Dump & Hunt instructions. [1][2] (cisa.gov)
- September 26, 2025: first ED 25‑03 deadline, with core dumps and urgent upgrades due by 11:59 PM EDT; reporting and inventory due by October 2, 2025. [1] (cisa.gov)
References
- CISA Emergency Directive ED 25‑03: Identify and Mitigate Potential Compromise of Cisco Devices (September 25, 2025) (cisa.gov)
- CISA Supplemental Direction ED 25‑03: Core Dump and Hunt Instructions (September 25, 2025) (cisa.gov)
- Cisco Event Response: Continued Attacks Against Cisco Firewalls (Version 1, September 25, 2025) (sec.cloudapps.cisco.com)
- Cisco Advisory: ASA/FTD VPN Web Server Unauthorized Access (CVE‑2025‑20362) (September 25, 2025) (sec.cloudapps.cisco.com)
- Cisco Detection Guide for Continued Attacks against Cisco Firewalls (ArcaneDoor) (September 25, 2025) (sec.cloudapps.cisco.com)
- NVD Entry: CVE‑2025‑20333 (ASA/FTD VPN Web Server RCE) (September 25, 2025) (nvd.nist.gov)
- NVD Entry: CVE‑2025‑20363 (Web Services RCE across ASA/FTD/IOS families) (September 25, 2025) (nvd.nist.gov)
- Cisco Advisory: Web Services RCE in ASA/FTD/IOS/IOS XE/IOS XR (CVE‑2025‑20363) (September 25, 2025) (sec.cloudapps.cisco.com)
- The Hacker News: Cisco ASA Firewall Zero‑Day Exploits Deploy RayInitiator and LINE VIPER Malware (September 26, 2025) (thehackernews.com)
- MITRE ATT&CK: Modify System Image (T1601.001) and Pre‑OS Boot (T1542.*) (attack.mitre.org)
- Reuters: US sounds alarm over hackers targeting Cisco security devices (September 25, 2025) (reuters.com)