CISA Issues Emergency Alert to Federal Agencies for Critical Cisco Vulnerabilities

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a powerful Emergency Directive (ED 25-03) to all federal agencies, warning that critical security vulnerabilities found in Cisco equipment (CVE-2025-20333, CVE-2025-20362) "pose unacceptable risk levels to federal information systems," and requiring patch completion within 48 hours. This is not a simple recommendation but a legally binding mandatory order, with CISA warning that actual attacks targeting these vulnerabilities are already underway.

CVE-2025-20333 is a Remote Code Execution (RCE) vulnerability that allows attackers to take over devices from outside, while CVE-2025-20362 is a critical privilege escalation vulnerability that allows elevation to full system control from inside the device. Chained together, they create a worst-case scenario in which the network perimeter is completely breached. Compounding the severity, CISA found that many devices reported as "patched" were in fact still running vulnerable software versions, so attackers could reach exploitable versions while agencies believed they were protected.
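The "reported as patched but still running a vulnerable version" gap above is an inventory-reconciliation problem: the patch flag in an asset database is only as good as the version the device itself reports. The following is an added example, not CISA's or Cisco's tooling, that parses the version string an ASA prints in `show version`, compares it against a per-release-train minimum, and flags records whose inventory status disagrees with the running software. The `FIXED_VERSION_BY_TRAIN` table and the inventory records are constructed placeholders; the real minimum fixed releases for the two CVEs come from the vendor advisory, not from this example.

```python
"""Reconcile an asset inventory's "patched" flag against the software
version an ASA actually reports. Added example; the fixed-version table
and sample inventory below are CONSTRUCTED placeholders."""
import re
from dataclasses import dataclass

# CONSTRUCTED placeholder: first fixed release per major.minor train.
# Replace with the minimums from the vendor advisory for
# CVE-2025-20333 / CVE-2025-20362 before using this for real.
FIXED_VERSION_BY_TRAIN = {
    (9, 16): (9, 16, 4, 90),
    (9, 18): (9, 18, 4, 70),
    (9, 20): (9, 20, 4, 20),
}


def parse_version(text):
    """Return a comparable int tuple from either a dotted string such as
    '9.18.4.22' or the 'Software Version 9.18(4)22' form printed by
    `show version`. Missing trailing components compare as 0."""
    m = re.search(r"Version\s+([\d.()]+)", text)
    core = m.group(1) if m else text
    return tuple(int(n) for n in re.findall(r"\d+", core))


def patch_status(version):
    """'fixed', 'vulnerable', or 'unknown_train' when the release train is
    not in the table (conservatively routed to manual review)."""
    fixed = FIXED_VERSION_BY_TRAIN.get(version[:2])
    if fixed is None:
        return "unknown_train"
    return "fixed" if version >= fixed else "vulnerable"


@dataclass
class Finding:
    host: str
    reported_patched: bool
    running: tuple
    status: str
    verdict: str


def reconcile(inventory):
    """Compare each record's inventory flag with the running version.
    Verdicts: ok, false_patched (flag says patched, device says no),
    unpatched, stale_inventory (device fixed, flag not updated),
    manual_review (train not covered by the table)."""
    findings = []
    for rec in inventory:
        running = parse_version(rec["show_version"])
        status = patch_status(running)
        if status == "fixed":
            verdict = "ok" if rec["reported_patched"] else "stale_inventory"
        elif status == "vulnerable":
            verdict = "false_patched" if rec["reported_patched"] else "unpatched"
        else:
            verdict = "manual_review"
        findings.append(Finding(rec["host"], rec["reported_patched"],
                                running, status, verdict))
    return findings


def needs_action(findings):
    """Everything that is not a clean 'ok' goes on the remediation list."""
    return [f for f in findings if f.verdict != "ok"]


# Constructed sample records; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    {"host": "asa-edge-1", "reported_patched": True,
     "show_version": "Cisco Adaptive Security Appliance Software Version 9.18(4)70"},
    {"host": "asa-edge-2", "reported_patched": True,
     "show_version": "Cisco Adaptive Security Appliance Software Version 9.18(4)22"},
    {"host": "asa-lab-1", "reported_patched": False,
     "show_version": "9.20.4.20"},
    {"host": "asa-old-1", "reported_patched": True,
     "show_version": "Cisco Adaptive Security Appliance Software Version 9.12(4)67"},
]

if __name__ == "__main__":
    for f in reconcile(SAMPLE_INVENTORY):
        ver = ".".join(map(str, f.running))
        print(f"{f.host:12} reported_patched={str(f.reported_patched):5} "
              f"running={ver:12} -> {f.verdict}")
```

The point of the `false_patched` verdict is that it is the only one a dashboard built purely from inventory flags can never show you; it requires pulling the version from the device itself. Routing unknown trains to `manual_review` rather than silently passing them keeps an end-of-life or unlisted release from being counted as clean.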

ED 25-03 requires all federal agencies to update all devices to the latest patches within 48 hours. For internet-exposed ASA devices, it mandates "Core Dump & Hunt" steps 1-3 with submission of collected core dump files to the Malware Next Gen portal. Agencies that operated vulnerable versions must resubmit reports to CyberScope, with CISA conducting direct follow-up verification.

The directive is unusually forceful because it comes immediately after a large-scale intrusion campaign dubbed "Arcane Door," in which attackers exploited Cisco device vulnerabilities to bypass VPN authentication and reach federal agencies' internal networks. The US government has since formally declared that "vulnerabilities in network perimeter equipment are a national security threat." Experts predict this signals three changes: a "patch within 48 hours" norm becoming standard for federal agencies; software supply chain-based verification (SBOM/version validation) being strengthened; and the global security equipment market being required to adopt faster patch distribution, automatic verification, and threat information sharing.