CISA has issued Emergency Directive ED 25-03 ordering federal agencies to urgently hunt for and mitigate potential compromises of Cisco Adaptive Security Appliance (ASA) and Cisco Firepower devices after adding two Cisco VPN‑server vulnerabilities — CVE‑2025‑20333 (a VPN web‑server remote code execution) and CVE‑2025‑20362 (a VPN web‑server unauthorized‑access issue) — to its Known Exploited Vulnerabilities Catalog; agencies are required to inventory affected devices and collect and transmit memory/core dump files to CISA for forensic analysis by 11:59 p.m. EST on September 26, 2025.
Background / Overview
Cisco ASA and Firepower appliances have been repeatedly targeted by sophisticated actor campaigns over the past 18 months, and vendor advisories plus international incident reports show a steady pattern of exploitation and memory‑resident backdoors that evade typical file‑based detection. Public reporting and incident advisories from multiple defenders have documented espionage-focused campaigns that abuse WebVPN and Remote Access VPN features to achieve information‑exfiltration, persistent access, and stealthy in‑memory implants. CISA’s Emergency Directive (ED 25‑03) and the linked supplemental instructions (Core Dump and Hunt Instructions) are explicit: federal civilian agencies must identify every instance of Cisco ASA and Firepower devices in use, perform a sequence of forensic checks, collect memory/text segment dumps and zipped core dumps, and upload those artifacts to CISA’s Malware Next‑Gen (MNG) portal within the ED’s deadline. The directive is mandatory for federal civilian agencies and strongly recommended for non‑federal organizations.
What ED 25‑03 requires — the essentials
- Identify all Cisco ASA and Firepower devices on agency networks (all versions).
- Run the prescribed device checks and collect outputs (commands such as show checkheaps, show tech‑support details, and a binary grep to look for implant signatures).
- Generate and collect a core dump and the system:memory/text segment (CISA provides step‑by‑step commands).
- Upload the core dump and artifacts to CISA’s Malware Next‑Gen (MNG) portal; agencies must register for MNG/login.gov if not already enrolled.
- Submit artifacts to CISA by 11:59 p.m. EST, September 26, 2025.
Technical context: the vulnerabilities and the attacker tradecraft
CVE‑2025‑20333 and CVE‑2025‑20362 — what CISA says
CISA’s alert identifies CVE‑2025‑20333 as a VPN web‑server remote code execution vulnerability and CVE‑2025‑20362 as a VPN web‑server unauthorized‑access vulnerability — both tied to Cisco Secure Firewall ASA and Secure Firewall Threat Defense (FTD) products. These entries were added to CISA’s Known Exploited Vulnerabilities Catalog, signaling observed or suspected exploitation in the wild and prioritizing defensive action.
Why memory artifacts matter
Past campaigns against Cisco ASA/Firepower devices — documented in vendor analyses and national‑CERT reports — have used a two‑stage approach: an initial exploitation of VPN/web services to gain execution and then deployment of a memory‑only implant (a webshell or in‑memory loader) that avoids disk artifacts and persists through unconventional mechanisms. These implants often hook core dump and debug functionality to suppress evidence, making immediate and careful forensic collection critical. The supplemental CISA guidance explicitly warns that deviation from the collection steps can trigger anti‑forensics behaviors that destroy evidence.
Versions and vulnerable code paths
CISA’s supplemental direction notes that the exploit chain leverages a URL path‑normalization bypass in Clientless SSL VPN/WebVPN endpoints and a heap buffer overflow in the WebVPN file‑upload handler. Importantly, the guidance states that software releases after certain build numbers (for example, versions after 9.17.1.40, 9.18.4.41, 9.19.1.32, and 9.20+) are not vulnerable to the overflow because the vulnerable handler was removed. Operators must therefore correlate device firmware/ASA versions carefully when triaging exposure.
Step‑by‑step: what CISA tells agencies to collect (summary)
CISA’s supplemental direction is procedural and prescriptive. The high‑level steps are:
- Collect device metadata (model, serial number, ASA/FTD version, uptime, ROMMON).
- Run baseline commands and save outputs off‑box:
  - show checkheaps (and verify periodic increments)
  - show tech‑support details
  - a binary grep for artifact hex sequences linked to the implant (CISA provides the specific grep).
- Prepare and force a core dump (note: generating the core dump will cause an immediate device reload).
  - Commands: enable coredump on a filesystem (usually disk:0) and run crashinfo force page‑fault.
- Copy the zipped core dump to an external host or removable media (SCP/FTP/TFTP or disk copy options are provided).
- Collect the text segment memory dump (verify SHA‑512 on device, copy via SCP, recompute hash after transfer).
- Upload artifacts to CISA Malware Next‑Gen (MNG) portal (requires login.gov and MNG registration).
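The hash step above (record SHA‑512 on the device, copy the artifact off‑box, recompute after transfer) is where chain of custody is either established or lost. The script below is an added example written for this article, not CISA’s or Cisco’s tooling: it streams the local copy through SHA‑512, compares it with the digest the operator pasted from the device console, and writes a custody record beside the artifact. The dump bytes and the device‑side hash line used in `demo()` are constructed; the console wording (`verify /sha-512 (...) = <digest>`) is an assumption, and only the 128‑hex‑character digest is actually parsed, so any console wording works.

```python
"""Confirm a collected artifact (zipped core dump or text-segment dump) survived
transfer intact, and write a chain-of-custody record for it.

Added example for this article; it is not CISA's or Cisco's tooling. It assumes
the operator pasted the SHA-512 line the device printed into device_hash_line;
the dump bytes and the device-side hash line used in demo() are constructed."""
import datetime
import hashlib
import hmac
import json
import os
import re
import tempfile


def parse_device_hash_line(line: str):
    """Pull the 128-hex-character SHA-512 out of whatever the device console
    printed. Only the digest is matched, so the surrounding wording does not matter."""
    m = re.search(r"([0-9a-fA-F]{128})", line)
    return m.group(1).lower() if m else None


def sha512_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so multi-hundred-megabyte dumps do not need to fit in RAM."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_transfer(path: str, device_hash_line: str, device_name: str, collector: str) -> dict:
    """Recompute the hash locally and compare it with the device's value.
    Returns a custody record suitable for storing beside the artifact."""
    expected = parse_device_hash_line(device_hash_line)
    actual = sha512_file(path)
    verified = expected is not None and hmac.compare_digest(expected, actual)
    return {
        "artifact": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "source_device": device_name,
        "collected_by": collector,
        "verified_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "sha512_device": expected,
        "sha512_local": actual,
        "verified": verified,
    }


def write_custody_record(record: dict, directory: str) -> str:
    """Persist the record as JSON next to the artifact; returns the record path."""
    out = os.path.join(directory, record["artifact"] + ".custody.json")
    with open(out, "w") as f:
        json.dump(record, f, indent=2)
    return out


def make_constructed_dump(directory: str) -> str:
    """Constructed stand-in for a transferred core dump (not real ASA content)."""
    path = os.path.join(directory, "coredump-example.tar.gz")
    with open(path, "wb") as f:
        f.write(bytes(range(256)) * 4096)  # 1 MiB of deterministic filler
    return path


def demo() -> dict:
    """Run a matching and a deliberately mismatched comparison; returns both records."""
    with tempfile.TemporaryDirectory() as d:
        path = make_constructed_dump(d)
        # Simulated device output: in practice this line is copied from the ASA console.
        good_line = ("verify /sha-512 (disk0:/coredumpfsys/coredump-example.tar.gz) = "
                     + sha512_file(path))
        # Flip the last hex digit to model a device/local disagreement (altered or truncated copy).
        bad_line = good_line[:-1] + ("0" if good_line[-1] != "0" else "1")
        match = verify_transfer(path, good_line, "fw-example-edge1", "analyst@example")
        write_custody_record(match, d)
        mismatch = verify_transfer(path, bad_line, "fw-example-edge1", "analyst@example")
        return {"match": match, "mismatch": mismatch}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A record whose `verified` field is false means the copy must be re‑transferred before upload; uploading an artifact whose hash does not match what the device reported gives analysts nothing they can trust. `hmac.compare_digest` is used only out of habit for comparing digests; the digests are not secret here.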
Why this is urgent: operational and national security risk
- Edge firewalls and VPN concentrators are high‑value gateways: they see aggregated ingress/egress traffic and often hold configuration and credential material that can enable lateral movement. Compromise of ASA/Firepower devices can yield access to internal networks, configuration snapshots, and command‑execution paths. Multiple national CERTs and vendor teams have documented targeted campaigns exploiting WebVPN/ASA vulnerabilities to install persistent backdoors and exfiltrate device configurations.
- Memory‑only implants and anti‑forensics: attackers who operate in‑memory implants (and who deliberately hook core dump/debug code) reduce detection chances and destroy forensic trails when standard recovery steps are taken incorrectly. That makes prompt, coordinated, and precise collection critical to both detection and remediation. CISA’s instructions aim to preserve volatile evidence for central analysis.
- Observed exploitation and intelligence: CISA’s placement of the two CVEs in its Known Exploited Vulnerabilities Catalog is an explicit signal that exploitation has been observed or credibly reported; combined with independent reporting and vendor telemetry, the risk profile is elevated beyond theoretical vulnerabilities.
Practical guidance for public‑ and private‑sector operators
While ED 25‑03 binds federal civilian agencies, non‑federal organizations should treat CISA’s directive as urgent guidance. Below is an operational checklist tailored for network defenders:
- Inventory and prioritize
  - Identify all Cisco ASA and Firepower devices on the estate (management IPs, firmware versions, exposure to the internet).
  - Prioritize devices that expose WebVPN/Remote Access VPN services or have accessible management interfaces.
- Short‑term containment (if compromise is suspected)
  - Isolate suspected devices from high‑value networks; avoid remediation steps that may trigger anti‑forensics (follow CISA’s order of operations if using their collection method).
  - If you must disrupt a suspicious device immediately (e.g., active exfiltration), document every action and capture pre‑remediation screenshots/logs.
- Forensic collection (if you have expertise)
  - Follow CISA’s command sequence where applicable and save outputs off‑box to an isolated host.
  - Collect core dumps and system:memory/text segments and compute SHA‑512 hashes.
  - If you are not confident in executing these steps safely, engage a qualified incident response partner or contact CISA via their reporting channels.
- Patching and configuration
  - Apply vendor‑provided fixes and upgrades as soon as possible, paying attention to Cisco advisories for these CVEs and the specific ASA/FTD builds that remediate the vulnerabilities.
  - If WebVPN is not required, disable it pending patching; otherwise, restrict access with robust ACLs and VPN client restrictions.
- Detection and monitoring
  - Search existing logs for indicators of compromise (IOCs) and anomalous WebVPN file‑upload activity, configuration downloads, or unexpected core dump operations.
  - Deploy network‑level egress filters, and monitor for unusual outbound connections from firewalls to attacker infrastructure.
- Engage vendors and authorities
  - Notify Cisco or your vendor channel, and coordinate with law enforcement/incident response if compromise impacts critical infrastructure or involves data exfiltration.
  - Federal agencies must send artifacts to CISA; non‑federal entities should consider submitting suspicious artifacts to CISA’s MNG or coordinating with their ISAC/sector partners.
Red flags and detection tips (technical indicators)
- show checkheaps output not incrementing as expected (a likely indicator of tampering with background processes).
- Presence of the byte sequences that CISA lists in the supplemental instruction grep (running the provided binary grep and seeing any output is an immediate red flag).
- Unexpected core dump behavior: inability to write core dumps, missing expected files after a forced crash, or strange filenames in disk0:/coredumpfsys/.
- Unexplained configuration dumps or “show configuration” being generated or exfiltrated to unknown destinations.
- Outbound connections to suspicious IPs during times when firewall sessions are not expected — especially HTTP/S traffic originating from the firewall itself.
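The first red flag above (and the “verify periodic increments” step in the collection sequence) is easy to misjudge by eye, because a single capture of `show checkheaps` proves nothing; the run counter has to be compared across two captures taken a known interval apart. The script below is an added example written for this article, not CISA’s or Cisco’s code: it parses two captures, computes how many validation runs occurred between them, and reports `stalled`, `slow` or `ok`. The two captures are constructed in the column layout Cisco documents for the command, and the field names (`Total number of runs`, `Time elapsed since last run`) are taken from that documented layout; confirm them against your own device output. The configured checkheaps interval is supplied by the operator, not read from the capture.

```python
"""Compare two captures of the ASA 'show checkheaps' output and flag a run
counter that has stopped advancing.

Added example for this article; not CISA's or Cisco's code. The captures are
constructed in the documented layout; field names are assumed from that layout."""
import re

# Constructed baseline capture.
CAPTURE_BASELINE = """\
Checkheaps stats from buffer validation runs
--------------------------------------------
Time elapsed since last run     :    22 secs
Duration of last run            :  0 millisecs
Number of buffers created       :  8082
Number of buffers allocated     :  7808
Number of buffers free          :  274
Total memory in use             :  43570224 bytes
Total memory in free buffers    :  1001680 bytes
Total number of runs            :  310
"""

# Constructed follow-up taken ~5 minutes later, healthy: five more runs happened.
CAPTURE_LATER_OK = CAPTURE_BASELINE.replace("Total number of runs            :  310",
                                            "Total number of runs            :  315")

# Constructed follow-up, stalled: run counter unchanged and no run for over five minutes.
CAPTURE_LATER_STALLED = CAPTURE_BASELINE.replace(":    22 secs", ":   322 secs")

RUNS = "Total number of runs"
ELAPSED = "Time elapsed since last run"


def parse_checkheaps(text: str) -> dict:
    """Turn each 'label : number [unit]' line into {label: int}; other lines are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)", line)
        if m:
            fields[m.group(1).strip()] = int(m.group(2))
    return fields


def assess_checkheaps(before_text: str, after_text: str,
                      gap_seconds: int, check_interval_seconds: int) -> dict:
    """Compare two captures taken gap_seconds apart.

    check_interval_seconds is the checkheaps interval configured on the device
    (operator-supplied). The expected number of new runs is
    gap_seconds // check_interval_seconds, with one run of slack for timing jitter."""
    before, after = parse_checkheaps(before_text), parse_checkheaps(after_text)
    for key in (RUNS, ELAPSED):
        if key not in before or key not in after:
            return {"status": "unparsed", "missing_field": key}
    delta = after[RUNS] - before[RUNS]
    expected_min = max(gap_seconds // check_interval_seconds - 1, 1)
    result = {
        "runs_before": before[RUNS],
        "runs_after": after[RUNS],
        "runs_delta": delta,
        "runs_expected_min": expected_min,
        "elapsed_after_s": after[ELAPSED],
        # Secondary signal: the device itself reports no run for longer than two intervals.
        "elapsed_exceeds_interval": after[ELAPSED] > 2 * check_interval_seconds,
    }
    if delta <= 0:
        # Red flag from the article: preserve evidence per CISA's sequence before any remediation.
        result["status"] = "stalled"
    elif delta < expected_min:
        result["status"] = "slow"  # fewer runs than the interval predicts; re-sample and investigate
    else:
        result["status"] = "ok"
    return result


if __name__ == "__main__":
    for name, later in (("ok", CAPTURE_LATER_OK), ("stalled", CAPTURE_LATER_STALLED)):
        print(name, assess_checkheaps(CAPTURE_BASELINE, later, gap_seconds=300,
                                      check_interval_seconds=60))
```

Save both raw captures off‑box alongside the result; the raw text is the evidence, the script only speeds up the comparison. A `stalled` result is a reason to move to CISA’s collection sequence, not a reason to reload or “clean” the device.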
Attribution and the intelligence picture — what’s known (and what isn’t)
Multiple reports from Cisco Talos, national CERTs, and security press indicate that nation‑state or state‑linked cyber actors have targeted Cisco perimeter devices for espionage, with implants such as “Line Dancer” and “Line Runner” (names used in prior disclosures) being memory‑resident or Lua‑based webshells used for stealthy access. Those investigations identified WebVPN attack paths and zero‑day exploitation chains that enable in‑memory payloads and persistence. While some reporting attributes these operations to specific nation‑state groups, attribution in these campaigns is nuanced; defenders should prioritize containment and recovery irrespective of threat actor attribution.
Cautionary note: public attribution can be contested and often relies on telemetry, tradecraft patterns, and intelligence that is not fully public. Treat attributional claims as context, not as a mitigation plan; act on technical detection and containment first.
Key strengths and potential risks of CISA’s approach — critical analysis
Strengths
- Rapid centralization of forensic analysis: By mandating artifact upload to MNG, CISA can perform centralized, consistent triage and issue cross‑agency intelligence on indicators, improving detection across the federal enterprise. The supplemental instructions are technically precise, reducing ambiguity for on‑the‑ground responders.
- Legal and operational urgency: An ED has the force of law for federal civilian agencies, pushing timely action where bureaucratic delay would otherwise impede response.
- Practical device‑level actions: The guidance provides specific commands and carefully sequenced steps crafted to avoid anti‑forensic triggers—this level of tactical prescriptiveness is rare in federal advisories and is appropriate given the observed threat actor behaviors.
Risks and limitations
- Operational disruption risk: Forcing core dumps and reboots on active edge devices can cause network outages or degrade critical services; agencies must weigh continuity of operations against forensic needs and prepare for controlled outages during collection. CISA’s guidance notes this explicitly.
- Expertise gap: Not all agencies (or private organizations) possess staff with experience executing low‑level ASA/FTD forensic procedures safely; incorrect execution could corrupt evidence or cause cascading failures. This creates a reliance on CISA‑provided assistance or external IR vendors.
- Speed vs. completeness trade‑off: The ED’s short deadline forces rapid action, which is appropriate for high‑risk incidents but may lead some organizations to rush steps or fail to fully document chain‑of‑custody for forensic artifacts.
- Attribution and policy consequences: Public EDs that highlight nation‑state targeting may carry diplomatic and policy implications; response plans should include legal and communications teams to manage disclosures and stakeholder expectations.
Recommendations for organizations (operational playbook)
- Immediately inventory ASA/Firepower devices and map which run WebVPN/Remote Access VPN.
- Assess whether WebVPN can be disabled or restricted; if not, apply access controls and limit network exposure.
- For suspected compromises, do not improvise — follow CISA’s collection order if you plan to collect artifacts, or retain an experienced IR partner to perform the work.
- Apply Cisco’s vendor updates for the affected CVEs as soon as possible, and document version‑to‑device mappings so you can prove mitigation status if required.
- Monitor for IOAs: anomalous inbound WebVPN uploads, unexpected device‑initiated outbound traffic, and changes in the output of show checkheaps or show tech‑support.
- Prepare for potential service interruptions: schedule maintenance windows for forensic collection and have failover or temporary remote access plans ready for users who depend on VPN services.
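The “document version‑to‑device mappings” item above is where the build numbers cited earlier in this article (releases after 9.17.1.40, 9.18.4.41, 9.19.1.32, and 9.20+ are described as not vulnerable to the WebVPN file‑upload overflow) become a concrete triage rule. The script below is an added example written for this article, not Cisco’s or CISA’s tooling: it parses the version line from `show version` output for each device in an inventory and buckets the device by that rule. It follows the article’s wording literally (“after” a listed build means strictly greater), so a device sitting exactly on a listed build is flagged for confirmation against Cisco’s advisory rather than assumed safe, and trains the list does not mention (9.16 and earlier) are flagged as not covered. The inventory entries and hostnames are constructed, and the triage covers only the overflow; the path‑normalization bypass and Cisco’s own fixed‑release list still decide what must be patched.

```python
"""Bucket Cisco ASA/FTD devices by software build against the fixed-build
thresholds this article cites for the WebVPN file-upload overflow.

Added example for this article, not Cisco's or CISA's tooling. Thresholds are
the builds named in the text; the 'show version' lines below are constructed."""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

# Release-train -> build after which the article says the vulnerable handler is gone.
FIXED_AFTER = {
    (9, 17): (9, 17, 1, 40),
    (9, 18): (9, 18, 4, 41),
    (9, 19): (9, 19, 1, 32),
}
# The article says 9.20 and later trains are not vulnerable to the overflow.
FIRST_CLEAN_TRAIN = (9, 20)

# Constructed inventory: (hostname, first line of 'show version' output).
SAMPLE_INVENTORY = [
    ("fw-dc1-edge", "Cisco Adaptive Security Appliance Software Version 9.18(4)30"),
    ("fw-branch-7", "Cisco Adaptive Security Appliance Software Version 9.20(2)"),
    ("fw-lab-old", "Cisco Adaptive Security Appliance Software Version 9.16(4)"),
    ("fw-hq-ravpn", "Cisco Adaptive Security Appliance Software Version 9.19(1)32"),
    ("fw-unknown", "console output lost"),
]


def parse_version(text: str) -> Optional[Version]:
    """Extract the ASA build as a 4-tuple. Accepts Cisco's parenthesised form,
    e.g. 9.18(4)30 (interim number optional), or a dotted form such as 9.18.4.30."""
    m = re.search(r"Version\s+(\d+)\.(\d+)\((\d+)\)(\d*)", text)
    if m:
        major, minor, maint, interim = m.groups()
        return (int(major), int(minor), int(maint), int(interim or 0))
    m = re.search(r"Version\s+(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if m:
        return tuple(int(x) for x in m.groups())  # type: ignore[return-value]
    return None


def triage(version: Version) -> str:
    """Classify one build against the article's thresholds for the overflow only."""
    train = version[:2]
    if train >= FIRST_CLEAN_TRAIN:
        return "not-vulnerable-to-overflow"
    threshold = FIXED_AFTER.get(train)
    if threshold is None:
        return "not-covered-by-list"  # e.g. 9.16 and earlier: consult Cisco's advisory directly
    if version > threshold:
        return "not-vulnerable-to-overflow"
    if version == threshold:
        return "boundary-build-confirm-with-vendor"  # article says "after"; do not assume safe
    return "potentially-vulnerable"


def triage_inventory(inventory) -> dict:
    """Map hostname -> triage bucket, keeping unparsable devices visible."""
    result = {}
    for host, version_text in inventory:
        v = parse_version(version_text)
        result[host] = "unparsed" if v is None else triage(v)
    return result


# Order in which a responder would work the list; unparsed devices stay near the top
# because an unknown build is an unknown exposure.
PRIORITY = ["potentially-vulnerable", "unparsed", "not-covered-by-list",
            "boundary-build-confirm-with-vendor", "not-vulnerable-to-overflow"]


def work_order(inventory) -> list:
    """Hostnames sorted by triage priority, then name."""
    buckets = triage_inventory(inventory)
    return sorted(buckets, key=lambda h: (PRIORITY.index(buckets[h]), h))


if __name__ == "__main__":
    buckets = triage_inventory(SAMPLE_INVENTORY)
    for host in work_order(SAMPLE_INVENTORY):
        print(f"{host:14} {buckets[host]}")
```

Keep the output with the inventory as the version‑to‑device record the playbook asks for, and re‑run it after upgrades so the mitigation status can be shown on demand.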
Verifiable facts, corrections, and cautionary flags
- Correction to common reporting/typographic errors: the correct CISA‑listed CVE identifiers in ED 25‑03 are CVE‑2025‑20333 and CVE‑2025‑20362 (not CVE‑2025‑30333). Operators should verify CVE numbers against CISA and vendor advisories when searching for patches and advisories.
- Unverifiable claims: some early posts and social media threads allege widespread exploitation of every ASA device globally; while many incidents and targeted campaigns have been documented, blanket claims of universal compromise are not supported by public telemetry and should be treated with caution. Focus on verified indicators specific to your devices.
- Cross‑validation: the core claims in this report (ED issuance, CVE entries, required artifact collection, and the short deadline) are verifiable on CISA’s public ED and supplemental pages; independent reporting from reputable outlets and CERTs corroborates the operational threat narrative (exploitation of WebVPN, memory implants, and anti‑forensic behavior).
Final assessment
CISA’s Emergency Directive ED 25‑03 represents an escalation in federal defensive posture against targeted campaigns impacting network‑edge appliances. The combination of observed in‑memory implants, anti‑forensic techniques, and WebVPN exploitation justifies rapid, centralized forensic collection for at‑scale analysis. For federal agencies the directive is mandatory; for the private sector, the practical takeaway is clear: treat Cisco ASA/FTD WebVPN exposures as critical, inventory and patch swiftly, and if compromise is suspected, preserve volatile memory artifacts and coordinate with experienced responders rather than improvising potentially destructive remediation steps.
Organizations that operate Cisco ASA or Firepower devices should: prioritize their device inventory now, confirm build levels against Cisco’s fixed releases, prepare for the possibility of controlled outages to collect core dumps safely, and coordinate with their sector ISACs, incident response partners, and — where appropriate — CISA for upload and analysis. The technical window to preserve actionable forensic data is small; acting quickly and precisely will materially improve detection, mitigation, and recovery outcomes.
Conclusion: ED 25‑03 is a high‑urgency, technically detailed federal directive that responds to real, ongoing exploitation risks targeting Cisco ASA and Firepower VPN/web services. The combined evidence — CISA’s directive and supplemental instructions, vendor advisories, and independent incident reporting — makes this one of the more consequential firewall/VPN incidents in recent years; operators must treat it as an immediate priority and follow the vendor and CISA playbooks to detect, preserve, and remediate potential compromises.
Source: CISA, “CISA Directs Federal Agencies to Identify and Mitigate Potential Compromise of Cisco Devices”