AI Trailblazer Award

Insights

CISA Emergency Directive 25-03: What CISOs Need to Know

Last updated: July 9, 202614 mins read
CISA Emergency Directive 25-03: What CISOs Need to Know

You’ve just been notified that CISA has issued Emergency Directive 25-03 targeting critical vulnerabilities in Cisco devices. Your inbox is flooded with urgent messages from your team, vendors are calling about emergency patches, and your CEO wants to know if your organization is at risk. You need to act fast, but compliance directives often feel like checkbox exercises rather than meaningful security improvements.

This isn’t just another compliance hurdle. ED 25-03 represents a real-world test of your organization’s core security functions—from asset management and vulnerability response to executive communication and incident readiness.

In this article, we’ll break down exactly what CISOs need to know about CISA Emergency Directive 25-03, providing a strategic analysis of its implications and a practical guide to leveraging this mandate for long-term security improvements.

Deconstructing the Threat: Why CISA Issued ED 25-03

The Directive at a Glance

On September 25, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03 to address an ongoing exploitation campaign targeting Cisco Adaptive Security Appliances (ASA) and Firepower Threat Defense (FTD) devices. This directive is authorized under Section 3553(h) of Title 44, U.S. Code, and while it formally applies to federal civilian executive branch agencies, it serves as critical guidance for all organizations using the affected devices.

The Threat Actor: Who is ArcaneDoor?

ArcaneDoor is an advanced threat actor with a documented history of targeting networking infrastructure, particularly Cisco devices. What makes this threat actor particularly dangerous is their sophisticated capability to manipulate read-only memory (ROM) on compromised devices, making their infections persistent and extraordinarily difficult to detect through standard monitoring tools. According to The Hacker News, ArcaneDoor has been linked to several high-profile breaches where the initial access point was compromised network equipment.

The Critical Vulnerabilities

The directive addresses two critical vulnerabilities that have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog:

  1. CVE-2025-20333 (CVSS Score: 9.9 Critical)
    • An improper validation flaw in HTTP(S) requests that allows an authenticated remote attacker with valid VPN credentials to achieve remote code execution.
    • This vulnerability effectively gives attackers full control over the device once they have valid credentials.
  2. CVE-2025-20362 (CVSS Score: 6.5 Medium)
    • An improper validation flaw that allows an unauthenticated remote attacker to access restricted URL endpoints.
    • While rated Medium in isolation, this vulnerability becomes critical when chained with CVE-2025-20333.

What makes these vulnerabilities particularly dangerous is that attackers are chaining them together: first using CVE-2025-20362 to bypass authentication requirements, then exploiting CVE-2025-20333 to execute malicious code with elevated privileges, ultimately achieving full device control.

The Scope of Impact

The directive specifically identifies the following Cisco devices as in-scope:

  • Cisco ASA hardware appliances
  • ASA-Service Module (ASA-SM)
  • ASA Virtual (ASAv)
  • Firepower Threat Defense (FTD) appliances

These devices are common at network boundaries in organizations of all sizes, making them high-value targets for attackers seeking initial access into corporate networks.

The Mandate: A CISO’s Action Plan for ED 25-03

The directive outlines specific actions that federal agencies must take with strict deadlines. For private sector organizations, while not legally bound by the directive, these actions represent security best practices that should be implemented with similar urgency.

Action 1: IDENTIFY (Deadline: Immediate)

Requirement: Organizations must immediately inventory their networks to identify all instances of the in-scope Cisco devices.

CISO Takeaway: This is a direct test of your asset management program and CMDB accuracy. Incomplete or outdated inventories will result in missed devices, leaving potential attack vectors unaddressed. If you’ve been putting off improving your asset management program, this directive provides the perfect justification to prioritize it.

Many organizations struggle with maintaining accurate device inventories, especially for network infrastructure that may have been deployed years ago. This mandate exposes the risk this poses: you cannot secure what you don’t know you have.

Action 2: HUNT & SUBMIT (Deadline: 11:59 PM EDT on September 26, 2025)

Requirement: Organizations must follow CISA’s step-by-step Core Dump and Hunt Instructions to collect forensic data (core dumps) from all identified devices.

The collected core dumps must then be submitted to CISA via the Malware Next Gen portal for analysis.

Decision Tree:

  • If CISA reports “Compromise Detected”:
    1. Disconnect the device immediately without powering it off to preserve forensic evidence
    2. Report the incident to CISA
    3. Initiate incident response and eviction procedures, using guidance like CISA’s Eviction Strategies Tool
  • If CISA reports “No Compromise Detected”:
    1. Proceed to the mitigation actions

CISO Takeaway: This phase tests your incident response capabilities, forensic readiness, and technical expertise. The CLI-intensive nature of core dump procedures exposes potential skills gaps in your team. As one user noted in a Reddit thread, “I tried using the GUI to Backup and Restore but it doesn’t seem to work.” This highlights the importance of maintaining CLI proficiency among your team members, especially for critical security operations.

Action 3: MITIGATE (Deadlines: Sept 26 & Sept 30, 2025)

Requirement 1 (Supported Devices): By September 26, 2025, apply the latest security updates provided by Cisco for all supported models.

Requirement 2 (Unsupported Devices): By September 30, 2025, disconnect all devices that have reached end-of-support (EoS).

CISO Takeaway: This directive forces a resolution for technical debt. End-of-support devices represent a known risk that many organizations have been reluctant to address due to cost or operational concerns. This directive provides the mandate to finally remove these devices or justify their emergency replacement.

The tight timeline also tests your patch management capabilities and deployment processes. Organizations with mature, automated patch management will find compliance significantly easier than those relying on manual processes.

Action 4: REPORT (Deadline: October 2, 2025)

Requirement: Submit a comprehensive report detailing:

  • A complete inventory of all affected products
  • The status of core dump submissions for each device
  • The results of CISA’s analysis (“Compromise Detected” or “No Compromise Detected”)
  • Actions taken for each device (patched, disconnected, or under incident response)

CISO Takeaway: This reporting requirement highlights the need for meticulous documentation throughout your response process. Organizations without proper documentation practices will find this phase particularly challenging, as they scramble to reconstruct the actions taken over the previous days.

Beyond the Checklist: Strategic Implications for CISOs

While immediate compliance with ED 25-03 is critical, forward-thinking CISOs should view this directive as an opportunity to strengthen their overall security posture and demonstrate value to executive leadership.

From Reactive Compliance to Proactive Resilience

Many security leaders struggle with data automation and reliable metrics, as highlighted in a Reddit discussion among CISOs. One CISO asked: “How much did you automate? Do you pull the numbers manually, what sources and data points do you use and how much value do they bring to the organisation?”

This directive provides a perfect opportunity to evaluate and improve your automation capabilities. Tools like those mentioned by Puppet can streamline inventory, patching, and compliance reporting, shifting your security posture from reactive to proactive.

Consider how your team responded to this directive:

  • Was your inventory process manual and time-consuming?
  • Did you struggle to collect and submit core dumps efficiently?
  • Was your patch deployment process smooth or chaotic?

Use these insights to justify investments in automation and process improvements that will enhance your readiness for future incidents.

Pressure-Testing Your Incident Response (IR) Plan

Generic incident response templates “have been made so generic that they aren’t actually useful,” according to a Reddit discussion on IR planning. ED 25-03 serves as a live-fire exercise for your IR capabilities.

Ask yourself these critical questions:

  • Was your “phone tree” effective? Did everyone know who to contact and when?
  • Were your documentation procedures clear and followed consistently?
  • Did your team know how to collect forensic data from network devices?
  • Was your coordination with IT and network teams smooth or contentious?

Use this experience to refine your IR plan based on real-world performance, aligning with frameworks like NIST SP 800-61 for a more tailored approach. As one Reddit user advised, “Avoid templates as they should be tailored to your business and cover events for people, systems, buildings, and third parties at minimum.”

Communicating Risk and Value to the C-Suite

Many CISOs struggle with establishing effective feedback mechanisms from C-level executives. One CISO asked on Reddit: “What does your feedback loop look like (eg C-level to you about the content of the report, used as input for roadmaps)?”

ED 25-03 provides an opportunity to demonstrate your security program’s value using metrics that resonate with executives:

Efficiency Metrics:

  • “Our team identified and collected forensics from 150 devices in 18 hours.”
  • “We deployed patches to 95% of affected systems within 24 hours of availability.”

Risk Reduction Metrics:

  • “We identified and removed 12 end-of-support devices, eliminating a major source of unpatchable risk from our network edge.”
  • “Our rapid response prevented potential compromise of systems that process $X million in transactions daily.”

Program Maturity Metrics:

  • “This event revealed a gap in our asset management automation, and we have a plan to address it in Q4.”
  • “Our incident response process successfully coordinated 3 different teams across 2 time zones with zero delays.”

By framing your response in terms of business value and risk reduction, you can strengthen executive support for your security initiatives.

The Compliance-Security Symbiosis

The cybersecurity community often debates whether compliance equals security. As one Reddit user noted: “A compliant system doesn’t strictly mean it’s secure.”

While this is true, another user made an equally important point: “If you don’t have a framework you are pissing into the wind.” Compliance directives like ED 25-03 provide that framework and create the leverage security leaders need to address long-standing issues.

Use this directive to:

  • Justify the replacement of aging, vulnerable infrastructure
  • Secure budget for security automation tools
  • Implement more robust asset management practices
  • Enhance your incident response capabilities

By strategically leveraging compliance requirements to drive genuine security improvements, you can break the “culture of ‘checking the box'” that many organizations fall into.

Common Pitfalls and Pro Tips

As you navigate compliance with ED 25-03, be aware of these common pitfalls and leverage our pro tips to ensure a successful response.

Common Pitfalls to Avoid

Pitfall 1: Neglecting Legacy Devices

The directive explicitly requires disconnecting end-of-support devices by September 30, 2025. Failing to do so is a direct compliance violation. Many organizations attempt to hide or exclude legacy devices from their inventory, but this approach creates significant security risks.

Pitfall 2: Over-reliance on GUI Tools

Core dump procedures are often CLI-intensive. As one frustrated user noted on Reddit: “I tried using the GUI to Backup and Restore but it doesn’t seem to work.” Ensure your team has the necessary technical skills to execute CLI commands confidently.

Pitfall 3: Incomplete Documentation

The final report to CISA requires meticulous record-keeping of all actions taken. Organizations that fail to document their response process in real-time will struggle to compile accurate reports under tight deadlines.

Pitfall 4: Ignoring High Availability Configurations

In high availability (HA) environments, special procedures may be required. As one Reddit user questioned: “Am I supposed to login to both units using GUI and backup each configurations individually and restore individually?” Failure to understand the nuances of HA environments can lead to unnecessary downtime or incomplete remediation.

Pitfall 5: Treating the Directive as a One-time Event

Some organizations will view ED 25-03 as a one-time compliance exercise rather than an opportunity to improve their security posture. This mindset misses the chance to address systemic issues in asset management, patch deployment, and incident response.

Pro Tips for Effective Execution

Pro Tip 1: Collaborate Intensely

A CISO must work hand-in-glove with IT and network teams. This is not just a security-owned task. Create a cross-functional response team with clear roles and responsibilities. Establish regular touchpoints to monitor progress and address issues quickly.

Pro Tip 2: Leverage Automation Where Possible

Tools that automate inventory, patch deployment, and compliance reporting can significantly reduce the burden on your team. For organizations with large numbers of Cisco devices, automation is not just convenient—it’s essential for meeting the tight deadlines.

Pro Tip 3: Document Everything in Real-time

Maintain a detailed log of all actions, decisions, and device statuses from day one. This documentation will be invaluable when preparing your final report and can serve as evidence of due diligence if questions arise later.

Pro Tip 4: Conduct a Post-Mortem

Once the deadlines are met, gather your team to analyze the response: What worked well? Where were the bottlenecks? Use these lessons to justify investments in automation, training, or asset management tools. Document specific findings and recommendations to present to executive leadership.

Pro Tip 5: Develop Custom Playbooks for Future Incidents

Use the experience gained from responding to ED 25-03 to develop custom playbooks for similar incidents. As one Reddit user advised regarding incident response plans: “Avoid templates as they should be tailored to your business.” Your ED 25-03 response can provide valuable insights for creating these tailored procedures.

Turning a Mandate into a Mission

CISA Emergency Directive 25-03 is more than just another compliance requirement—it’s a powerful catalyst for change within your organization. By strategically approaching this directive, CISOs can:

  1. Prove the value of their security program by demonstrating efficient response to a high-profile threat
  2. Reduce tangible risk by removing vulnerable devices and strengthening security controls
  3. Build a more resilient organization by improving asset management, patch deployment, and incident response capabilities

The directive tests your ability to know what you have (asset management), protect what you have (vulnerability management), detect threats (forensic capabilities), respond effectively (incident response), and communicate value (executive reporting). These are the core functions of any mature security program.

As you work through the requirements of ED 25-03, remember that compliance and security need not be opposing forces. When approached strategically, compliance directives can provide the structure and justification needed to implement meaningful security improvements.

By treating this mandate as a mission rather than a checkbox, you’ll not only meet CISA’s requirements but also strengthen your organization’s security posture for the challenges that lie ahead.

Frequently Asked Questions

What is CISA Emergency Directive 25-03?

CISA Emergency Directive 25-03 is a mandate requiring federal agencies to identify, assess, and mitigate critical vulnerabilities in specific Cisco networking devices being actively exploited by the ArcaneDoor threat actor. The directive targets vulnerabilities CVE-2025-20333 and CVE-2025-20362 in Cisco ASA and FTD devices and outlines a four-step action plan: identifying all affected devices, hunting for signs of compromise, mitigating the threat by patching or disconnecting hardware, and reporting the results back to CISA.

Why was ED 25-03 issued?

ED 25-03 was issued in response to an active exploitation campaign by a sophisticated threat actor known as ArcaneDoor, who is using two critical vulnerabilities to gain full control of Cisco security appliances. The threat actor chains two vulnerabilities (CVE-2025-20333 and CVE-2025-20362) to bypass authentication and execute remote code. Due to the widespread use of these Cisco devices at network boundaries and the severity of the exploit, CISA issued the emergency directive to prevent widespread compromise of federal networks and provide critical guidance for the private sector.

Who needs to comply with CISA ED 25-03?

While the directive formally mandates compliance for all U.S. federal civilian executive branch (FCEB) agencies, it serves as critical guidance for any organization—public or private—that uses the affected Cisco ASA and FTD devices. The vulnerabilities and the threat actor are not limited to targeting federal agencies. CISA strongly urges all organizations to review the directive and implement the recommended actions to protect their networks from the same risks of network compromise, data breaches, and operational disruption.

How should my organization respond to ED 25-03?

Your organization should follow the four-step action plan outlined in the directive: Identify, Hunt, Mitigate, and Report. First, immediately identify all in-scope Cisco ASA and FTD devices on your network. Second, hunt for signs of compromise by collecting and submitting forensic data (core dumps). Third, mitigate the risk by applying patches to supported devices and disconnecting unsupported, end-of-life hardware. Finally, while private organizations don’t report to CISA, you should report internally to document the actions taken and the risk reduction achieved.

What is the biggest challenge in complying with this directive?

The biggest challenges are often foundational security weaknesses, such as incomplete asset inventories, outdated patch management processes, and a lack of forensic readiness. The directive’s tight deadlines expose gaps in core security functions. Organizations may struggle to locate all affected devices if their asset management is poor, and the CLI-intensive forensic data collection can be difficult for teams without deep technical expertise. Finally, removing end-of-support devices can be a major hurdle if they are part of critical business processes, highlighting the risks of accumulated technical debt.

How can I use ED 25-03 to improve my security program?

You can leverage the urgency of this directive as a catalyst to gain executive support and budget for long-term security improvements. Use the response effort to demonstrate the value of your security program by framing the outcome in business terms, such as “we secured devices processing $X million in daily transactions.” Use any identified gaps—like slow manual patching or a poor device inventory—to justify investments in automation, better asset management tools, and enhanced incident response playbooks. This turns a reactive compliance exercise into a strategic win for proactive security.

This article provides general guidance and does not constitute legal advice. Organizations should consult with legal counsel and security professionals to ensure appropriate compliance with CISA directives and other regulatory requirements.

Related Articles