
New York State Department of Financial Services · NY

Cybersecurity Threat Alert - Cisco Zero-Day Vulnerabilities

September 26, 2025

Summary

The New York State Department of Financial Services has issued an emergency alert regarding critical zero-day vulnerabilities in Cisco ASA and Firepower appliances that permit remote code execution and persistent system access. Regulated entities must immediately conduct forensics to identify compromises, isolate affected hardware, and apply necessary patches or decommission legacy devices by the specified deadlines.

Industry Letter


Date: September 26, 2025

To: DFS-Regulated Entities

Re: Cybersecurity Threat Alert – Cisco Zero-Day Vulnerabilities

The New York State Department of Financial Services (DFS) is alerting regulated entities to an active cybersecurity campaign by an advanced threat actor targeting zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) and in specific versions of Cisco Firepower. The vulnerabilities allow for remote code execution (CVE-2025-20333), privilege escalation (CVE-2025-20362), and manipulation of read-only memory to persist through reboot and system upgrade. The threat activity presents substantial risk to victim networks, and the vulnerabilities should be addressed immediately.

The United States Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive outlining actions to remediate the threat. The remediation actions identified therein, with minor modifications to address the distinction between Federal civilian executive branch agencies and DFS-Regulated Entities, are:

  1. Immediately identify all Cisco ASA platforms (ASA hardware, ASA-Service Module, ASA Virtual (ASAv), and ASA firmware on Firepower 2100/4100/9300) and all Cisco Firepower Threat Defense (FTD) appliances.
  2. For all public-facing Cisco ASA hardware appliances: Follow CISA’s step-by-step Core Dump and Hunt Instructions Parts 1-3. DFS-Regulated Entities are encouraged to submit core dump(s) via the Malware Next Gen portal as soon as practicable to help further remediate this threat.
    1. If the result is “Compromise Detected,” immediately disconnect the device from the network (but not power off) and notify DFS to the extent that the compromise meets the definition of a Cybersecurity Incident in 23 NYCRR § 500.1(g). Additionally, DFS-Regulated Entities are encouraged to report any Cyber Threat Indicator(s) and Defensive Measure(s) to CISA as soon as practicable. Please see Title 6 United States Code § 1501 for additional information on sharing Cyber Threat Indicators and Defensive Measures with the Federal Government.
    2. If the result is “No Compromise Detected,” DFS-Regulated Entities may proceed to steps 3 and 4.

If the result is “No Compromise Detected”:

  3. For ASA hardware models with an end of support date on or before September 30, 2025, take the following action: Permanently disconnect these devices on or before September 30, 2025, as these legacy platforms/releases cannot meet current vendor support and update requirements.
    1. DFS-Regulated Entities that cannot meet this remediation action must apply the latest Cisco-provided updates as soon as possible and document, in an internal risk assessment, the mission critical needs preventing such action and plans for eventual decommissioning of the device.
  4. For ASA hardware models with an end of support date of August 31, 2026: Download and apply the latest Cisco-provided updates as soon as possible and apply all subsequent updates via Cisco’s download portal within 48 hours of release.
  5. For all ASAv and Firepower FTD: Download and apply the latest Cisco-provided updates as soon as possible and apply all subsequent updates via Cisco’s download portal within 48 hours of release.

If others in your organization should receive this alert, please forward this email as soon as possible and encourage them to opt-in to receive future “Cybersecurity Updates” from DFS.

Source: https://www.dfs.ny.gov/industry-guidance/industry-letters/il20250926-cyber-threat-alert-cisco-zero-day
