Cybersecurity Alert: Cisco Zero-Day Vulnerabilities
Summary
The New York State Department of Financial Services issued a cybersecurity alert regarding active exploitation of Cisco zero-day vulnerabilities. Regulated entities are required to immediately identify affected Cisco devices and follow remediation steps outlined by CISA, including potential disconnection of end-of-support hardware.
What changed
The New York State Department of Financial Services (DFS) has issued an industry letter alerting regulated entities to active exploitation of critical zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) and Cisco Firepower Threat Defense (FTD) devices. The vulnerabilities, identified as CVE-2025-20333 and CVE-2025-20362, allow for remote code execution and privilege escalation, posing a substantial risk to victim networks. The DFS is directing entities to follow remediation actions provided by CISA, which include immediate identification of affected devices and specific instructions for public-facing ASA hardware.
DFS-regulated entities must act immediately to identify all affected Cisco ASA and Firepower appliances. For public-facing ASA hardware, entities must perform core dump analysis; if compromise is detected, the device must be disconnected from the network and DFS notified if it constitutes a Cybersecurity Incident. Devices with an end-of-support date on or before September 30, 2025, must be permanently disconnected by that date, or a documented risk assessment justifying continued use and a decommissioning plan must be provided. Failure to comply with these directives could result in regulatory action or other penalties as defined by DFS regulations.
What to do next
- Immediately identify all affected Cisco ASA and Firepower devices.
- Perform core dump analysis on public-facing ASA hardware and follow CISA instructions.
- Disconnect end-of-support ASA hardware by September 30, 2025, or document justification and decommissioning plan.
Source document (simplified)
Industry Letter
Date: September 26, 2025
To: DFS-Regulated Entities
Re: Cybersecurity Threat Alert – Cisco Zero-Day Vulnerabilities
The New York State Department of Financial Services (“DFS”) is alerting regulated entities to an active cybersecurity campaign by an advanced threat actor targeting zero-day vulnerabilities in Cisco Adaptive Security Appliances (“ASA”) and in specific versions of Cisco Firepower. The vulnerabilities allow for remote code execution (CVE-2025-20333), privilege escalation (CVE-2025-20362), and manipulation of read-only memory to persist through reboot and system upgrade. The threat activity presents substantial risk to victim networks, and the vulnerabilities should be addressed immediately.
The United States Cybersecurity and Infrastructure Security Agency (“CISA”) has issued an emergency directive outlining actions to remediate the threat. The remediation actions identified therein, with minor modifications to address the distinction between Federal civilian executive branch agencies and DFS-Regulated Entities, are:
1. Immediately identify all Cisco ASA platforms (ASA hardware, ASA-Service Module, ASA Virtual (“ASAv”), and ASA firmware on Firepower 2100/4100/9300) and all Cisco Firepower Threat Defense (“FTD”) appliances.
2. For all public-facing Cisco ASA hardware appliances: Follow CISA’s step-by-step Core Dump and Hunt Instructions Parts 1-3. DFS-Regulated Entities are encouraged to submit core dump(s) via the Malware Next Gen portal as soon as practicable to help further remediate this threat.
   - If the result is “Compromise Detected,” immediately disconnect the device from the network (but not power off) and notify DFS to the extent that the compromise meets the definition of a Cybersecurity Incident in 23 NYCRR § 500.1(g). Additionally, DFS-Regulated Entities are encouraged to report any Cyber Threat Indicator(s) and Defensive Measure(s) to CISA as soon as practicable. Please see Title 6 United States Code § 1501 for additional information on sharing Cyber Threat Indicators and Defensive Measures with the Federal Government.
   - If the result is “No Compromise Detected,” DFS-Regulated Entities may proceed to steps 3 and 4.

If the result is “No Compromise Detected”:

3. For ASA hardware models with an end of support date on or before September 30, 2025, take the following action: Permanently disconnect these devices on or before September 30, 2025, as these legacy platforms/releases cannot meet current vendor support and update requirements.
   - DFS-Regulated Entities that cannot meet this remediation action must apply the latest Cisco-provided updates as soon as possible and document, in an internal risk assessment, the mission critical needs preventing such action and plans for eventual decommissioning of the device.
4. For ASA hardware models with an end of support date of August 31, 2026: Download and apply the latest Cisco-provided updates as soon as possible and apply all subsequent updates via Cisco’s download portal within 48 hours of release.
5. For all ASAv and Firepower FTD: Download and apply the latest Cisco-provided updates as soon as possible and apply all subsequent updates via Cisco’s download portal within 48 hours of release.
If others in your organization should receive this alert, please forward this email as soon as possible and encourage them to opt in to receive future “Cybersecurity Updates” from DFS.