CISA Emergency Directive 25-03: DevOps Tasks for Cisco 0-Day

TL;DR (for dev & SRE leads): Turn CISA Emergency Directive 25-03 into a concrete, sprint-ready checklist: discover your Cisco edge, lock management planes, patch & reimage, rotate CI tokens, restrict runner egress, enforce mTLS to artifacts, gate builds on KEV network CVEs, and verify with config/state integrity + detections. CISA also shipped Supplemental Direction with core-dump & hunt instructions—use it to prove you’re clean.

CISA Emergency Directive 25-03

Update (October 12, 2025): We’ve published a step-by-step CVE-2025-59489 Unity mitigation guide covering patched Editor lines, CI/CD hardening, checksums/SBOM, and fleet validation. Read it here: https://www.cybersrely.com/cve-2025-59489-unity-mitigation/.


What ED 25-03 mandates (in plain English)

  • Scope: Cisco ASA/FTD/IOS XE devices under active exploitation.
  • Agency actions: Identify all in-scope devices, analyze for compromise (including core-dump/hunt steps), mitigate immediately, and report.

Supplemental Direction highlights: perform core dumps / forensic collection, hunt for indicators, and follow submission/containment guidance. Use these steps to drive your validation workflow after patching.


Engineering tasks to start today

1) Asset discovery: find every edge path in minutes

Fast sweep (nmap) to spot ASA/FTD/IOS XE on known ranges

# Discover likely Cisco ASA/FTD/IOS XE on common mgmt ports (22, 443) with service banners.
# Grepable output (-oG -) keeps host and banners on one line, so a match shows which host hit;
# -O needs root, so run with sudo (or drop -O if OS fingerprinting is not needed).
sudo nmap -sV -O -p 22,443 --open -oG - 10.0.0.0/8 192.168.0.0/16 \
  | grep -E 'Cisco|Adaptive Security Appliance|ASA|IOS XE|Firepower'

SNMP truthing (sysDescr)

# Quick sample using net-snmp to confirm Cisco edge gear (edge-ranges.txt: one CIDR per line)
# -t 1 -r 0: one-second timeout, no retries, so non-SNMP hosts do not stall the sweep
while read -r range; do
  for ip in $(prips "$range"); do
    snmpget -v2c -c READONLY -t 1 -r 0 "$ip" 1.3.6.1.2.1.1.1.0 2>/dev/null \
      | awk -v ip="$ip" '/Cisco|ASA|IOS XE|Firepower/ {print ip ": " $0}'
  done
done < edge-ranges.txt

Need a one-click outside-in view of your web surface? Dropping a screenshot of a scan from our Free Website Vulnerability Scanner here to show leadership the delta before/after patching.

Screenshot of the free tools webpage where you can access security assessment tools for different vulnerability detection.

2) Lock the management plane (before you patch)

Cisco IOS XE (harden HTTP/SSH access)

! Disable plaintext HTTP; restrict HTTPS to a mgmt ACL
no ip http server
ip http secure-server
ip access-list standard MGMT-ACL
  permit 10.10.10.0 0.0.0.255
  permit 172.16.50.10
! IOS XE takes a named ACL with the ipv4 keyword; older IOS expects a numbered (1-99) ACL here
ip http access-class ipv4 MGMT-ACL
!
! VTY: SSH v2 only, and only from the mgmt ACL (cover every vty line the platform has, e.g. 0 15)
ip ssh version 2
line vty 0 4
 access-class MGMT-ACL in
 transport input ssh
 login local

Cisco ASA/FTD (ASDM/HTTPS/SSH only from jump nets)

! Limit ASDM/HTTPS mgmt and SSH to mgmt VLAN/jumpbox ranges
! Remove any WAN-facing "http 0.0.0.0 0.0.0.0 outside" / "ssh 0.0.0.0 0.0.0.0 outside" entries first,
! then permit only mgmt/jumpbox sources. If ASDM is not needed at all, use "no http server enable"
! instead of the http lines below.
http server enable
http 10.10.10.0 255.255.255.0 management
http 172.16.50.0 255.255.255.0 management
ssh 10.10.10.0 255.255.255.0 management
ssh 172.16.50.0 255.255.255.0 management
ssh version 2
aaa authentication ssh console LOCAL
!
! Optional: move mgmt to out-of-band interface if available
management-access management

3) Patch/reimage & rebuild trust paths

  • Apply Cisco fixes, then reimage if directed, restore a known-good config, and rotate every secret that transited those gateways (VPN creds, SSO cookies, CI tokens, deploy keys). Validate build SSO/VPN paths end-to-end after the patch.

Config integrity hash (pre/post)

# Save and hash running config from ASA/IOS XE for tamper checks
ssh admin@$DEVICE "show running-config" | tee configs/$DEVICE.$(date +%F).cfg
sha256sum configs/$DEVICE.$(date +%F).cfg >> config-hash.log
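
A raw sha256sum changes on every save (the ": Written by" header alone differs), so the pre/post comparison is more useful over a normalized config. The helper below is an added example, not the page's script; the two ASA config excerpts are constructed, and the volatile header prefixes are an assumption you may need to extend for your platform.

```python
"""Compare pre- and post-patch running-config snapshots, ignoring header
lines that change on every save, so only real config changes show up.
Added example (not the page's script); the config excerpts are constructed."""
import hashlib

# Assumed volatile prefixes (ASA ": Saved"/": Written by", IOS "! Last configuration change").
VOLATILE_PREFIXES = (": Saved", ": Written by",
                     "! Last configuration change", "! NVRAM config last updated")

PRE = """\
: Saved
: Written by admin at 09:12:01.123 UTC Wed Sep 24 2025
hostname ASA-BRANCH-12
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.10.10.0 255.255.255.0 management
ssh 10.10.10.0 255.255.255.0 management
"""
POST = """\
: Saved
: Written by admin at 15:40:37.880 UTC Fri Sep 26 2025
hostname ASA-BRANCH-12
http server enable
http 10.10.10.0 255.255.255.0 management
http 172.16.50.0 255.255.255.0 management
ssh 10.10.10.0 255.255.255.0 management
"""

def normalize(cfg):
    """Set of non-blank config lines with volatile header lines dropped."""
    return {l.rstrip() for l in cfg.splitlines()
            if l.strip() and not l.startswith(VOLATILE_PREFIXES)}

def config_hash(cfg):
    """Stable hash: identical for two saves of the same config."""
    return hashlib.sha256("\n".join(sorted(normalize(cfg))).encode()).hexdigest()

def config_diff(pre, post):
    """(removed, added) lines between two snapshots, volatile lines excluded."""
    a, b = normalize(pre), normalize(post)
    return sorted(a - b), sorted(b - a)
```

Attach both the hash and the diff to the change ticket; the diff should contain only the lines you intended to change (here the WAN-facing http entry removed, the jumpbox range added).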

TLS trust pinning check for SSO endpoints

# Verify your IdP & artifact store cert fingerprints match expected pins
# (pins are SHA-256 over the leaf certificate DER, uppercase hex without colons; update on cert rotation)
import ssl, socket, hashlib
targets = {
  "idp.example.com:443": "EXPECTED_SHA256_FINGERPRINT_HEX",
  "artifacts.example.com:443": "EXPECTED_SHA256_FINGERPRINT_HEX"
}
for hostport, expected in targets.items():
    host, port = hostport.split(":")
    ctx = ssl.create_default_context()
    with socket.create_connection((host, int(port))) as s:
        with ctx.wrap_socket(s, server_hostname=host) as ssock:
            der = ssock.getpeercert(True)
            fp = hashlib.sha256(der).hexdigest().upper()
            print(host, "OK" if fp == expected else f"MISMATCH {fp}")

CI/CD hardening that blocks replay & exfil

4) Restrict runner egress to an allow-list

iptables on a self-hosted runner

# Default DENY; only allow Git provider, container registry, artifact store, time/NTP, DNS, and apt mirrors.
# Add the ACCEPT rules first and flip the policy last, so an agent/SSH session is not cut off mid-change.
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DNS to local resolver only (UDP and TCP)
iptables -A OUTPUT -p udp --dport 53 -d 10.0.0.53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -d 10.0.0.53 -j ACCEPT
# NTP
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
# Git provider API & git over HTTPS, registry, artifact store, apt mirror
# (populate each set from your resolver or firewall object group; -exist makes this re-runnable)
for set in GITDEST REGISTRY ARTIFACTS APTMIRROR; do ipset create -exist "$set" hash:ip; done
iptables -A OUTPUT -m set --match-set GITDEST   dst -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -m set --match-set REGISTRY  dst -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -m set --match-set ARTIFACTS dst -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -m set --match-set APTMIRROR dst -p tcp -m multiport --dports 80,443 -j ACCEPT
# Everything else outbound is dropped
iptables -P OUTPUT DROP

Terraform guardrail for runner subnet (AWS)

resource "aws_security_group" "runner_egress" {
  name   = "ci-runner-egress-allowlist"
  vpc_id = var.vpc_id
  egress {
    description = "Git provider"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = var.git_provider_cidrs
  }
  egress {
    description = "Container registry"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = var.registry_cidrs
  }
  egress {
    description = "Artifact store (mTLS, see step 5)"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = var.artifact_store_cidrs
  }
  # HCL requires one argument per line inside a block, so NTP is spelled out like the others
  egress {
    description = "NTP"
    from_port   = 123
    to_port     = 123
    protocol    = "udp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

5) Enforce mTLS to artifact stores

Nginx sidecar requiring client certs

server {
  listen 443 ssl;
  server_name artifacts.example.com;

  ssl_protocols        TLSv1.2 TLSv1.3;
  ssl_certificate      /etc/nginx/certs/server.crt;
  ssl_certificate_key  /etc/nginx/certs/server.key;
  ssl_client_certificate /etc/nginx/ca/ci-clients.pem;  # CA that issues CI runner client certs only
  ssl_verify_client on;   # require CI client cert
  ssl_verify_depth 2;

  location / {
    # Pass the verified client identity upstream so artifact access is attributable per runner
    proxy_set_header X-Client-Cert-DN $ssl_client_s_dn;
    proxy_pass http://artifact-backend:8080;
  }
}

6) Gate builds on KEV-listed network CVEs until firmware is verified

Inventory-driven gate (GitHub Actions)

name: Block build if edge firmware unverified
on: [push, workflow_dispatch]
jobs:
  kev_gate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Fail if any edge device is unverified
        run: |
          python - <<'PY'
          import json, sys
          # network_inventory.json: { "devices": [ {"ip": "x.x.x.x", "model": "ASA",
          #   "kev_cves": ["CVE-2025-20333"], "firmware_verified": true}, ... ] }
          with open('network_inventory.json') as f:
              inv = json.load(f)
          # A missing flag counts as unverified (.get), rather than crashing the job
          bad = [f'{d.get("model")} {d.get("ip")}' for d in inv["devices"]
                 if d.get("model") in ("ASA", "FTD", "IOS XE") and d.get("firmware_verified") is not True]
          if bad:
              print("ERROR: Unverified edge firmware:", ", ".join(bad)); sys.exit(1)
          print("OK: all in-scope edge devices verified")
          PY

(Your SecOps job can keep network_inventory.json current, marking firmware_verified=true only after patch+reimage+validation.)
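
The Actions step above blocks on every unverified in-scope device. The variant below, an added example and not the page's own job code, goes one step further and cross-references each device's listed CVEs against the CISA KEV catalog feed, so a stale inventory tag for a non-KEV CVE does not block builds while a KEV-listed one does. It assumes the inventory schema above and the KEV JSON field names ("vulnerabilities" and "cveID"); all sample data is constructed.

```python
"""CI gate: fail when an in-scope Cisco edge device still carries a KEV-listed
CVE and is not yet marked firmware_verified. Added example (not the page's own
job code); assumes the page's inventory schema and the KEV feed's
"vulnerabilities"/"cveID" field names. Sample data below is constructed."""
import json

SCOPE_MODELS = {"ASA", "FTD", "IOS XE"}  # ED 25-03 scope

# Constructed excerpt in the shape of the KEV catalog feed (second id is a placeholder).
KEV_CATALOG_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2025-20333", "vendorProject": "Cisco"},
  {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor"}
]}"""

# Constructed inventory using the network_inventory.json schema from the page.
INVENTORY_JSON = """{"devices": [
  {"ip": "10.1.1.1", "model": "ASA", "kev_cves": ["CVE-2025-20333"], "firmware_verified": false},
  {"ip": "10.1.1.2", "model": "FTD", "kev_cves": ["CVE-2025-20333"], "firmware_verified": true},
  {"ip": "10.1.1.3", "model": "IOS XE", "kev_cves": ["CVE-0000-9999"], "firmware_verified": false},
  {"ip": "10.1.1.4", "model": "Catalyst", "kev_cves": ["CVE-2025-20333"], "firmware_verified": false}
]}"""

def kev_ids(catalog_json):
    """CVE ids currently in the KEV catalog."""
    return {v["cveID"] for v in json.loads(catalog_json)["vulnerabilities"]}

def blocking_devices(inventory_json, catalog_json):
    """In-scope devices carrying at least one KEV CVE that are not verified."""
    kev = kev_ids(catalog_json)
    blocking = []
    for d in json.loads(inventory_json)["devices"]:
        if d.get("model") not in SCOPE_MODELS:
            continue  # out of directive scope
        open_kev = sorted(set(d.get("kev_cves", [])) & kev)
        # Only patch + reimage + validation flips firmware_verified to true.
        if open_kev and d.get("firmware_verified") is not True:
            blocking.append((d["ip"], d["model"], open_kev))
    return blocking

def gate(inventory_json, catalog_json):
    """CI exit status: 0 lets the build proceed, 1 blocks it."""
    bad = blocking_devices(inventory_json, catalog_json)
    for ip, model, cves in bad:
        print(f"ERROR: {model} {ip} unverified for {', '.join(cves)}")
    return 1 if bad else 0

if __name__ == "__main__":
    raise SystemExit(gate(INVENTORY_JSON, KEV_CATALOG_JSON))
```

In the job, replace the embedded strings with the checked-in inventory file and a cached copy of the KEV feed so the gate does not depend on outbound network access from the runner.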


Verify & monitor (post-patch)

7) Run the core-dump/hunt set from CISA’s Supplemental Direction

Use the official Core Dump & Hunt instructions as your post-patch “prove we’re clean” playbook (collection, analysis, submission). Keep the artifacts and timestamps with your change ticket.

ASA quick capture (pre/during hunt)

show version
show inventory
show running-config
show processes cpu-usage non-zero
show interface ip brief
show asp table socket
show conn detail
show vpn-sessiondb anyconnect
copy /pcap capture:<capname> tftp:

8) Detections for suspicious mgmt traffic

Sigma-style rule (convert to your SIEM)

title: Cisco Edge Unusual Mgmt Access
status: experimental
logsource:
  product: cisco
  service: asa
detection:
  sel:
    # ASA login events: 605005 = login permitted, 605004 = login denied
    message_id:
      - 605004
      - 605005
  allowed_src:
    src_ip|cidr:
      - 10.10.10.0/24
      - 172.16.50.0/24
  # Alert on any mgmt login attempt that did not originate from the jump/mgmt nets
  condition: sel and not allowed_src
fields: [src_ip, dst_ip, user, outcome]
level: high
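
The same logic as plain detection code, useful for a quick hunt over exported syslog before the SIEM rule is live. This is an added example, not part of the original post; the ASA syslog lines are constructed in the standard 605004/605005 message format, and the field layout of your own exports may differ.

```python
"""Flag ASA management logins (syslog 605005 permitted / 605004 denied) whose
source is outside the allowed jump/management subnets.
Added example, not the page's code; the log lines are constructed."""
import ipaddress, re

ALLOWED = [ipaddress.ip_network(n) for n in ("10.10.10.0/24", "172.16.50.0/24")]

# %ASA-6-605005: Login permitted from <src>/<port> to <ifc>:<dst>/<svc> for user "<user>"
LOGIN_RE = re.compile(
    r'%ASA-\d-6050(?P<code>04|05): Login (?P<outcome>permitted|denied) from '
    r'(?P<src>[\d.]+)/\d+ to (?P<ifc>\w+):(?P<dst>[\d.]+)/(?P<svc>\w+) for user "(?P<user>[^"]*)"')

# Constructed sample: two logins from the mgmt nets, two from an outside address.
SAMPLE_LOGS = """\
Sep 26 2025 10:01:02 asa-branch-12 : %ASA-6-605005: Login permitted from 10.10.10.25/51822 to management:10.10.10.1/ssh for user "netops"
Sep 26 2025 10:03:44 asa-branch-12 : %ASA-6-605005: Login permitted from 198.51.100.23/40112 to outside:203.0.113.5/https for user "admin"
Sep 26 2025 10:04:10 asa-branch-12 : %ASA-6-605004: Login denied from 198.51.100.23/40113 to outside:203.0.113.5/ssh for user "admin"
Sep 26 2025 10:09:58 asa-branch-12 : %ASA-6-605005: Login permitted from 172.16.50.10/55120 to management:10.10.10.1/https for user "secops"
"""

def is_allowed(src):
    """True when the source address falls inside one of the mgmt/jumpbox nets."""
    return any(ipaddress.ip_address(src) in net for net in ALLOWED)

def suspicious_logins(text):
    """Return (src_ip, dst_ip, user, outcome) for login events from outside ALLOWED."""
    hits = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m and not is_allowed(m["src"]):
            hits.append((m["src"], m["dst"], m["user"], m["outcome"]))
    return hits

if __name__ == "__main__":
    for hit in suspicious_logins(SAMPLE_LOGS):
        print("ALERT mgmt login outside allowed nets:", hit)
```

A permitted login from outside the allowed nets is the high-severity case; denied attempts are worth keeping at a lower level for trend and brute-force context.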

9) Document exceptions with owners (time-boxed)

Lightweight exception record (YAML)

exception_id: EX-ASA-07
asset: ASA-5508-X@BRANCH-12
risk: "Mgmt HTTPS open from WAN during emergency maintenance"
owner: "[email protected]"
mitigation: "Temporary WAN ACL + SOC alerting"
expires: "2025-10-23T18:00:00Z"
reviewers: ["[email protected]","[email protected]"]

Secrets & token rotation (because your builds crossed that gateway)

10) Rotate CI secrets used through affected gateways

GitHub Actions: refresh repo secrets from your vault

# Example: rotate a token stored in your secret manager, then push it to GH
NEW=$(your-vault-cli get ci/TOKEN --rotate)     # returns a fresh value
gh secret set DEPLOY_TOKEN --body "$NEW"

GitLab: expire project access tokens

# Revoke existing token by ID; create a short-lived replacement
curl --header "PRIVATE-TOKEN: $ADMIN" \
  -X DELETE https://gitlab.example.com/api/v4/projects/42/access_tokens/1337

curl --header "PRIVATE-TOKEN: $ADMIN" \
  -X POST https://gitlab.example.com/api/v4/projects/42/access_tokens \
  --data "name=deploy&scopes[]=read_registry&expires_at=$(date -d '+7 days' +%F)"

SSO session hygiene for runners

# On runners, wipe cached SSO artifacts/cookies after jobs
rm -rf ~/.config/gh ~/.git-credentials ~/.cache/* /tmp/*.cookie

Ops-ready checklists you can paste into Jira

Discovery & Hardening

  • Sweep edge address space; confirm Cisco device inventory
  • Lock mgmt plane (ACLs, HTTPS-only, SSH only from jump nets)
  • Snapshot configs & hashes

Patch, Reimage, Validate

  • Apply vendor fixes; reimage if directed
  • Run Core Dump & Hunt; keep artifacts & timestamps
  • Rebuild trust paths (SSO/VPN) and validate TLS pins
  • Rotate CI/CD tokens + deploy keys

CI/CD Controls

  • Restrict runner egress to allow-listed endpoints
  • mTLS to artifacts
  • Gate builds on KEV-flagged network CVEs until firmware_verified=true

Monitoring

  • Add detections for unusual mgmt traffic
  • Document exceptions with owners and expiry

(ED 25-03 details and Supplemental Direction published September 25, 2025.)


Sample scan report generated by our tool to check Website Vulnerability (blur/redact sensitive domains).

An example of a vulnerability assessment report generated using our free tool provides valuable insights into potential vulnerabilities.
