According to GBHackers and CyberPress, threat actors are currently exploiting two n-day vulnerabilities—CVE-2025-20333 and CVE-2025-20362—in Cisco's Firepower eXtensible Operating System (FXOS). These flaws are being weaponized in active campaigns targeting organizations using Firepower devices, creating a direct channel for unauthorized network access.
Cisco's official recommendation is straightforward: reimage affected devices immediately. For non-lockdown Firepower Threat Defense (FTD) systems, the company advises killing the lina_cs process and reloading the device as an interim step. CISA's Emergency Directive ED 25-03 provides additional remediation protocols specifically designed for federal and enterprise environments—a signal that this threat extends across critical infrastructure sectors.
Why this matters: Firepower devices sit at the perimeter of enterprise networks, acting as the primary defense layer between external threats and internal systems. Successful exploitation grants adversaries a foothold inside the security boundary. Once inside, attackers can move laterally across internal networks, access sensitive data, or establish persistent presence for future operations. This is not a theoretical risk—active exploitation is already underway.
The n-day designation means these vulnerabilities are known but unpatched in deployed systems. Organizations running older Firepower versions or those with delayed patch cycles are at immediate risk. The longer these devices remain unpatched, the larger the window for compromise.
What to watch next: Monitor whether CISA updates ED 25-03 with elevated criticality or expanded scope. Track whether additional CVEs surface in Firepower FXOS or related Cisco products, which could suggest a broader vulnerability family. Watch for indicators of compromise (IOCs) specific to CVE-2025-20333 and CVE-2025-20362—if your organization can detect exploitation attempts, you'll have early warning of active targeting.
