CISA alerts federal agencies of widespread attacks using Cisco zero-days
Federal cyber authorities sounded a rare alarm Thursday, issuing an emergency directive about an ongoing and widespread attack spree involving actively exploited zero-day vulnerabilities affecting Cisco firewalls.
Cisco said it began investigating attacks on multiple government agencies linked to the state-sponsored campaign in May. The vendor, which attributes the attacks to the same threat group behind an early 2024 campaign targeting Cisco devices it dubbed “ArcaneDoor,” said the new zero-days were exploited to “implant malware, execute commands, and potentially exfiltrate data from the compromised devices.”
Cisco disclosed three vulnerabilities affecting its Adaptive Security Appliances — CVE-2025-20333, CVE-2025-20363 and CVE-2025-20362 — but said “evidence collected strongly indicates CVE-2025-20333 and CVE-2025-20362 were used by the attacker in the current attack campaign.”
The Cybersecurity and Infrastructure Security Agency said those two zero-days pose an “unacceptable risk” to federal agencies and require immediate action.
Federal agencies are required to hunt for evidence of compromise, report findings and disconnect compromised devices by the end of Friday. Agencies running Cisco ASA firewalls are also required to apply Cisco’s patches or permanently disconnect end-of-life devices by the end of Friday.
“CISA is directing federal agencies to take immediate action due to the alarming ease with which a threat actor can exploit these vulnerabilities, maintain persistence on the device, and gain access to a victim’s network,” CISA Acting Director Madhu Gottumukkala said in a statement.
Cisco did not fully explain why it waited four months from its initial response to the attacks on federal agencies to disclose the malicious activity and patch the zero-day vulnerabilities.
The attackers “employed advanced evasion techniques such as disabling logging, intercepting command-line interface commands, and intentionally crashing devices to prevent diagnostic analysis. The complexity and sophistication of this incident required an extensive, multi-disciplinary response across Cisco’s engineering and security teams,” the company said.
CISA did not immediately respond to questions about why it waited four months to issue an emergency directive.
The agency described the campaign as widespread, resulting in remote-code execution and manipulation of read-only memory that persists through reboots and system upgrades. While CISA’s emergency directive only applies to federal agencies, the private sector often follows these urgent warnings closely.
“The same risks apply to any organizations using these devices. We strongly urge all entities to adopt the actions outlined in this emergency directive,” Gottumukkala said.
Cisco and CISA did not attribute the espionage attacks to a specific nation state, but Censys researchers previously said it found compelling evidence indicating a threat group based in China was behind the ArcaneDoor campaign last year. Censys noted it found evidence of multiple major Chinese networks and Chinese-developed anti-censorship software during its investigation into the early 2024 attacks.
The latest attacks initiated by the espionage group, tracked as UAT4356 by Cisco Talos and Storm-1849 by Microsoft Threat Intelligence, are a continuation or resurgence of that previous campaign involving new zero-days.
Cisco said remote attackers can “gain full control of an affected device” by chaining together the vulnerabilities, two of which are designated as critical.
When Storm-1849 was first identified in early 2024, the espionage group was targeting international entities, according to Sam Rubin, senior vice president of Palo Alto Networks’ Unit 42. Unit 42 also considers Storm-1849 to be affiliated with China.
“Over the past year, Unit 42 has observed them evolve their toolkit and in recent months their focus has shifted towards entities in the United States,” he said. “As we have seen before, now that patches are available, we can expect attacks to escalate as cybercriminal groups quickly figure out how to take advantage of these vulnerabilities.”
