On September 25, 2025, US cybersecurity officials issued an emergency directive after discovering that hackers had compromised a federal agency using vulnerabilities in Cisco firewall devices.
The attackers used flaws that had not been publicly known at the time, allowing them to break into systems and remain hidden. These flaws were found in Cisco’s Adaptive Security Appliance (ASA) and Firepower devices, which are widely used across government networks.
The campaign is believed to be part of a broader effort linked to China.
It focused on older Cisco hardware that lacked key security protections, making it easier for the attackers to gain control and stay inside systems over time.
In response, the Cybersecurity and Infrastructure Security Agency (CISA) issued Directive 25-03, requiring federal agencies to act immediately to assess the damage and secure affected systems.
This is more than a one-time incident. It is a warning about the long-term risks of relying on outdated security equipment.
Why It Matters: Devices designed to protect government networks were used as a way in. This attack shows how advanced threats can take advantage of overlooked weaknesses in network infrastructure. It also highlights the risks of continuing to use hardware that no longer receives full support. A failure to act quickly could allow attackers to collect data or damage systems. The directive is a push to improve the overall health of federal cybersecurity systems.
- The Attackers Used Software Flaws to Take Control of Cisco Firewall Devices: Hackers found ways to run remote commands on Cisco ASA and Firepower appliances. They used at least two major vulnerabilities: one that allowed code to be run without logging in, and another that let them increase their level of access. In some cases, they were also able to change part of the devices’ firmware, which helped them stay hidden even after updates or restarts. This level of access made it very difficult for security teams to detect or remove the threat.
- The Campaign is Connected to a Known Hacking Group: The breach has been linked to a group that was also behind the ArcaneDoor attacks, which were disclosed in 2024. This group, tracked under names such as UAT4356 and Storm-1849, is believed to have ties to the Chinese government and has consistently focused on targeting government systems and infrastructure. Their techniques included turning off logging features to hide activity, intercepting administrator commands to stay in control of the device, and deliberately crashing systems to block forensic investigation.
- The Government Issued a Directive Requiring Immediate Action: Emergency Directive 25-03 outlines specific steps that federal agencies must take. All agencies are required to locate and assess their Cisco ASA and Firepower devices. If a device is found to be compromised, it must be disconnected but not turned off, so that investigation can continue. Agencies must apply software updates, remove unsupported devices from their networks, and provide a full report to the Cybersecurity and Infrastructure Security Agency (CISA) within a set deadline.
- Older Hardware was a Key Weakness in This Attack: Many of the affected devices were already outdated or close to reaching the end of their support lifecycle. These models did not include more modern protections such as Secure Boot or Trust Anchor, which help prevent unauthorized changes. Cisco has confirmed that only devices missing these protections were successfully attacked. Systems that still rely on unsupported hardware are being required to either upgrade or permanently disconnect.
- The Incident Fits Into a Larger Pattern of Cyber Activity: This is not an isolated event. Around the same time, a different group of suspected Chinese hackers was reported targeting US law firms and software providers. These intrusions involved the use of stealthy techniques to access internal systems and data. The British government also issued a warning about the Cisco-related campaign, stating that the tools used in the attack showed a significant advancement from those observed in previous incidents.
- Cisco Released Patches and Recovery Steps for Customers: In response to the breach, Cisco worked with government investigators and released updated software that fixes the known vulnerabilities. For devices that were compromised, Cisco recommends a full reset to factory settings after updating, along with replacing all passwords, encryption keys, and certificates. The company also published detailed steps to help customers detect signs of attack and confirm whether the firmware had been altered.
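To make the directive's triage rules concrete, here is an added Python example (not code from CISA, Cisco, or this article) that classifies a constructed firewall inventory into the actions the directive and Cisco's recovery guidance describe: isolate compromised devices without powering them off, reset and rotate credentials after updating, remove unsupported hardware, and patch the rest. The inventory fields, model placeholders, and action labels are assumptions.

```python
from dataclasses import dataclass
from collections import Counter

@dataclass(frozen=True)
class Device:
    hostname: str
    model: str
    supported: bool          # hardware still within the vendor's support lifecycle
    has_secure_boot: bool    # Secure Boot present (assumed inventory field)
    has_trust_anchor: bool   # Trust Anchor present (assumed inventory field)
    patched: bool            # running the vendor-fixed software release
    compromised: bool        # outcome of the agency's own forensic assessment

ISOLATE = "isolate: disconnect from the network, keep powered on for investigation"
RESET = "after update: factory reset, replace passwords, keys and certificates"
REMOVE = "remove: permanently disconnect unsupported hardware or upgrade it"
PATCH = "patch: apply the vendor software update"
REVIEW = "review: lacks Secure Boot/Trust Anchor, prioritise assessment"
OK = "ok: supported and patched, include in the report"

def triage(dev: Device) -> list[str]:
    """Return the actions that apply to one device, most urgent first."""
    actions = []
    if dev.compromised:
        actions += [ISOLATE, RESET]          # disconnect, do not power off
    if not dev.supported:
        actions.append(REMOVE)               # unsupported hardware leaves the network
    else:
        if not dev.patched:
            actions.append(PATCH)
        if not (dev.has_secure_boot and dev.has_trust_anchor):
            actions.append(REVIEW)           # the protections the attack bypassed
    return actions or [OK]

def report(devices):
    """Per-device actions plus a fleet-wide count for the report CISA requires."""
    per_device = {d.hostname: triage(d) for d in devices}
    counts = Counter(a.split(":")[0] for acts in per_device.values() for a in acts)
    return per_device, dict(counts)

# Constructed inventory; hostnames, model placeholders and states are made up.
INVENTORY = [
    Device("fw-edge-1", "asa-legacy-model", False, False, False, False, True),
    Device("fw-edge-2", "asa-legacy-model", False, False, False, True, False),
    Device("fw-dc-1", "firepower-model", True, True, True, False, False),
    Device("fw-dc-2", "firepower-model", True, True, True, True, False),
]

if __name__ == "__main__":
    per_device, counts = report(INVENTORY)
    for host, actions in per_device.items():
        print(host, "->", "; ".join(actions))
    print(counts)
```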
ED 25-03: Identify and Mitigate Potential Compromise of Cisco Devices – CISA
Cisco Event Response: Continued Attacks Against Cisco Firewalls – Cisco