CISA Issues Emergency Directive to Patch Cisco Firewall Vulnerabilities Exploited in Cyberattack Campaign
CISA issues emergency directive to patch critical Cisco firewall vulnerabilities exploited in ArcaneDoor cyber campaign, urging agencies and organizations worldwide to update ASA devices and strengthen network security against advanced zero-day attacks.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent order to US federal agencies to address major vulnerabilities in Cisco networking devices. According to CISA, an advanced threat actor has been aggressively exploiting these defects in what it calls a "widespread campaign," posing a considerable risk to victim networks.
This hacking incident is associated with ArcaneDoor, a sophisticated cyber operation that Cisco initially disclosed in April 2024. Officials in the United States revealed that many federal agencies have already been compromised, with at least ten organizations affected worldwide. Experts fear that the number may grow as investigations continue.
The security vulnerabilities affect two types of Cisco firewalls: Adaptive Security Appliance (ASA) devices and Firepower Threat Defense devices based on ASA software. There are three vulnerabilities in total: two critical (CVE-2025-20333 and CVE-2025-20363) and one medium-risk (CVE-2025-20362). Cisco revealed that hackers had already exploited at least two of those weaknesses using advanced zero-day attacks (which means the problem was unknown and had no fix when first exploited).
One of the most concerning findings is that hackers tampered with a software program embedded in the devices' read-only memory. This enabled them to go undetected even after reboots or software updates, which is a rare and advanced ability that makes the attack very dangerous.
CISA's emergency mandate establishes strict timeframes for agencies to safeguard their systems. Agencies must first identify and assess all vulnerable devices before submitting forensic images for additional inquiry. Supported devices must be updated with the most recent firmware immediately, and older Cisco ASA devices that are no longer supported must be permanently disconnected after September 30. Finally, agencies are required to report their progress to CISA by October 3. If these steps are not taken, networks may remain vulnerable to current intrusions and future exploitation.
Cisco has recommended that every user, including government institutions, upgrade to the fixed versions of ASA software. The company underlined that updates will eliminate the hackers' presence and protect devices from future threats. Meanwhile, the United Kingdom's National Cyber Security Centre (NCSC) has joined CISA in alerting organizations globally. NCSC also published a study of the malware employed in these attacks, demonstrating how advanced and persistent the threat is.
This campaign emphasizes how important network security has become. With attackers exploiting Cisco firewalls in such sophisticated ways, businesses must act immediately. Patching, upgrading firmware, and remaining vigilant against emerging threats remain the most effective defenses.
This article is based on information from Cybersecurity Dive