The Cybersecurity and Infrastructure Security Agency’s Urgent Directive
On Thursday, the Cybersecurity and Infrastructure Security Agency (CISA) mandated that U.S. government entities address several vulnerabilities within Cisco networking products. This directive was issued amidst reports that an “advanced threat actor” was executing a “widespread” campaign exploiting these weaknesses.
According to CISA, “This activity presents a significant risk to victim networks,” as detailed in an emergency directive that stipulates a stringent timeline for agencies to identify, scrutinize, and rectify susceptible devices.
The hacking campaign is an extension of the intricate “ArcaneDoor” operation, which was first disclosed in April 2024. According to two anonymous U.S. officials involved in the ongoing investigation, this campaign has infiltrated numerous federal agencies.
One U.S. official indicated that at least ten organizations globally have been compromised, although this figure may rise as more information becomes available. The official noted that many facets of the campaign remain “unknown.”
A second U.S. official characterized the campaign as “very sophisticated,” emphasizing the complex nature of the hackers’ malware.
“CISA is deeply concerned about this activity,” stated the official, warning, “If agencies don’t act promptly, the consequences could be dire.”
A spokesperson for CISA did not immediately respond regarding the ramifications of the federal breaches.
Cisco Firewalls in Jeopardy
Three vulnerabilities are involved: two classified as critical (CVE-2025-20333 and CVE-2025-20363) and one of medium severity (CVE-2025-20362). They affect two families of Cisco firewalls: Adaptive Security Appliance (ASA) devices and Firepower Threat Defense devices running the ASA software.
Government agencies first reached out to Cisco in May for assistance in investigating the intrusions. As stated by Cisco, “Attackers were observed exploiting multiple zero-day vulnerabilities and employing advanced evasion techniques,” which included manipulating software embedded in devices’ read-only memory to ensure their persistence across reboots and software updates.
Cisco urged clients to upgrade to newer software versions that rectify the vulnerabilities and eliminate the intruders’ footholds. The company stated that evidence showed the hackers had exploited two of the three vulnerabilities in the current campaign.
In its emergency directive, CISA underscored the hackers’ alarming capability to persist in read-only memory, a skill demonstrated “at least as early as 2024.” CISA established a deadline for agencies to submit forensic images of affected devices by the end of Friday.
Following that, agencies must permanently disconnect Cisco ASA devices that reach end of support on September 30, update devices that remain supported to the new firmware by the end of Friday, and report back to CISA before midnight on October 3.
Collaborative Efforts Between UK NCSC and CISA
On Thursday, the U.K. National Cyber Security Centre (NCSC) also urged organizations to update vulnerable devices and published an analysis of two malware variants employed in these attacks.
CISA and NCSC have engaged in “extremely close” collaboration throughout the investigation, according to the first U.S. official, who described this coordination as “the deepest technical collaboration I’ve ever seen with an international partner.”
The intrusions were communicated to U.S. authorities through industry insights and intelligence tips, with NCSC employees bringing significant expertise regarding ArcaneDoor activities.
When it first attributed the ArcaneDoor campaign to a threat actor it refers to as UAT4356, Cisco noted, “This actor employed bespoke tooling that displayed a clear focus on espionage and an intimate understanding of the targeted devices,” reflecting the hallmarks of a sophisticated state-sponsored entity.
The nature of the new campaign aligns with the tactics of this threat actor, an observation confirmed by the first U.S. official.

In its 2024 disclosure of ArcaneDoor, Cisco revealed a “dramatic and sustained increase” in efforts to infiltrate its products installed at the peripheries of critical infrastructure sectors, such as energy and telecommunications.
“As a critical pathway for data flowing in and out of a network, these devices require regular and timely patches, use of modern hardware and software versions, and stringent security monitoring,” Cisco stated.
“Securing these devices allows an actor to pivot directly into an organization, reroute or modify traffic, and oversee network communications.”
Source link: Cybersecuritydive.com.