Federal agencies not fully patching vulnerable Cisco devices amid ‘active exploitation,’ CISA warns
Federal civilian agencies are not patching vulnerable Cisco devices sufficiently to protect themselves from an exploitation campaign that began in September, the Cybersecurity and Infrastructure Security Agency (CISA) warned Wednesday.
The agency issued an emergency directive in September about two bugs affecting Cisco firewall products that were being exploited by “an advanced threat actor.”
Federal civilian agencies were ordered to report back to CISA about their efforts to mitigate the two vulnerabilities impacting Cisco Adaptive Security Appliances.
On Wednesday, CISA said it has analyzed the data reported by agencies and has “identified devices marked as ‘patched’ in the reporting template, but which were updated to a version of the software that is still vulnerable to the threat activity outlined in the [emergency directive].”
“CISA is tracking active exploitation of these vulnerable versions in [Federal Civilian Executive Branch] agencies,” the directive said.
CISA provided a detailed list of devices and versions that either have to be updated or switched out for new models. The document covers the minimum software versions that address the vulnerabilities and directs federal agencies to “conduct corrective patching measures on devices that are not compliant with these requirements.”
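The failure CISA describes, devices reported as “patched” but running a release below the minimum fixed version for their software train, is easy to catch with a re-check of the reporting template. The script below is an added example, not CISA's or Cisco's code; the per-train minimum versions and the report rows in it are constructed placeholders (the page does not list CISA's actual minimums), so substitute the versions from the CISA document before using it.

```python
import re

# Hypothetical minimum fixed release per ASA software train, keyed by (major, minor).
# Constructed placeholders only: replace with the minimums CISA published.
MINIMUM_FIXED = {
    (9, 16): (9, 16, 4, 85),
    (9, 18): (9, 18, 4, 67),
    (9, 20): (9, 20, 4, 10),
}

# Constructed sample rows in the shape of a reporting template; not real agency data.
SAMPLE_REPORT = [
    {"device": "asa-edge-01", "version": "9.18(4)67", "status": "patched"},
    {"device": "asa-edge-02", "version": "9.18(4)52", "status": "patched"},  # upgraded, still below minimum
    {"device": "asa-vpn-03", "version": "9.12(4)65", "status": "patched"},  # train with no fixed release
    {"device": "asa-lab-04", "version": "9.20(4)10", "status": "patched"},
]

def parse_asa_version(text: str) -> tuple:
    """Turn an ASA version such as '9.18(4)67' or '9.18.4.67' into a comparable numeric tuple."""
    nums = tuple(int(n) for n in re.findall(r"\d+", text))
    if len(nums) < 2:
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    return nums

def is_compliant(version: str) -> tuple:
    """Return (compliant, reason) for one installed version against its train's minimum."""
    v = parse_asa_version(version)
    minimum = MINIMUM_FIXED.get(v[:2])
    if minimum is None:
        return False, f"train {v[0]}.{v[1]} has no fixed release: upgrade train or replace device"
    # Pad short strings with zeros so '9.18(4)' sorts below '9.18(4)67' instead of raising.
    padded = v + (0,) * (len(minimum) - len(v))
    if padded >= minimum:
        return True, "at or above minimum fixed release"
    return False, "below minimum fixed release " + ".".join(map(str, minimum))

def audit(report: list) -> list:
    """List every device reported as 'patched' whose installed version is still non-compliant."""
    findings = []
    for row in report:
        ok, reason = is_compliant(row["version"])
        if row["status"] == "patched" and not ok:
            findings.append({"device": row["device"], "version": row["version"], "reason": reason})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_REPORT):
        print(f"{f['device']} ({f['version']}): {f['reason']}")
```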
Any agency that has not already updated to the necessary software version or devices will need to follow new guidance to address “new threat activity.”
CISA did not respond to requests for comment about whether there are federal agencies that have already been breached.
The release from CISA comes a week after Recorded Future News exclusively reported that Chinese hackers spent much of October scanning for and exploiting the bugs — CVE-2025-30333 and CVE-2025-20362 — at U.S. financial institutions, defense contractors and military organizations.
Incident responders from Palo Alto Networks’ Unit 42 saw scanning and exploitation activity targeting 12 IP addresses used by federal agencies and 11 IP addresses at the local and state government level.
Government IP addresses in India, Nigeria, Japan, Norway, France, the U.K., the Netherlands, Spain, Australia, Poland, Austria, UAE, Azerbaijan and Bhutan were also targeted.
Unit 42 attributed the targeting of Cisco ASA devices to Storm-1849 — a China-based threat group that Cisco previously said has been attacking the tools since 2024.
The Cisco devices are used widely by governments and large businesses to consolidate several security tasks into a single appliance. In addition to acting as firewalls, the appliances also prevent some intrusions, handle spam, conduct antivirus checks and more.
CISA has not attributed the exploitation of the bugs to a threat actor but said it is linked to the same nation-state hackers behind the ArcaneDoor campaign discovered last year. Researchers and journalists reported previously that the ArcaneDoor campaign was conducted by government hackers based in China.
Agencies were given just one day to apply the patches and CISA stressed that threat actors were exploiting the bugs with “alarming ease.” Cisco said in its report on the campaign that it worked with multiple government agencies in May 2025 to investigate attacks targeting the ASA 5500-X Series devices running Cisco Secure Firewall ASA Software with VPN web services.
The advisory released by CISA on Wednesday confirmed that hackers have continued to target the devices since its September directive.
“By following these best practices, organizations can better protect themselves from potential threats and ensure the integrity of their digital infrastructure,” said Nick Andersen, executive assistant director for the cybersecurity division at CISA. “The release of this implementation guidance is a critical step in mitigating the risks posed by these vulnerabilities.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.