US Government Hacked: Cisco Firewall Devices Compromised in Widespread Breach

Thursday, Sep 25, 2025 9:42 pm ET

Hackers have breached firewall devices in the US federal government, compromising Cisco Systems Inc. devices. CISA issued an emergency directive requiring federal agencies to address the vulnerabilities and mitigate potential breaches. The hackers behind the campaign, dubbed ArcaneDoor, have been seen running cyber-espionage operations since 2024 and have shifted their focus toward entities in the US. CISA believes the attacks affect critical infrastructure in the US, but declined to name specific victims.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive, ordering U.S. federal agencies to patch multiple vulnerabilities in Cisco networking products. The directive, issued on Thursday, aims to mitigate a significant cybersecurity risk posed by an ongoing campaign that has compromised multiple federal agencies and businesses. The campaign, dubbed "ArcaneDoor," is believed to be orchestrated by a sophisticated threat actor, with at least 10 organizations worldwide affected[1].

The directive mandates that federal agencies identify, analyze, and patch vulnerable devices by the end of Friday. It also requires agencies to submit forensic images of vulnerable devices and permanently disconnect unsupported Cisco ASA devices by the end of Friday. Agencies must update supported devices to new firmware and report back to CISA by midnight on October 3[1].

The vulnerabilities affect two families of Cisco firewalls: Adaptive Security Appliance devices and Firepower Threat Defense devices running the ASA software. Cisco has identified three vulnerabilities, two of which are critical (CVE-2025-20333 and CVE-2025-20363) and one medium-severity (CVE-2025-20362)[1].

The U.S. government first contacted Cisco in May to request help investigating the intrusions. Cisco reported that attackers exploited multiple zero-day vulnerabilities and employed advanced evasion techniques, including tampering with software programs embedded in devices' read-only memory to allow persistence across reboots and software upgrades[1].

CISA and the U.K. National Cyber Security Centre (NCSC) have worked closely on the investigation, with the U.S. learning about the intrusions through industry and intelligence tips. The NCSC has also published an analysis of two pieces of malware used in the attacks[1].

The ArcaneDoor campaign is consistent with the behavior of a threat actor dubbed UAT4356, which Cisco first disclosed in April 2024. The campaign's focus on espionage and deep knowledge of the targeted devices suggests a state-sponsored actor. Cisco has seen a dramatic increase in efforts to penetrate its products installed at the perimeters of critical infrastructure networks, particularly in sectors such as energy and telecommunications[1].

CISA's emergency directive underscores the importance of routine and prompt patching of critical devices, using up-to-date hardware and software versions, and closely monitoring network communications. Failure to address these vulnerabilities could lead to further breaches and potential damage to critical infrastructure[1].
