US Government Urgently Orders Federal Agencies to Patch Cisco Equipment Vulnerabilities

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on Thursday, September 25th, requiring all federal agencies to immediately inspect and patch critical vulnerabilities in Cisco equipment to prevent hackers from infiltrating government networks.

Affected products include certain models of the Cisco ASA 5500-X series and some Firepower versions. These perimeter firewalls typically run continuously for long periods, and many models are nearing or have already passed the end of their support period; failure to install patches or upgrades promptly leaves them easy targets for attack.

The two vulnerabilities highlighted by CISA are CVE-2025-20333 (which could lead to remote code execution) and CVE-2025-20362 (which could allow privilege escalation). The agency warned that these vulnerabilities pose “unacceptable risks” to U.S. government networks and must be patched immediately.

According to the directive, federal agencies are required to inventory all Cisco ASA and Firepower devices, assess them following the technical procedure provided by CISA, and submit the results to the CISA platform. If an intrusion is confirmed, the affected devices must be disconnected from the network immediately but must not be powered off, so that evidence can be collected and the compromise eradicated afterwards.

For older models that are out of support or nearing discontinuation, CISA mandates complete decommissioning by September 30th. Devices still under support must have Cisco’s latest updates installed by midnight Eastern Time on September 26th, and agencies must complete each subsequent upgrade within 48 hours of its release.

On the same day, Cisco published a blog post stating that the attacks on its equipment are “complex and highly sophisticated” and related to the cyber-espionage campaign “ArcaneDoor” exposed in 2024. The operation was tracked by the cybersecurity company Censys and was alleged to be linked to Chinese state-sponsored hacker groups.

According to a report published in April of last year by the U.S. magazine Wired, the operation dates back to late 2023 and primarily targeted government networks worldwide, and was regarded as a nation-state hacking campaign. The report cited sources indicating potential connections between the operation and Chinese national interests.

Cisco urges customers to assess risks following official guidelines and take immediate protective measures, emphasizing that “timely updates and detection” are key to mitigating threats.

According to Verizon’s annual Data Breach Investigations Report released in May of this year, the proportion of vulnerability-exploitation attacks targeting edge devices such as VPNs and routers rose from about 3% to 22% in 2024, indicating that they have become a major target for hackers.

In recent years, the U.S. government and technology companies have repeatedly accused Chinese state-supported hacker organizations of launching targeted attacks against government agencies, defense contractors, and telecommunications, energy, and other critical infrastructure.

In March of this year, the U.S. Department of Justice indicted 12 Chinese nationals for engaging in long-term cyber espionage activities, infiltrating and stealing data from U.S. government, technology companies, media, and foreign ministries, with some actions allegedly linked to the Chinese Ministry of Public Security or Ministry of State Security.

In July, U.S. prosecutors announced the arrest of Chinese hacker Xu Zewei, accusing him of participating in the “HAFNIUM” intrusion operation between 2020 and 2021, with links to an organization officially supported by the Chinese government.

(This article references reporting by Reuters)