The Cybersecurity and Infrastructure Security Agency on Thursday ordered U.S. government agencies to patch multiple vulnerabilities in Cisco networking products, saying an “advanced threat actor” was using them in a “widespread” campaign.
“This activity presents a significant risk to victim networks,” CISA said in an emergency directive that laid out a mandatory timeline for agencies to identify, analyze and patch vulnerable devices.
The hacking campaign — an extension of the sophisticated “ArcaneDoor” operation that Cisco first revealed in April 2024 — has compromised multiple federal agencies, two U.S. officials told Cybersecurity Dive. Both officials requested anonymity to discuss a sensitive and evolving investigation.
At least 10 organizations worldwide have been breached, said one U.S. official, although that number could increase. The official said there were still “a lot of unknowns” about the campaign.
A second U.S. official called the campaign “very sophisticated” and described the hackers’ malware as highly complex.
“CISA is deeply concerned about this activity,” the second official said. “If agencies don’t get on this right away, it could be bad for them.”
A CISA spokesperson did not immediately comment on the impact of the federal hacks.
Cisco firewalls at risk
The three vulnerabilities — two critical (CVE-2025-20333 and CVE-2025-20363) and one medium-severity (CVE-2025-20362) — affect two families of Cisco firewalls: Adaptive Security Appliance devices and Firepower Threat Defense devices running the ASA software.
Government agencies first contacted Cisco in May to request help investigating the intrusions, the company said on Thursday. “Attackers were observed to have exploited multiple zero-day vulnerabilities and employed advanced evasion techniques,” Cisco said, including tampering with a software program embedded in devices’ read-only memory “to allow for persistence across reboots and software upgrades.”
Cisco urged customers to upgrade their devices to new software versions that fix the flaws and wipe out the intruders’ footholds. It said it had evidence that the hackers had used two of the three vulnerabilities in the current campaign.
In its emergency directive, CISA highlighted the hackers’ worrisome ability to persist in read-only memory and said they had demonstrated that capability “at least as early as 2024.”
CISA gave agencies until the end of Friday to submit forensic images of vulnerable devices. After that, agencies must permanently disconnect Cisco ASA devices whose support ends on Sept. 30, update supported devices to new firmware by the end of Friday and report back to CISA before midnight on Oct. 3.
UK NCSC, CISA team up
The U.K. National Cyber Security Centre on Thursday also urged organizations to upgrade vulnerable devices and published an analysis of two pieces of malware used in the attacks.
CISA and the NCSC have “worked extremely closely” on the investigation, said the first U.S. official, who described the coordination as “the deepest technical collaboration I’ve ever seen with an international partner.” The U.S. learned about the intrusions “via industry and intelligence tips,” the official said, but NCSC employees had significant expertise with ArcaneDoor activity.
When Cisco first disclosed the ArcaneDoor campaign, it attributed the attacks to a threat actor that it dubbed UAT4356. “This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted,” the company said, “hallmarks of a sophisticated state-sponsored actor.”
The new campaign is consistent with the behavior of that threat actor, according to the first U.S. official.
In disclosing ArcaneDoor in 2024, Cisco said it had seen a “dramatic and sustained increase” in efforts to penetrate its products installed at the perimeters of critical infrastructure networks in sectors such as energy and telecommunications.
“As a critical path for data into and out of the network, these devices need to be routinely and promptly patched; using up-to-date hardware and software versions and configurations; and be closely monitored from a security perspective,” Cisco said. “Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications.”