Thousands of Cisco ASA Firewalls Still Unsecured Despite Federal Warnings

Despite repeated warnings from Cisco and multiple cybersecurity agencies, an estimated 48,000 Cisco Adaptive Security Appliances (ASA) and Firepower Threat Defense (FTD) devices remain exposed to active exploitation. Most are located in the U.S., followed by the U.K., Japan, Russia, Germany, and Canada, according to data from the Shadowserver Foundation, which continues to scan for vulnerable devices daily.

The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03 on September 25, 2025, citing evidence that an advanced threat actor is exploiting zero-day vulnerabilities in Cisco ASA appliances. The directive requires federal civilian agencies, and strongly advises all other organizations, to identify affected devices, collect forensic data before touching them, and upgrade to fixed releases immediately.

Background: Attacks Began Months Before Public Disclosure

In May 2025, Cisco was enlisted by government cybersecurity agencies to investigate targeted attacks against networks using Cisco ASA 5500-X Series devices.

Cisco confirmed that attackers had exploited multiple zero-day vulnerabilities, using advanced evasion tactics such as disabling logging, intercepting CLI commands, and intentionally crashing devices to obstruct forensic analysis. The methods and malware observed matched those seen in the ArcaneDoor campaign, believed to involve a state-sponsored threat actor.
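Two of the evasion tactics above, disabling logging and silencing a device by crashing it, leave a footprint in the syslog stream the appliance was sending before the attacker acted. The script below is an added illustration (not a Cisco or CISA tool, and not code from the original article) of how a detection engineer would hunt for them on a log collector: it flags CLI audit messages in which someone turns logging off or alters the logging configuration, and per-device gaps in the stream longer than a threshold. The input lines are constructed samples in a generic "timestamp host message" layout; the %ASA-5-111008 and %ASA-5-111010 "user executed command" message formats follow Cisco's syslog documentation, but verify the exact text against your own release, and treat the 60-minute gap threshold as an assumed value to tune per device.

```python
"""Hunt for logging-disabled and device-silent signals in ASA syslog.

Added example; not an official Cisco or CISA tool. The sample lines are
constructed for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: asa-edge-1 has logging switched off at 10:01, goes quiet
# for two and a half hours, then has a logging host reconfigured; asa-edge-2
# chatters normally every 30 minutes and should produce no findings.
SAMPLE_LOGS = """\
2025-09-20T10:00:00Z asa-edge-1 %ASA-6-302013: Built inbound TCP connection 1234 for outside:203.0.113.5/51234 (203.0.113.5/51234) to inside:10.0.0.5/443 (10.0.0.5/443)
2025-09-20T10:00:30Z asa-edge-1 %ASA-6-302014: Teardown TCP connection 1234 for outside:203.0.113.5/51234 to inside:10.0.0.5/443 duration 0:00:30 bytes 2048 TCP FINs
2025-09-20T10:01:00Z asa-edge-1 %ASA-5-111008: User 'admin' executed the 'no logging enable' command.
2025-09-20T10:01:00Z asa-edge-2 %ASA-6-302013: Built inbound TCP connection 9 for outside:198.51.100.7/4000 (198.51.100.7/4000) to inside:10.0.0.9/443 (10.0.0.9/443)
2025-09-20T10:31:00Z asa-edge-2 %ASA-6-302014: Teardown TCP connection 9 for outside:198.51.100.7/4000 to inside:10.0.0.9/443 duration 0:30:00 bytes 900 TCP FINs
2025-09-20T11:01:00Z asa-edge-2 %ASA-6-302013: Built inbound TCP connection 10 for outside:198.51.100.8/4001 (198.51.100.8/4001) to inside:10.0.0.9/443 (10.0.0.9/443)
2025-09-20T11:31:00Z asa-edge-2 %ASA-6-302014: Teardown TCP connection 10 for outside:198.51.100.8/4001 to inside:10.0.0.9/443 duration 0:30:00 bytes 700 TCP FINs
2025-09-20T12:01:00Z asa-edge-2 %ASA-6-302013: Built inbound TCP connection 11 for outside:198.51.100.9/4002 (198.51.100.9/4002) to inside:10.0.0.9/443 (10.0.0.9/443)
2025-09-20T12:31:00Z asa-edge-2 %ASA-6-302014: Teardown TCP connection 11 for outside:198.51.100.9/4002 to inside:10.0.0.9/443 duration 0:30:00 bytes 800 TCP FINs
2025-09-20T12:31:00Z asa-edge-1 %ASA-5-111010: User 'admin', running 'CLI' from IP 10.0.0.2, executed 'logging host inside 10.0.0.50'
"""

# "<ISO timestamp> <device> %ASA-<severity>-<id>: <text>" as a collector stores it.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<device>\S+)\s+%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)$"
)
# 111008: User 'NAME' executed the 'CMD' command.
CMD_111008_RE = re.compile(r"User '(?P<user>[^']+)' executed the '(?P<cmd>.*)' command\.?$")
# 111010: User 'NAME', running 'APP' from IP ADDR, executed 'CMD'
CMD_111010_RE = re.compile(r"User '(?P<user>[^']+)',.*executed '(?P<cmd>.*)'$")
# Commands that switch logging off or wipe it, as opposed to merely changing it.
DISABLE_RE = re.compile(r"^(no logging|clear logging|logging .*\bdisable)\b", re.I)


def parse_line(line):
    """Parse one collector line into a dict, or None if it is not an ASA message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "device": m["device"],
        "msgid": m["msgid"],
        "text": m["text"],
    }


def extract_command(event):
    """Return (user, command) for the CLI audit message IDs, else None."""
    if event["msgid"] == "111008":
        m = CMD_111008_RE.match(event["text"])
    elif event["msgid"] == "111010":
        m = CMD_111010_RE.match(event["text"])
    else:
        return None
    return (m["user"], m["cmd"].strip()) if m else None


def find_logging_changes(events):
    """Flag CLI commands that disable logging (high) or alter it (review)."""
    findings = []
    for ev in events:
        parsed = extract_command(ev)
        if not parsed:
            continue
        user, cmd = parsed
        if DISABLE_RE.match(cmd):
            kind = "LOGGING_DISABLED"
        elif cmd.lower().startswith("logging"):
            kind = "LOGGING_CONFIG_CHANGE"
        else:
            continue
        findings.append({"ts": ev["ts"], "device": ev["device"], "kind": kind,
                         "detail": f"{user} ran: {cmd}"})
    return findings


def find_silent_gaps(events, max_gap=timedelta(minutes=60)):
    """Flag any device whose consecutive messages are more than max_gap apart.

    A busy edge firewall that stops talking is either logging-disabled or down
    (for example crashed), both of which the campaign used to hide activity.
    """
    by_device = defaultdict(list)
    for ev in events:
        by_device[ev["device"]].append(ev["ts"])
    findings = []
    for device, stamps in by_device.items():
        stamps.sort()
        for prev, cur in zip(stamps, stamps[1:]):
            if cur - prev > max_gap:
                findings.append({"ts": prev, "device": device, "kind": "SILENT_GAP",
                                 "detail": f"no messages for {cur - prev} (until {cur:%H:%M})"})
    return findings


def analyze(text, max_gap=timedelta(minutes=60)):
    """Run both detections over raw collector text; returns findings in time order."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    findings = find_logging_changes(events) + find_silent_gaps(events, max_gap)
    return sorted(findings, key=lambda f: (f["ts"], f["device"]))


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"{f['ts']:%Y-%m-%d %H:%M} {f['device']:<10} {f['kind']:<22} {f['detail']}")
```

On the sample data only asa-edge-1 produces findings: the logging-off command, the 2 hour 30 minute silence that follows it, and the later logging-host change. In production, baseline the gap threshold per device from its normal message rate, and remember that these signals only work if logs were already being shipped off-box; an actor who disables logging first leaves nothing on the appliance itself, which is exactly why the directive asks for forensic collection before any remediation.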

Weeks before the public disclosure, researchers at GreyNoise observed a surge in scanning activity targeting Cisco ASA login portals, Telnet/SSH services, and ASA software components—an early sign that attackers were actively hunting for exploitable systems. It remains unclear whether the same actor was responsible for those scans.

Federal Emergency Directive Details

CISA’s Emergency Directive 25-03 requires all Federal Civilian Executive Branch agencies to:

  • Identify all in-scope devices and collect forensic data.

  • Assess systems for compromise using CISA-provided tools.

  • Disconnect unsupported devices.

  • Upgrade remaining systems by 11:59 PM EST, September 26, 2025.

“Due to the alarming ease with which attackers can exploit these vulnerabilities and persist in networks, we’re directing immediate action,” said CISA Acting Director Madhu Gottumukkala. “The same risks apply to any organization using these devices.”

Ongoing Exploitation and Suspected State Actor

Officials have not publicly named the perpetrators, but researchers at Palo Alto Networks’ Unit 42 believe the hackers are state-backed and based in China.

“Now that patches are available, we can expect attacks to escalate as cybercriminal groups quickly move to exploit these vulnerabilities,” warned Sam Rubin, Senior Vice President at Unit 42.

Cisco said it uncovered three additional vulnerabilities during its May investigation with federal partners. The company is urging all customers to update immediately, replace end-of-support hardware, and reset passwords, certificates, and keys following upgrades.

The U.K. government has also issued a related alert, calling the malware used in the attacks a “significant evolution” of previous tools.

A Broader Cyber Threat Landscape

This campaign adds to a string of recent cyber incidents attributed to suspected Chinese actors, including breaches of U.S. software developers and law firms. Experts warn that recovery and remediation could take months as organizations work to identify compromised systems.