Exploitation of Cisco ASA Firewall Vulnerabilities Leading to Federal Agency Breach and Senate Scrutiny
US Senator Bill Cassidy has demanded answers from Cisco regarding critical vulnerabilities in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices, specifically CVE-2025-20333 and CVE-2025-20362, which have been actively exploited by threat actors. The senator's letter to Cisco CEO Chuck Robbins follows reports that at least one federal agency was breached as a direct result of these flaws, though Cisco has not publicly confirmed the breach. The vulnerabilities prompted the Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency directive, requiring all federal civilian agencies to identify affected devices, review logs for signs of compromise, and apply Cisco's patches within 24 hours. Devices that had reached end of support were ordered to be removed from service entirely. Cisco acknowledged that exploitation of these vulnerabilities had been ongoing since at least May, when government incident responders involved Cisco in investigations of compromised ASA 5500-X firewalls. Attackers were observed deploying implants, executing commands, and exfiltrating data from affected systems well before the vulnerabilities were publicly disclosed. The exploitation campaign, known as ArcaneDoor, was attributed by Cisco to a Chinese-linked threat group identified as UAT4356, which has targeted government systems globally since November 2023. Senator Cassidy's letter raises concerns about Cisco's transparency regarding the impact of these vulnerabilities on both government and private sector customers. He questioned whether Cisco has identified specific threats to its customers, how it communicates security issues, and whether CISA's guidance to federal agencies is also being provided to private organizations. The senator emphasized the critical role Cisco plays in national infrastructure, noting that vulnerabilities in its products could jeopardize access to essential services for millions of Americans. Cisco has not responded to media requests for comment on the senator's inquiries or the reported breach. The emergency directive from CISA underscores the severity of the risk, highlighting the widespread use of ASA appliances in both government and large enterprise environments. The incident has drawn attention to the need for rapid patching and clear communication from vendors when critical vulnerabilities are discovered. Security agencies in both the US and UK have issued urgent advisories, warning of active exploitation and the necessity for immediate remediation. The ongoing investigation seeks to determine the full scope of the compromise and whether additional agencies or organizations have been affected. The situation has reignited debate over the security of widely deployed network infrastructure and the responsibilities of vendors in managing and disclosing vulnerabilities. The case also illustrates the persistent threat posed by sophisticated state-linked actors targeting critical government systems. As the response continues, both public and private sector organizations are urged to review their exposure and ensure all relevant patches are applied without delay.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Sen. Bill Cassidy demands answers from Cisco on flaw impacts
U.S. Senator Bill Cassidy sent a letter to Cisco CEO Chuck Robbins seeking details on the business and government impact of the severe firewall vulnerabilities, Cisco's customer communications, and its response actions. He set an October 27 deadline for Cisco to answer his questions.
CISA orders emergency mitigation for Cisco firewall flaws
After the vulnerabilities came to light, CISA issued an emergency directive requiring federal agencies to rapidly patch affected Cisco devices and remove unsupported systems. The directive reflected concern that the flaws were being actively exploited.
Attackers exploit Cisco ASA and FTD flaws in the wild
Cisco acknowledged that CVE-2025-20333 and CVE-2025-20362 had been exploited since at least May 2024 against Adaptive Security Appliance and Firepower Threat Defense devices. The exploitation allegedly enabled breaches including at least one U.S. federal agency.
ArcaneDoor campaign begins targeting perimeter network devices
Cisco said the ArcaneDoor espionage campaign began targeting perimeter network devices globally in November 2023. The activity was later linked to the Chinese-affiliated group UAT4356.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Senator presses Cisco over firewall flaws that burned US agency
go.theregister.com
Open sourceCisco urged to clarify cybersecurity flaws’ business impact
scworld.com
Open sourceCisco must share more information about effects of severe bugs on businesses, senator says
therecord.media
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Cisco ASA Zero-Days in ArcaneDoor Trigger U.S. Government Scrutiny
Cisco is facing U.S. government scrutiny after critical zero-day flaws in **ASA** and **Firepower Threat Defense** devices were tied to the **ArcaneDoor** espionage campaign and deemed an unacceptable risk to federal networks. CISA and the U.K. National Cyber Security Centre linked the activity to `CVE-2025-20333` and `CVE-2025-20362`, while earlier federal action had already added related Cisco flaws `CVE-2024-20353` and `CVE-2024-20359` to the Known Exploited Vulnerabilities catalog after active exploitation. Cisco said the campaign targeted a small set of customers, using the **Line Runner** and **Line Dancer** backdoors for reconnaissance, configuration changes, traffic capture, exfiltration, and possible lateral movement; external reporting and infrastructure analysis pointed to a likely China-aligned espionage actor, and internet scans suggested tens of thousands of Cisco firewall devices were exposed. The incident has drawn political attention in Washington, with Sen. Bill Cassidy seeking answers from Cisco on customer impact, breach notifications, and communications with federal agencies after reports that at least one federal agency may have been compromised. The response echoes earlier federal emergency actions over perimeter-device exploitation, including the 2021 campaign in which suspected Chinese hackers used **Pulse Secure** VPN vulnerabilities to breach multiple U.S. agencies, critical infrastructure entities, and private-sector organizations, deploying webshells and bypassing passwords and multifactor authentication. Together, the cases underscore continuing risk from internet-facing security appliances that can provide long-term access for state-backed espionage when zero-days remain unpatched.
May 25, 2026
Federal Agencies Face Ongoing Risk from Unpatched Cisco ASA and Firepower Vulnerabilities
CISA has issued updated implementation guidance for Emergency Directive 25-03, highlighting that federal agencies are not fully patching critical vulnerabilities in Cisco Adaptive Security Appliances (ASA) and Firepower devices. Despite previous directives, CISA identified that some agencies reported devices as patched when, in fact, they were still running vulnerable software versions. The vulnerabilities, CVE-2025-20333 and CVE-2025-20362, continue to be actively exploited by advanced threat actors, prompting CISA to urge immediate corrective action and recommend the use of tools like RayDetect to check for evidence of compromise. The ongoing exploitation campaign has targeted federal civilian agencies since September, with CISA warning that incomplete patching leaves organizations exposed to significant risk. Agencies are directed to verify software versions, apply the minimum required updates, and follow additional mitigation steps if updates were applied after September 26, 2025. CISA has not confirmed whether any agencies have been breached but emphasizes the need for strict compliance to prevent further compromise. All organizations using Cisco ASA and Firepower devices are strongly encouraged to review and implement the latest guidance to mitigate ongoing threats.
Mar 21, 2026
Critical Remote Code Execution and Authorization Bypass Vulnerabilities in Cisco ASA and FTD WebVPN
Multiple critical vulnerabilities have been discovered in the Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) WebVPN components, which are being actively exploited in the wild. The vulnerabilities, identified as CVE-2025-20362, CVE-2025-20333, and CVE-2025-20363, allow attackers to bypass authentication and achieve remote code execution (RCE) as root on affected devices. CVE-2025-20362 is an unauthenticated authorization bypass that enables attackers to access restricted endpoints without valid credentials, serving as a key component in exploit chains. When combined with CVE-2025-20333, attackers can send malicious HTTPS requests to execute arbitrary code as root, even without prior authentication. CVE-2025-20363 is a related flaw that also enables unauthenticated RCE on ASA/FTD devices and authenticated RCE on some Cisco IOS components. These vulnerabilities affect Cisco ASA versions 9.16 through 9.23 and Cisco FTD versions 7.0 through 7.7, with specific software images requiring validation against Cisco advisories. Cisco and CISA have confirmed active exploitation and widespread scanning for these vulnerabilities, prompting CISA to issue Emergency Directive 25-03 on September 25, 2025, mandating immediate action by federal agencies. The threat actor responsible for these attacks is attributed to the same group behind the ArcaneDoor (UAT4356) state-sponsored espionage campaign first observed in 2024. Organizations are urged to patch or upgrade to Cisco’s fixed releases without delay, and to restrict or disable vulnerable devices if immediate upgrades are not possible. Compromised devices should be isolated and thoroughly investigated for signs of threat actor presence. Cisco has provided detailed guidance for detection, and CISA’s Malware Next Generation tool can be used to hunt for indicators of compromise. Security researchers, including Rapid7, have published technical analyses and exploit chains demonstrating the severity and ease of exploitation. The vulnerabilities are considered highly critical due to their unauthenticated nature and the potential for full device compromise, which could lead to further lateral movement within affected networks. The rapid response from both Cisco and CISA underscores the urgency and scale of the threat. Organizations using Cisco ASA or FTD devices should assume exposure if running affected versions and prioritize remediation. The vulnerabilities highlight the ongoing targeting of network edge devices by sophisticated threat actors, particularly those engaged in espionage. Failure to address these vulnerabilities could result in significant operational disruption and data compromise. The security community continues to monitor for new exploitation techniques and advises ongoing vigilance. The release of proof-of-concept code and active scanning increases the risk of opportunistic attacks by additional threat actors. Timely patching and adherence to Cisco and CISA recommendations are essential to mitigate risk from these critical vulnerabilities.
Mar 21, 2026