Cisco ASA Zero-Days in ArcaneDoor Trigger U.S. Government Scrutiny
Cisco is facing U.S. government scrutiny after critical zero-day flaws in ASA and Firepower Threat Defense devices were tied to the ArcaneDoor espionage campaign and deemed an unacceptable risk to federal networks. CISA and the U.K. National Cyber Security Centre linked the activity to CVE-2025-20333 and CVE-2025-20362, while earlier federal action had already added related Cisco flaws CVE-2024-20353 and CVE-2024-20359 to the Known Exploited Vulnerabilities catalog after active exploitation. Cisco said the campaign targeted a small set of customers, using the Line Runner and Line Dancer backdoors for reconnaissance, configuration changes, traffic capture, exfiltration, and possible lateral movement; external reporting and infrastructure analysis pointed to a likely China-aligned espionage actor, and internet scans suggested tens of thousands of Cisco firewall devices were exposed.
The incident has drawn political attention in Washington, with Sen. Bill Cassidy seeking answers from Cisco on customer impact, breach notifications, and communications with federal agencies after reports that at least one federal agency may have been compromised. The response echoes earlier federal emergency actions over perimeter-device exploitation, including the 2021 campaign in which suspected Chinese hackers used Pulse Secure VPN vulnerabilities to breach multiple U.S. agencies, critical infrastructure entities, and private-sector organizations, deploying webshells and bypassing passwords and multifactor authentication. Together, the cases underscore continuing risk from internet-facing security appliances that can provide long-term access for state-backed espionage when zero-days remain unpatched.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
Sen. Cassidy seeks answers from Cisco over firewall flaws
On or before 2026-05-12, Senator Bill Cassidy sent a letter to Cisco CEO Chuck Robbins requesting details on customer impact, breach notifications, and Cisco's communications with federal agencies regarding the exploited firewall vulnerabilities. The letter reflected growing U.S. government scrutiny of Cisco's handling of the issue.
Reports indicate possible federal compromise in ArcaneDoor
By 2026-05-12, reports indicated that at least one U.S. federal agency may have been compromised in connection with the ArcaneDoor campaign exploiting Cisco firewall vulnerabilities. The development escalated concern over the impact on government networks.
CISA says Cisco zero-days pose unacceptable federal risk
By 2026-05-12, CISA had warned that critical zero-day vulnerabilities in Cisco ASA and Firepower Threat Defense devices, identified as CVE-2025-20333 and CVE-2025-20362, posed an unacceptable risk to federal systems. CISA and the U.K. National Cyber Security Centre linked the flaws to the ArcaneDoor campaign.
Cisco publicly links ASA/FTD exploitation to ArcaneDoor
By 2024-04-24, Cisco had disclosed that the two ASA and Firepower Threat Defense vulnerabilities were being exploited in the ArcaneDoor espionage campaign, tracked by multiple vendors under different names. Cisco said the attackers deployed the Line Runner and Line Dancer backdoors against a small number of customers.
CISA adds Cisco and CrushFTP flaws to KEV catalog
On 2024-04-24, CISA added Cisco ASA/FTD flaws CVE-2024-20353 and CVE-2024-20359 and CrushFTP flaw CVE-2024-4040 to its Known Exploited Vulnerabilities catalog. The agency ordered U.S. federal civilian agencies to patch them by May 1 due to active exploitation.
ArcaneDoor espionage campaign targets Cisco devices
Attackers exploited Cisco ASA and Firepower Threat Defense vulnerabilities CVE-2024-20353 and CVE-2024-20359 in a state-sponsored espionage campaign against a small set of customers. Cisco said the main malicious activity occurred between December 2023 and early January 2024 and involved reconnaissance, configuration changes, traffic capture, exfiltration, and possible lateral movement.
CISA orders federal agencies to mitigate Pulse Secure risk
On 2021-04-20, CISA issued an alert and emergency directive requiring federal civilian agencies to identify affected Pulse Secure products, run integrity checks, apply mitigations and updates, and report results by April 23. Ivanti said a patch for the newly discovered flaw was expected in early May.
U.S. discloses broad Pulse Secure compromises
On 2021-04-20, U.S. authorities disclosed that multiple federal agencies, critical infrastructure entities, and private organizations had been breached through Pulse Secure vulnerabilities. FireEye Mandiant said suspected China-linked actors were involved, though attribution remained preliminary.
Attackers begin exploiting Pulse Secure VPN flaws
Threat actors began exploiting vulnerabilities in Pulse Connect Secure appliances by June 2020 or earlier, with some reporting indicating activity as early as August 2020. The intrusions enabled deployment of webshells and theft of credentials and other sensitive data from government and private-sector targets.
Cisco ArcaneDoor testing activity starts
Cisco said the espionage campaign later tracked as ArcaneDoor showed testing activity against ASA and Firepower Threat Defense devices beginning in July 2023. This preceded the main operational phase of the campaign.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Cisco faces heat from U.S. government in bad week for cybersecurity - SDxCentral
sdxcentral.com
Open sourceCISA: Cisco and CrushFTP vulnerabilities are being actively exploited | The Record from Recorded Future News
therecord.media
Open sourceMultiple agencies breached by hackers using Pulse Secure vulnerabilities
thehill.com
Open sourcePulse Secure: Suspected Chinese hackers exploited VPN to compromise ‘dozens’ of agencies and companies in US and Europe | CNN Politics
cnn.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Exploitation of Cisco ASA Firewall Vulnerabilities Leading to Federal Agency Breach and Senate Scrutiny
US Senator Bill Cassidy has demanded answers from Cisco regarding critical vulnerabilities in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices, specifically CVE-2025-20333 and CVE-2025-20362, which have been actively exploited by threat actors. The senator's letter to Cisco CEO Chuck Robbins follows reports that at least one federal agency was breached as a direct result of these flaws, though Cisco has not publicly confirmed the breach. The vulnerabilities prompted the Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency directive, requiring all federal civilian agencies to identify affected devices, review logs for signs of compromise, and apply Cisco's patches within 24 hours. Devices that had reached end of support were ordered to be removed from service entirely. Cisco acknowledged that exploitation of these vulnerabilities had been ongoing since at least May, when government incident responders involved Cisco in investigations of compromised ASA 5500-X firewalls. Attackers were observed deploying implants, executing commands, and exfiltrating data from affected systems well before the vulnerabilities were publicly disclosed. The exploitation campaign, known as ArcaneDoor, was attributed by Cisco to a Chinese-linked threat group identified as UAT4356, which has targeted government systems globally since November 2023. Senator Cassidy's letter raises concerns about Cisco's transparency regarding the impact of these vulnerabilities on both government and private sector customers. He questioned whether Cisco has identified specific threats to its customers, how it communicates security issues, and whether CISA's guidance to federal agencies is also being provided to private organizations. The senator emphasized the critical role Cisco plays in national infrastructure, noting that vulnerabilities in its products could jeopardize access to essential services for millions of Americans. Cisco has not responded to media requests for comment on the senator's inquiries or the reported breach. The emergency directive from CISA underscores the severity of the risk, highlighting the widespread use of ASA appliances in both government and large enterprise environments. The incident has drawn attention to the need for rapid patching and clear communication from vendors when critical vulnerabilities are discovered. Security agencies in both the US and UK have issued urgent advisories, warning of active exploitation and the necessity for immediate remediation. The ongoing investigation seeks to determine the full scope of the compromise and whether additional agencies or organizations have been affected. The situation has reignited debate over the security of widely deployed network infrastructure and the responsibilities of vendors in managing and disclosing vulnerabilities. The case also illustrates the persistent threat posed by sophisticated state-linked actors targeting critical government systems. As the response continues, both public and private sector organizations are urged to review their exposure and ensure all relevant patches are applied without delay.
Mar 21, 2026
CISA warns Cisco firewall backdoor survives patching after federal agency breach
CISA disclosed that an unnamed U.S. federal civilian agency was breached through Cisco firewall vulnerabilities `CVE-2025-20333` and `CVE-2025-20362`, and investigators later found the **FIRESTARTER** backdoor and **Line Viper** malware on the affected devices. Authorities said the attackers, linked by Cisco Talos and allied agencies to **UAT-4356** and the earlier **ArcaneDoor** activity, maintained persistence on Cisco ASA and Firepower/FTD systems even after patches were applied, regained access months later without re-exploiting the original flaws, and used crafted VPN authentication-related requests to execute code and enable unauthorized VPN sessions that bypassed authentication controls. CISA, the U.K. National Cyber Security Centre, and other partners warned that patching alone may not evict the threat because FIRESTARTER can survive standard reboots and, in some cases, firmware updates if the device was compromised before remediation. The updated federal directive requires agencies to audit Cisco firewall infrastructure and submit memory snapshots, while Cisco and CISA urged stronger recovery steps such as hard reboots and reimaging where compromise is suspected. The disclosure came alongside a broader allied advisory that China-linked groups including **Volt Typhoon** and **Flax Typhoon** are increasingly using large covert proxy networks built from compromised SOHO routers and IoT devices—such as the **Raptor Train** and **KV Botnet** infrastructure—to hide intrusions, support espionage, and blunt traditional IP-based blocking defenses.
Apr 24, 2026
Critical Zero-Day Exploitation of Cisco Security Appliances
Multiple critical zero-day vulnerabilities have been exploited in Cisco security products, targeting both email security appliances and network firewalls. A China-linked APT, identified as UAT-9686, exploited a zero-day vulnerability (CVE-2025-20393) in Cisco email security appliances running AsyncOS, specifically when the Spam Quarantine feature is internet-accessible. This flaw allows attackers to gain root privileges, posing a severe risk to organizations relying on these appliances for email protection. In parallel, Cisco Secure Firewall Adaptive Security Appliance (ASA) and Threat Defense (FTD) software have been targeted by a separate espionage campaign, linked to the ArcaneDoor threat actor, exploiting multiple zero-days (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363) to achieve unauthenticated remote code execution and persistent access, even after system reboots or upgrades. These campaigns have prompted emergency directives from CISA and highlight the ongoing threat to perimeter network devices. Attackers have leveraged these vulnerabilities to establish persistent footholds, manipulate device memory, and potentially pivot deeper into victim networks. The vulnerabilities affecting ASA and FTD firewalls were publicly disclosed and patched, but the email security appliance zero-day remains unpatched, increasing the urgency for organizations to review their exposure and apply mitigations where possible.
Mar 21, 2026