Full Report
Cisco said it was investigating state-sponsored espionage attacks in May. CISA did not explain why it waited four months to issue an emergency directive. The post CISA alerts federal agencies of widespread attacks using Cisco zero-days appeared first on CyberScoop.
Analysis Summary
# Incident Report: Widespread Exploitation of Cisco Firewall Zero-Days
## Executive Summary
Federal agencies were alerted to a widespread, ongoing cyber espionage campaign exploiting actively used zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) firewalls. The attacks, attributed to a state-sponsored threat group continuing activity seen earlier in the year (ArcaneDoor/Storm-1849), allowed attackers to implant malware, execute commands, and potentially exfiltrate data. CISA issued an Emergency Directive requiring immediate identification, reporting, and remediation of compromised devices.
## Incident Details
- **Discovery Date:** September 25, 2025 (the date CISA issued the directive; Cisco began investigating in May 2025).
- **Incident Date:** Attacks active since at least May 2025.
- **Affected Organization:** US federal agencies (primary); private-sector operators of the same devices are urged to comply as well.
- **Sector:** Government/Federal.
- **Geography:** United States focus, with global implications implied by the prior ArcaneDoor activity.
## Timeline of Events
### Initial Access
- **Date/Time:** Potentially starting May 2025 or earlier.
- **Vector:** Exploitation of actively used zero-day vulnerabilities in Cisco ASA firewalls.
- **Details:** Exploitation involved chaining together **CVE-2025-20333** and **CVE-2025-20362**.
### Lateral Movement
- **Details:** The initial foothold on the firewall allowed attackers to "gain full control" of the device, leading to access to the victim's network.
### Data Exfiltration/Impact
- **Details:** Attackers were able to "potentially exfiltrate data from the compromised devices." The attack achieved remote code execution and manipulation of read-only memory, giving the implant persistence that survived reboots and software upgrades.
### Detection & Response
- **How it was discovered:** Cisco began investigating the state-sponsored campaign in May 2025. CISA issued an Emergency Directive on September 25, 2025.
- **Response actions taken:** CISA required federal agencies to hunt for compromise evidence, report findings, and disconnect compromised devices by the end of the following Friday. Agencies must apply patches or disconnect EOL devices by the same deadline.
## Attack Methodology
- **Initial Access:** Exploitation of Cisco ASA zero-days (CVE-2025-20333 and CVE-2025-20362).
- **Persistence:** Achieved through techniques allowing the implant to survive reboots and system upgrades (manipulation of read-only memory).
- **Privilege Escalation:** Not explicitly detailed, but exploitation granted "full control of an affected device."
- **Defense Evasion:** Attackers employed advanced techniques including disabling logging, intercepting command-line interface commands, and intentionally crashing devices to hinder diagnostic analysis.
- **Credential Access:** Not explicitly detailed.
- **Discovery:** Not explicitly detailed.
- **Lateral Movement:** Implied movement into the victim's network after compromising the perimeter device.
- **Collection:** Data gathering for potential exfiltration.
- **Exfiltration:** Potential data theft from compromised devices.
- **Impact:** Remote Code Execution (RCE) and establishment of persistent backdoors on perimeter network devices.
## Impact Assessment
- **Financial:** Not disclosed.
- **Data Breach:** Potential data exfiltration due to successful device compromise, though specific volume/type not detailed.
- **Operational:** Business risk requiring immediate mandatory hunt and remediation actions for federal agencies.
- **Reputational:** Significant, as it highlights long-term compromise affecting federal infrastructure before public disclosure.
## Indicators of Compromise
(Note: no URLs, IP addresses or file hashes are provided in the source material, so only behavioral indicators can be listed.)
- **Network indicators:** None provided in the source.
- **File indicators:** Implanted malware presence (details not provided).
- **Behavioral indicators:** Disabling of system logging; interception of CLI commands; intentional device crashes for forensic evasion; persistence mechanism targeting read-only memory.
## Response Actions
- **Containment measures:** Federal agencies required to disconnect compromised devices by the end of the specified Friday.
- **Eradication steps:** Agencies required to apply Cisco patches or permanently decommission end-of-life devices.
- **Recovery actions:** Mandatory hunting activity to identify evidence of compromise across agency environments.
## Lessons Learned
- **Key takeaways:** A sophisticated, state-sponsored group tied to the prior ArcaneDoor campaign remains active using highly advanced evasion techniques against critical perimeter infrastructure.
- **What could have been done better:** Cisco’s delayed disclosure (four months between investigation start and public patching/directive) significantly extended the period of risk for federal agencies. CISA’s delayed issuance of an Emergency Directive after Cisco's internal investigation merits review.
## Recommendations
- For all entities using affected Cisco devices: Immediately apply vendor patches or disconnect end-of-life devices.
- Implement robust logging that is forwarded off the device to a collector isolated from the operational system stack, so that an attacker who disables on-device logging cannot also remove the record of having done so.
- Enhance monitoring of perimeter devices for the anomalies associated with the evasion techniques described above: memory manipulation, unexpected crashes or reboots, gaps in log flow, and changes to logging configuration.
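The behavioral indicators listed above (logging disabled on the device, deliberate crashes, and the log silence that follows) can be checked from an off-device log collector. The following script is an added example written for this report; it is not code from CyberScoop, CISA or Cisco. The syslog lines are constructed, the hostnames are invented, and the message IDs and wording are illustrative of the `%ASA-level-id:` syslog style only and should be checked against the vendor's syslog message reference before being relied on. The detection needs the collector's own clock (`now`) rather than device timestamps, because a device that has stopped logging cannot report that fact itself.

```python
"""Added example (not from the report's sources): flag perimeter devices that
disabled logging, rebooted unexpectedly, or went silent, using off-device logs."""
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines. Hostnames, timestamps and message IDs are
# illustrative; verify IDs against the vendor's syslog reference before use.
SAMPLE_LOGS = """\
2025-09-20T08:00:00Z fw-edge-1 %ASA-6-302013: Built outbound TCP connection 1001
2025-09-20T08:05:00Z fw-edge-1 %ASA-5-111008: User 'admin' executed the 'show version' command.
2025-09-20T08:06:00Z fw-edge-1 %ASA-5-111008: User 'admin' executed the 'no logging enable' command.
2025-09-20T08:00:00Z fw-edge-2 %ASA-6-302013: Built outbound TCP connection 2001
2025-09-20T08:30:00Z fw-edge-2 %ASA-6-302013: Built outbound TCP connection 2002
2025-09-20T09:00:00Z fw-edge-2 %ASA-6-302013: Built outbound TCP connection 2003
2025-09-20T09:25:00Z fw-edge-2 %ASA-6-302013: Built outbound TCP connection 2004
2025-09-20T08:00:00Z fw-edge-3 %ASA-6-302013: Built outbound TCP connection 3001
2025-09-20T09:30:00Z fw-edge-3 %ASA-6-199002: Startup completed. Beginning operation.
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
# A CLI audit message recording a command that turns logging off.
LOGGING_OFF_RE = re.compile(r"executed the '(?P<cmd>no logging[^']*)' command")
# A startup banner means the device rebooted (or was crashed) just before.
STARTUP_RE = re.compile(r"startup completed", re.IGNORECASE)


def parse_lines(text):
    """Return (timestamp, host, message) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["host"], m["msg"]))
    return events


def find_logging_disabled(events):
    """Hosts on which a 'no logging ...' command was executed, with the command.
    A legitimate change should match a change ticket; anything else is suspect."""
    hits = []
    for _ts, host, msg in events:
        m = LOGGING_OFF_RE.search(msg)
        if m:
            hits.append((host, m["cmd"]))
    return hits


def find_reboots(events, planned=frozenset()):
    """Startup events on hosts that had no planned maintenance window."""
    return [(host, ts) for ts, host, msg in events
            if STARTUP_RE.search(msg) and host not in planned]


def find_silent_hosts(events, now, max_gap):
    """Hosts whose last message is older than max_gap, measured against the
    collector's clock; returns (host, minutes_since_last_message)."""
    last_seen = {}
    for ts, host, _msg in events:
        last_seen[host] = max(last_seen.get(host, ts), ts)
    silent = []
    for host, ts in sorted(last_seen.items()):
        gap = now - ts
        if gap > max_gap:
            silent.append((host, int(gap.total_seconds() // 60)))
    return silent


def analyze(text, now, max_gap=timedelta(minutes=30), planned_reboots=frozenset()):
    """Run all three checks over a block of collected syslog text."""
    events = parse_lines(text)
    return {
        "logging_disabled": find_logging_disabled(events),
        "reboots": find_reboots(events, planned_reboots),
        "silent": find_silent_hosts(events, now, max_gap),
    }


if __name__ == "__main__":
    # 'now' is the collector's clock at analysis time (constructed for the sample).
    report = analyze(SAMPLE_LOGS, now=datetime(2025, 9, 20, 9, 30))
    for check, findings in report.items():
        print(f"{check}: {findings}")
```

On the sample data, fw-edge-1 is flagged twice (logging was turned off and the device then fell silent), fw-edge-3 is flagged for an unplanned restart, and fw-edge-2, which kept logging, is not flagged. The silence check is only meaningful if log forwarding was configured before any compromise, which is the point of the off-device logging recommendation above.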