
The Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 25-03, directing all Federal Civilian Executive Branch (FCEB) agencies to take immediate and comprehensive action to mitigate active exploitation of zero-day vulnerabilities affecting Cisc
These vulnerabilities, exploited by a sophisticated state-sponsored threat actor, allow attackers to maintain persistence across device reboots and upgrades, posing a critical threat to national cybersecurity infrastructure. The directive requires immediate identification, forensic analysis, and mitigation of affected devices—marking the second Emergency Directive issued under the Trump Administration.
“As the lead for federal cybersecurity, CISA is directing immediate action due to the alarming ease with which these vulnerabilities can be exploited to establish persistent access,” said CISA Acting Director Madhu Gottumukkala. “We strongly urge all organizations—public and private—to implement the measures outlined in this directive.”
Under Emergency Directive 25-03, federal agencies must:
· Identify all in-scope Cisco ASA devices
· Collect forensic data using tools provided by CISA
· Assess signs of compromise following CISA guidance
· Disconnect end-of-support devices
· Upgrade supported devices by 11:59 PM EST on September 26, 2025
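A small triage helper for the first and last steps of the directive, added here as an example rather than CISA or Cisco tooling: it classifies each inventoried ASA model as "disconnect" (end of support already reached) or "upgrade" (still supported, upgrade by the deadline), using the support dates and the Secure Boot model list given in the tables later in this article. The inventory and hostnames are constructed.

```python
"""Triage for Emergency Directive 25-03 (added example, not official tooling).
Support dates and the Secure Boot model list are taken from the article's
tables; the sample inventory below is constructed."""
from datetime import date

# Directive deadline: 11:59 PM EST, September 26, 2025 (date part only).
DEADLINE = date(2025, 9, 26)

# Last date of support per model, as listed in the article's tables.
LAST_SUPPORT = {
    "ASA5512-X": date(2022, 8, 31), "ASA5515-X": date(2022, 8, 31),
    "ASA5525-X": date(2025, 9, 30), "ASA5545-X": date(2025, 9, 30),
    "ASA5555-X": date(2025, 9, 30),
    "ASA5585-X": date(2023, 5, 31),
    "ASA5506-X": date(2026, 8, 31), "ASA5506H-X": date(2026, 8, 31),
    "ASA5506W-X": date(2026, 8, 31),
    "ASA5508-X": date(2026, 8, 31), "ASA5516-X": date(2026, 8, 31),
}
# Models the article lists as supporting Secure Boot / Trust Anchor.
SECURE_BOOT = {"ASA5506-X", "ASA5506H-X", "ASA5506W-X", "ASA5508-X", "ASA5516-X"}


def normalize_model(raw):
    """Map spellings such as 'ASA 5525-X' or 'asa5525x' to the key 'ASA5525-X'."""
    s = raw.upper().replace(" ", "").replace("-", "")
    if s.startswith("ASA") and s.endswith("X"):
        return s[:-1] + "-X"
    return s


def triage(model, today=DEADLINE):
    """Return (action, reason) for one device under the directive's steps."""
    key = normalize_model(model)
    eos = LAST_SUPPORT.get(key)
    if eos is None:
        return ("review", "model not in the directive tables")
    if eos <= today:
        return ("disconnect", "end of support reached on " + eos.isoformat())
    if key in SECURE_BOOT:
        return ("upgrade", "supported; Secure Boot model, included as a precaution")
    return ("upgrade", "supported; upgrade by " + DEADLINE.isoformat())


def triage_inventory(inventory, today=DEADLINE):
    """inventory: iterable of (hostname, model). Returns {hostname: action}."""
    return {host: triage(model, today)[0] for host, model in inventory}


# Constructed sample inventory (hostnames are not real).
SAMPLE = [("fw-edge-1", "ASA 5515-X"), ("fw-dc-2", "ASA 5545-X"),
          ("fw-br-3", "ASA 5506-X"), ("fw-lab-4", "Firepower 1010")]
```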
Federal Agencies Ordered to Mitigate Threat Amidst Global Cyber-Espionage Campaign
CISA will continue to monitor compliance, assist agencies with mitigation, and provide further resources as needed to ensure rapid and effective threat reduction.
ArcaneDoor: A Sophisticated Espionage Campaign
The vulnerabilities in question are being actively exploited by a state-sponsored group identified as UAT4356 (Microsoft: Storm-1849), associated with the espionage campaign known as ArcaneDoor. First observed in May 2025, the campaign is believed to have compromised multiple U.S. federal agencies and up to 2 million devices globally.
The attacks involve implanting malware, executing remote commands, and potentially exfiltrating sensitive data. These operations exploit flaws in Cisco ASA devices that lack modern security features such as Secure Boot and Trust Anchor technologies.
Affected Cisco ASA Devices
The following models have been successfully compromised and are particularly at risk:
Model | Last Date of Support | Notes
ASA 5512-X, 5515-X | August 31, 2022 | Vulnerable; lacks modern protections
ASA 5525-X, 5545-X, 5555-X | September 30, 2025 | Vulnerable; actively targeted
ASA 5585-X | May 31, 2023 | Confirmed compromise observed
Models that support Secure Boot and Trust Anchor technologies (and are not known to be compromised) include:
Model | Last Date of Support
ASA 5506-X, 5506H-X, 5506W-X | August 31, 2026
ASA 5508-X, 5516-X | August 31, 2026
Though these models have not shown evidence of exploitation, they are nearing end-of-support and are included in the directive for precautionary reasons.
The ArcaneDoor campaign demonstrates a clear evolution of tactics from prior intrusions in 2023–2024, which used malware like Line Dancer and Line Runner. The latest wave includes:
· RayInitiator – enables persistence and remote command execution
· LINE VIPER – a modular backdoor enabling data exfiltration, lateral movement, and stealth
Attackers have also used advanced evasion techniques, such as:
· Disabling system logging
· Intercepting CLI commands
· Triggering crashes to obstruct forensic analysis
Cisco has confirmed that the threat actor exploited multiple zero-day vulnerabilities to compromise ASA 5500-X Series devices running Cisco Secure Firewall ASA Software with VPN web services enabled.
A dedicated incident response team from Cisco collaborated with affected agencies, using instrumented images and packet capture analysis to trace and confirm memory corruption bugs responsible for the exploit.
Cisco’s forensic investigations also confirmed that the ROMMON bootloader was modified in some instances to maintain malware persistence even after system upgrades and restarts—a level of access made possible only on pre-Secure Boot hardware.
“The complexity and sophistication of this incident required an extensive, multi-disciplinary response across Cisco’s engineering and security teams,” the company said in its latest event response bulletin, version 2.0, released on September 26, 2025.
Importantly, Cisco has no evidence of compromise on platforms that support Secure Boot and Trust Anchors, including Firepower and Cisco Secure Firewall models running on newer architectures.
Cisco urges all customers to:
· Review and implement Cisco’s mitigation guidance
· Perform forensic assessments where compromise is suspected
· Open a Cisco TAC case for detailed support and analysis
For technical details on detection and response, refer to the official Cisco document:
Detection Guide for Continued Attacks Against Cisco Firewalls by the Threat Actor Behind ArcaneDoor
About CISA: The Cybersecurity and Infrastructure Security Agency (CISA) is the U.S. government’s lead agency for national cyber defense and infrastructure security. CISA works with public and private partners to identify, manage, and reduce cybersecurity risks affecting the nation’s critical digital and physical infrastructure.