Hackers compromised firewall devices within the U.S. government, according to a senior federal official, amid broader warnings of cyberattacks on widely used devices manufactured by Cisco Systems, Inc.
The U.S. Cybersecurity and Infrastructure Security Agency, or CISA, issued an emergency directive Thursday requiring federal agencies to address vulnerabilities and identify and mitigate potential breaches in hundreds of Cisco firewall devices active in the U.S. government. Cisco said in a security alert that the company was engaged in May 2025 with “multiple government agencies” to investigate attacks on the firewall devices.
Such access enables intruders to take full control of a firewall, then disable security protections and access internal systems, deploy malware and collect sensitive data, according to the cyber firm BitSight Technologies Inc.
“The threat is widespread,” said Chris Butera, acting deputy executive assistant director for CISA’s cybersecurity division. Emergency directives apply only to federal civilian networks, but Butera urged other government agencies and private companies to follow the guidance. Neither CISA nor Cisco identified victims, and the scope and severity of the breaches weren’t immediately clear.
The hackers pose an especially significant risk because they’re exploiting vulnerabilities that persist through reboots and system upgrades, Butera said. The CISA directive gave federal agencies until the end of Friday to hunt for evidence of compromised devices and submit the data to the agency.
The U.K.’s National Cyber Security Centre also issued an alert, saying the attackers had exploited the flaws to implant malicious code, execute computer commands and potentially steal data.
The hackers, dubbed ArcaneDoor by Cisco, have been running cyber-espionage campaigns since 2024. A CISA investigation confirmed that devices in the government were breached, Butera said.
The agency believes the attacks affect critical infrastructure in the U.S., he said, but declined to name specific victims.
The cybersecurity firm Palo Alto Networks Inc. has been tracking the hackers internationally since last year and has seen the group change their methods and in recent months shift their focus toward entities in the U.S., said Sam Rubin, senior vice president of the company’s Unit 42 threat intelligence and incident response team.
Rubin warned that in addition to the recently exposed espionage campaign, they “expect attacks to escalate as cybercriminal groups quickly figure out how to take advantage of these vulnerabilities.”
Top photo: The Cisco Systems Inc. pavilion ahead of the World Economic Forum (WEF) in Davos, Switzerland, on Jan. 20, 2025. Photographer: Stefan Wermuth/Bloomberg.
Copyright 2025 Bloomberg.