Hackers compromised firewall devices within the US government, according to a senior federal official, amid broader warnings of cyberattacks on widely-used devices manufactured by Cisco Systems, Inc.
The US Cybersecurity and Infrastructure Security Agency, or CISA, issued an emergency directive on Sept. 25 requiring federal agencies to address vulnerabilities and identify and mitigate potential breaches in hundreds of Cisco firewall devices active in the US government. Cisco said in a that the company was engaged in May 2025 with “multiple government agencies” to investigate attacks on the firewall devices.
Such attacks allow hackers to take full control of a firewall, then disable security protections and access internal systems, deploy malware and collect sensitive data, according to the cyber firm BitSight Technologies Inc.
“The threat is widespread,” said Chris Butera, acting deputy executive assistant director for CISA’s cybersecurity division. Emergency directives apply only to federal civilian networks, but Butera urged other government agencies and private companies to follow the guidance. Neither CISA nor Cisco identified victims, and the scope and severity of the breaches weren’t immediately clear.
The hackers pose an especially significant risk because they’re exploiting vulnerabilities that persist through reboots and system upgrades, Butera said. The CISA directive gave federal agencies until the end of Friday to hunt for evidence of compromised devices and submit the data to the agency.
The UK’s National Cyber Security Centre also issued an alert, saying the attackers had exploited the flaws to implant malicious code, execute computer commands and potentially steal data.
The hackers, dubbed ArcaneDoor by Cisco, have been conducting cyber-espionage campaigns since 2024. A CISA investigation confirmed that devices in the government were breached, Butera said.
The agency believes the attacks affect critical infrastructure in the US, he said, but declined to name specific victims.
The cybersecurity firm Palo Alto Networks Inc. has been tracking the hackers internationally since last year and has seen the group change its methods and, in recent months, shift its focus toward entities in the US, said Sam Rubin, senior vice president of the company’s Unit 42 threat intelligence and incident response team.
Rubin warned that in addition to the recently exposed espionage campaign, they “expect attacks to escalate as cybercriminal groups quickly figure out how to take advantage of these vulnerabilities.”