Federal agencies suspect Chinese state-backed hackers exploited Cisco firewall devices

Federal agencies in the United States and the United Kingdom are rushing to contain a wave of cyberattacks after researchers uncovered previously unknown flaws in widely used Cisco firewall devices.

Officials said Thursday the vulnerabilities are already being exploited in a sophisticated espionage campaign tied to suspected Chinese state-backed hackers.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a rare emergency directive, giving federal agencies until Friday night to identify and secure all Cisco Adaptive Security Appliance (ASA) devices. Agencies that discover compromised equipment must disconnect it immediately while preserving evidence for forensics.

In parallel, the United Kingdom’s National Cyber Security Centre (NCSC), part of GCHQ, urged organizations to urgently investigate their networks. It released new malware analysis and detection tools to help defenders root out intrusions.

“This is not just a typical vulnerability disclosure,” said Ollie Whitehouse, the NCSC’s chief technology officer. “We’re dealing with a highly sophisticated actor who has demonstrated capability to persistently target network infrastructure devices.”

Exploiting Zero-Days
Cisco confirmed that attackers had chained two zero-day vulnerabilities, now tracked as CVE-2025-20333 and CVE-2025-20362, to gain complete control of affected systems; a third flaw, CVE-2025-20363, was disclosed alongside them but had not been reported as exploited. The flaws affect Cisco ASA software releases 9.12 through 9.23 and certain Firepower Threat Defense (FTD) versions.

The company said the hackers implanted two new strains of malware, dubbed RayInitiator and LINE VIPER. RayInitiator is a bootloader-level implant on ASA 5500-X devices that survives reboots and software upgrades; LINE VIPER is the loader it deploys to run attacker code on the appliance, giving remote command execution and data theft. Researchers said the tools represent an evolution of the LINE DANCER and LINE RUNNER malware families uncovered in 2024.

Targets and Risks
The affected Cisco ASA 5500-X Series devices are used as firewalls in enterprise and government networks around the world. Security officials warned that attackers who compromise such equipment can intercept or manipulate all traffic flowing through it, granting them a powerful foothold inside sensitive systems.

“This widespread campaign poses a significant risk to victims’ networks,” CISA said in its directive. The agency instructed departments to run forensic scans, report findings by next week, and disconnect outdated hardware that is approaching end-of-support deadlines.

Cisco has advised customers to upgrade to patched software, disable web-based VPN services where necessary, and replace unsupported hardware. Several ASA models, including the 5525-X, 5545-X and 5555-X, are due to lose support in September 2025.
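The directive's steps (identify every ASA device, isolate and preserve evidence where compromise is suspected, patch, and replace hardware that is losing support) come down to inventory triage. The script below is an added example, not CISA's or Cisco's tooling. It assumes a hypothetical CSV inventory (constructed sample hosts) and uses only what the article states: the affected release range 9.12 through 9.23, web-based VPN as the exposed service, and the 5525-X, 5545-X and 5555-X models losing support. Fixed releases are not given on this page, so "release in affected range" is a prioritisation signal to be checked against Cisco's advisory, not a confirmed-vulnerable verdict.

```python
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample inventory (hypothetical hosts, not real devices).
INVENTORY_CSV = """hostname,model,version,webvpn
fw-dc1-edge,ASA5545-X,9.16.4,yes
fw-branch-7,ASA5516-X,9.12(4)67,no
fw-lab-2,FPR2110,9.20.3,yes
fw-legacy-1,ASA5525-X,9.8.4,no
"""

AFFECTED_MIN = (9, 12)   # article: ASA releases 9.12 through 9.23
AFFECTED_MAX = (9, 23)
EOL_MODELS = ("5525-X", "5545-X", "5555-X")   # article: lose support Sept 2025


@dataclass
class AsaDevice:
    hostname: str
    model: str
    version: str
    webvpn_enabled: bool


def parse_inventory(text: str) -> list[AsaDevice]:
    """Read the CSV inventory into device records."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        AsaDevice(r["hostname"], r["model"], r["version"],
                  r["webvpn"].strip().lower() in ("yes", "true", "1"))
        for r in rows
    ]


def parse_version(v: str) -> tuple[int, ...]:
    """Normalise ASA version strings such as 9.16.4 or 9.12(4)67 to int tuples."""
    return tuple(int(p) for p in re.split(r"[.()]", v) if p.isdigit())


def in_affected_range(version: str) -> bool:
    """True when the major.minor train falls inside the range the article names."""
    train = parse_version(version)[:2]
    return AFFECTED_MIN <= train <= AFFECTED_MAX


def triage(devices: list[AsaDevice]) -> list[dict]:
    """Rank devices for the directive's steps: isolate/preserve, patch, replace."""
    result = []
    for d in devices:
        affected = in_affected_range(d.version)
        eol = any(m in d.model for m in EOL_MODELS)
        reasons = []
        if affected:
            reasons.append("release in affected range 9.12-9.23")
        if d.webvpn_enabled:
            reasons.append("web-based VPN enabled (the exposed service)")
        if eol:
            reasons.append("model loses support Sept 2025: replace")

        if affected and d.webvpn_enabled:
            # The implant survives reboot and upgrade, so evidence comes first.
            priority = 1
            action = ("disconnect, preserve forensic evidence before any reboot "
                      "or upgrade, then patch or replace")
        elif affected:
            priority = 2
            action = "upgrade to a fixed release; confirm web VPN is really disabled"
        elif eol:
            priority = 3
            action = "schedule replacement; verify release against Cisco advisory"
        else:
            priority = 4
            action = "no action from this inventory; still verify against Cisco advisory"
        result.append({"hostname": d.hostname, "priority": priority,
                       "action": action, "reasons": reasons})
    return sorted(result, key=lambda r: r["priority"])


if __name__ == "__main__":
    for row in triage(parse_inventory(INVENTORY_CSV)):
        print(f"P{row['priority']} {row['hostname']}: {row['action']} "
              f"({'; '.join(row['reasons'])})")
```

The ordering matters: a device with an affected release and the web VPN service exposed is treated as possibly compromised, and because the article notes the implant persists across reboots and upgrades, the script tells the operator to collect evidence before touching the device rather than patching first.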

ArcaneDoor Connection
The campaign is linked to “ArcaneDoor,” a cyberespionage operation exposed in 2024 that security researchers attributed to China-based operators. Independent experts, including analysts at Palo Alto Networks, said the new activity shows the group has grown more capable and is increasingly focused on U.S. targets.

Beijing has consistently denied involvement in state-sponsored hacking. The Chinese Embassy in Washington did not immediately respond to a request for comment.

International Response
The Canadian Centre for Cyber Security and the Australian Signals Directorate also published advisories warning that Cisco devices were under active attack.

Chris Butera, acting deputy executive assistant director at CISA, said the scope of the operation was broad. “The threat campaign is widespread. We strongly urge both government and private organizations to adopt the measures we’ve outlined.”

Growing Pressure on Edge Devices
Experts said the incident highlights a broader weakness in global infrastructure: aging edge devices that sit exposed to the internet and often lag in software updates. A recent Verizon Data Breach Investigations Report found that exploitation of such systems surged last year.

“This campaign shows the urgency of patching, replacing end-of-life technology, and adopting zero-trust security models,” said Charles Carmakal, chief technology officer at Google’s Mandiant division.

As agencies race to comply with CISA’s directive, officials warned that the disclosure itself could spur copycat attacks by other hackers now aware of the vulnerabilities.


Discover more from NJTODAY.NET