Cybersecurity agencies warn China-linked hackers are targeting Cisco firewalls
Resurgent hacker group believed to be behind 'widespread' espionage campaign
SDxCentral, September 29, 2025. By Ben Wodecki
Cisco is under fire from U.S. and U.K. cybersecurity agencies over a “significant risk” discovered in devices running the vendor’s Adaptive Security Appliances (ASA) firewall software.
Emergency directives published late last week by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.K. National Cyber Security Centre (NCSC) contend that an “advanced threat actor” is actively targeting Cisco’s threat management software.
According to the agencies, the “widespread” campaign involves exploiting zero-day vulnerabilities to give threat actors access to Cisco’s devices, enabling them to execute malicious code and malware.
Cisco analysis suggests the origin of the attacks could be ArcaneDoor, a state-sponsored threat actor the vendor first identified in 2024. ArcaneDoor specifically targets devices running ASA or Cisco’s Firepower Threat Defense (FTD) software to implant malware and exfiltrate data from compromised devices.
In a statement, Cisco analysts expressed “high confidence” that the CISA- and NCSC-identified campaign is the same threat actor from the ArcaneDoor attack campaigns.
While the vulnerable software is supported across hardware platforms with different underlying architectures, including FTD, Cisco said it had seen “no evidence” that these platforms have been successfully compromised.
Following the agency warnings, Cisco released patches for the flaws last week.
The original ArcaneDoor attacks targeted ASA devices with virtual private network (VPN) web services enabled. A vulnerability caused by incomplete error checking during HTTP header parsing allowed attackers to send crafted HTTP requests to a targeted web server on a device, forcing the device to reload and thereby causing a denial-of-service (DoS) condition.
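The vulnerability class named above (incomplete error checking in an HTTP header parser, where malformed input becomes a crash and a reload) is easier to reason about with a concrete parser. The following Python is an added, constructed illustration for this article; it is not Cisco's code and makes no claim about the actual ASA flaw. The header limits (`MAX_HEADER_LINE`, `MAX_HEADERS`) and the sample requests are assumptions chosen for the demonstration. It contrasts a naive parser, which raises an unhandled exception on a header line without a colon, with a strict parser that validates every assumption and returns `None` so the caller can answer with a 400 instead of dying.

```python
"""Constructed example: incomplete vs. complete error checking in an HTTP
header parser. Not Cisco's code; the limits and samples are assumptions."""
import string
from typing import Dict, Optional

MAX_HEADER_LINE = 8192   # assumed per-line limit (typical of server defaults)
MAX_HEADERS = 100        # assumed cap on the number of header fields

# RFC 9110 "token" characters allowed in a field name.
TOKEN_CHARS = frozenset(
    b"!#$%&'*+-.^_`|~" + string.ascii_letters.encode() + string.digits.encode()
)
# Fields that must not be repeated (duplicates are a smuggling/ambiguity risk).
SINGLETON_FIELDS = frozenset({"content-length", "host"})


def naive_parse_headers(raw: bytes) -> Dict[str, str]:
    """Naive parser: assumes every non-empty line is 'Name: value'.

    A line with no colon raises ValueError from the tuple unpack, and a
    non-ASCII byte raises UnicodeDecodeError. In a single-process daemon
    an unhandled exception here is a crash, i.e. a DoS from one request."""
    headers: Dict[str, str] = {}
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        name, value = line.split(b":", 1)          # ValueError if no colon
        headers[name.decode("ascii").lower()] = value.strip().decode("ascii")
    return headers


def strict_parse_headers(raw: bytes) -> Optional[Dict[str, str]]:
    """Strict parser: every assumption is checked; malformed input yields
    None (the caller responds 400 Bad Request) instead of an exception."""
    if len(raw) > MAX_HEADERS * MAX_HEADER_LINE:
        return None
    headers: Dict[str, str] = {}
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        if len(line) > MAX_HEADER_LINE or len(headers) >= MAX_HEADERS:
            return None
        sep = line.find(b":")
        if sep <= 0:                                # no colon, or empty name
            return None
        name, value = line[:sep], line[sep + 1:]
        if any(c not in TOKEN_CHARS for c in name):  # non-token byte in name
            return None
        # Reject control characters, DEL and non-ASCII (obs-text) in values.
        if any(c > 0x7E or (c < 0x20 and c != 0x09) for c in value):
            return None
        key = name.decode("ascii").lower()
        val = value.strip(b" \t").decode("ascii")
        if key in headers:
            if key in SINGLETON_FIELDS:
                return None
            val = headers[key] + ", " + val         # RFC 9110 list merge
        headers[key] = val
    return headers


def naive_survives(raw: bytes) -> bool:
    """True if the naive parser returns without raising."""
    try:
        naive_parse_headers(raw)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


# Constructed sample header blocks (not captured traffic).
GOOD = b"Host: fw.example\r\nCookie: a=b\r\n\r\n"
BAD_NO_COLON = b"Host: fw.example\r\nGARBAGE\r\n\r\n"
BAD_CTRL = b"X-A: v\x00alue\r\n\r\n"
BAD_LONG = b"x" * (MAX_HEADER_LINE + 1) + b": v\r\n\r\n"
BAD_DUP = b"Content-Length: 5\r\nContent-Length: 50\r\n\r\n"

if __name__ == "__main__":
    for label, block in [("good", GOOD), ("no-colon", BAD_NO_COLON),
                         ("ctrl", BAD_CTRL), ("long", BAD_LONG), ("dup", BAD_DUP)]:
        print(f"{label:9} naive survives={naive_survives(block)!s:5} "
              f"strict={strict_parse_headers(block)}")
```

The design point is that the strict parser never lets the input decide whether the process lives: size, structure, character set and duplicate fields are all checked before any data is trusted, and the only failure path is a value the caller already handles.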
No nation was explicitly pinned as the perpetrator behind ArcaneDoor, but analysts at Cisco Talos said the attackers “utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted.”
However, several months following the 2024 attacks, Cisco analysts traced them to a Chinese-linked group tracked as UAT4356 (or Storm-1849 by the Microsoft Threat Intelligence Center).
The potential resurgence of ArcaneDoor was one of two threats impacting Cisco devices last week. The vendor also urged network admins to immediately patch a critical vulnerability in its IOS and IOS XE software.
Tracked as CVE-2025-20352, the vulnerability in the Simple Network Management Protocol (SNMP) subsystems could allow attackers to compromise network devices or crash them entirely.