Feds Secure Cisco Firewalls to Combat ‘Arcane Door’ Threat


CISA Issues Emergency Directive Following Ongoing Exploits of Cisco Devices


The Cybersecurity and Infrastructure Security Agency (CISA) has warned of an ongoing attack campaign against Cisco firewalls in which the attackers exploit zero-day vulnerabilities and then plant implants that survive system reboots and software upgrades. The campaign, tracked as “Arcane Door,” has prompted urgent action from federal agencies.

In an emergency directive, CISA ordered federal agencies to disconnect end-of-support Cisco devices from their networks and to hunt for signs of compromise on the devices that remain. The directive follows confirmation that the vulnerabilities are being exploited in the wild.

Cisco has issued patches for this product line before, including critical updates in April 2024 after it confirmed that attackers had compromised its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. Because these appliances sit at the network perimeter and terminate remote-access connections, a compromised device gives an attacker a foothold on the traffic and networks behind it.

Chris Butera, acting executive assistant director of CISA’s cybersecurity division, indicated that the scope of this attack may involve hundreds of devices within the federal government alone. While CISA has not publicly named any specific nation-state actors involved, the agency is actively collaborating with Cisco to analyze the full extent of the vulnerabilities and potential compromises.

CISA expects the campaign to reach critical infrastructure operators as well, and has advised them to assess their devices immediately and report findings to the agency. By September 26, all federal civilian executive branch agencies must disconnect end-of-support devices and upgrade those that will stay in service.

Although the emergency directive is binding only on federal agencies, CISA Acting Director Madhu Gottumukkala strongly recommended that every organization running the affected products apply the same mitigations, stressing that the risk is not limited to government networks.

The exploitation chains at least two zero-day vulnerabilities: one allows remote code execution and the other facilitates privilege escalation. Patching alone is not treated as sufficient. After disconnecting or updating vulnerable systems, agencies must also catalog every affected device and collect forensic data from it, with a reporting deadline of October 2.
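The directive's playbook for a fleet of firewalls is mechanical enough to script: inventory every device, collect forensics from every device, disconnect end-of-support hardware, and upgrade anything still running a pre-fix release. The following is an added example (not code from the article, CISA or Cisco) that parses constructed `show version` excerpts and assigns those actions. The model and version tables are hypothetical placeholders; take the real end-of-support list and fixed releases from Cisco's advisory and the directive.

```python
"""Triage Cisco ASA devices against an emergency-directive style playbook.

Every device is inventoried and gets forensic collection; end-of-support
hardware is disconnected; everything else is upgraded when it runs a release
older than the fixed one.  Added example with placeholder data.
"""
import re
from dataclasses import dataclass

# ASSUMPTION: illustrative placeholders only.  Replace with the real
# end-of-support models and fixed releases from Cisco's advisory.
END_OF_SUPPORT_MODELS = {"ASA5505", "ASA5512", "ASA5515", "ASA5525"}
FIXED_VERSIONS = {"9.16": "9.16(4)99", "9.18": "9.18(4)99", "9.20": "9.20(4)99"}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)\)(\d+)?")
SHOW_VERSION_RE = re.compile(r"Software Version (\S+)")
HARDWARE_RE = re.compile(r"^Hardware:\s+(\S+?),", re.MULTILINE)


@dataclass
class Device:
    hostname: str
    model: str
    version: str


def parse_version(text: str) -> tuple:
    """'9.16(4)55' -> (9, 16, 4, 55); the trailing interim build is optional."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def parse_show_version(hostname: str, output: str) -> Device:
    """Pull hardware model and software version out of 'show version' output."""
    v = SHOW_VERSION_RE.search(output)
    h = HARDWARE_RE.search(output)
    if not v or not h:
        raise ValueError(f"{hostname}: version or hardware line not found")
    return Device(hostname, h.group(1), v.group(1))


def triage(dev: Device) -> list:
    """Ordered actions for one device under the directive's playbook."""
    actions = ["inventory", "collect_forensics"]  # required for every device
    if dev.model in END_OF_SUPPORT_MODELS:
        actions.append("disconnect")  # no fix will ever ship for this hardware
        return actions
    running = parse_version(dev.version)
    fixed = FIXED_VERSIONS.get(f"{running[0]}.{running[1]}")
    # An unknown release train is treated as needing action, not as safe.
    if fixed is None or running < parse_version(fixed):
        actions.append("upgrade")
    return actions


def triage_fleet(captures: dict) -> dict:
    """Map hostname -> actions for a dict of hostname -> 'show version' text."""
    return {h: triage(parse_show_version(h, out)) for h, out in captures.items()}


# Constructed 'show version' excerpts for three devices; not real captures.
SAMPLE_SHOW_VERSION = {
    "fw-edge-1": "Cisco Adaptive Security Appliance Software Version 9.16(4)55\n"
                 "Hardware:   ASA5515, 8192 MB RAM, CPU Clarkdale 2000 MHz\n",
    "fw-dc-1":   "Cisco Adaptive Security Appliance Software Version 9.18(4)22\n"
                 "Hardware:   FPR-2130, 16384 MB RAM, CPU Atom C3000 2200 MHz\n",
    "fw-dc-2":   "Cisco Adaptive Security Appliance Software Version 9.20(4)99\n"
                 "Hardware:   FPR-3110, 32768 MB RAM, CPU Xeon 2300 MHz\n",
}

if __name__ == "__main__":
    for host, actions in triage_fleet(SAMPLE_SHOW_VERSION).items():
        print(f"{host:10} -> {', '.join(actions)}")
```

Two design points matter in practice. Forensic collection precedes every other action, because an upgrade or reload can destroy the evidence of an implant that is designed to survive exactly those steps. And a device on a release train the table does not know about is flagged for action rather than assumed safe; with a persistent implant in play, an inventory gap is the failure mode to avoid.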

Taken together, the public details describe a familiar shape: initial access through a remotely exploitable flaw in an internet-facing appliance, followed by persistence that outlives the usual remediation of rebooting and upgrading. That is why the directive pairs patching with forensic collection rather than treating the patch as the end of the incident. Organizations outside government that run the same appliances should assume the same: patch, but also look for evidence of compromise before trusting the device again.
