Chinese hackers scanning, exploiting Cisco ASA firewalls used by governments worldwide
Summary
A China-based threat group, tracked by Microsoft as Storm-1849 and by Cisco Talos as UAT4356, has been actively scanning for and exploiting vulnerabilities in Cisco Adaptive Security Appliance (ASA) devices used by governments, financial institutions and defence organisations across the globe, according to Palo Alto Networks Unit 42.
Unit 42 observed continued exploitation attempts during October 2025, targeting federal, state and local government IPs in the U.S. and in numerous other countries. The campaign leverages two disclosed Cisco vulnerabilities, CVE-2025-20333 and CVE-2025-20362, which are chained to gain initial access and then plant persistence that survives reboots and software upgrades.
Key Points
- Unit 42 attributes the targeting to Storm-1849, a China-based group that Cisco has tracked (as UAT4356) since 2024.
- Active scanning and exploitation observed across U.S. federal, state and local agencies and in countries including India, Japan, UK, France, Australia and others.
- Unit 42 recorded scanning of 12 U.S. federal IP addresses and 11 state/local government IPs in October.
- CISA issued an emergency directive requiring federal civilian agencies to patch CVE-2025-20333 and CVE-2025-20362 within one day because of how quickly they were being exploited.
- Attackers chain the two CVEs to gain access and establish persistence; activity continued despite the advisories and patching orders.
- CISA and Cisco have not formally attributed the 2025 campaign to China, though research (including Censys analysis) indicates possible links to China-based infrastructure used in prior campaigns.
- There was a noted lull in activity from 1–8 October, likely tied to China’s Golden Week, but operations resumed thereafter.
Content summary
Palo Alto Networks’ Unit 42 traced a global campaign targeting Cisco ASA 5500-X Series devices running Cisco Secure Firewall ASA Software with VPN web services. The attackers exploit two specific webvpn-related vulnerabilities, chain them to escalate control, and modify devices to retain access across system restarts and upgrades. CISA responded with an emergency patch directive to federal civilian agencies after noting the bugs were being exploited “with alarming ease.” Despite public advisories from CISA and Cisco, the targeting continued through October.
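A fleet-triage check of the kind the summary above implies, written as an added example (not code from the article, Cisco or Unit 42): for each ASA it normalises the version string from `show version` (`9.16(4)85`) or the advisory form (`9.16.4.85`), checks whether the running config exposes the VPN web server on an interface, and compares the build against a first-fixed-build table. The fixed-build table, the device names and the config snippets are constructed placeholders; the real fixed builds must come from Cisco's advisory. Only the two most common ways of enabling the VPN web server are recognised, so "no exposure found" means "not proven exposed", not "safe".

```python
"""Added example: triage Cisco ASA appliances for exposure to a VPN web server bug.
Not from the article or the vendor; fixed builds and sample data are placeholders."""
import re
from dataclasses import dataclass

# ASSUMPTION / PLACEHOLDER: release train -> first fixed build. Values are invented for
# the demo; replace them with the builds listed in Cisco's advisory for the two CVEs.
PLACEHOLDER_FIXED = {
    "9.16": "9.16.4.99",
    "9.20": "9.20.4.20",
}

def parse_asa_version(text: str) -> tuple[int, int, int, int]:
    """Normalise '9.16(4)85' (show version) or '9.16.4.85' (advisory) to a 4-tuple.
    A missing interim build ('9.16(4)') is treated as build 0."""
    norm = text.strip().replace("(", ".").replace(")", ".").strip(".")
    parts = norm.split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return (nums[0], nums[1], nums[2], nums[3])

def release_train(version: tuple[int, ...]) -> str:
    return f"{version[0]}.{version[1]}"

# Two common enabling forms: 'enable <intf>' inside the top-level 'webvpn' block, and
# 'crypto ikev2 enable <intf> client-services'. Other exposure paths are not covered.
WEBVPN_ENABLE = re.compile(r"^\s+enable\s+(\S+)\s*$")
IKEV2_CLIENT = re.compile(r"^crypto ikev2 enable\s+(\S+)\s+client-services\b")

def vpn_web_interfaces(config: str) -> set[str]:
    """Return the interfaces on which the VPN web server is exposed."""
    exposed: set[str] = set()
    in_webvpn = False
    for line in config.splitlines():
        if line.startswith("webvpn"):          # top-level block only (no indent)
            in_webvpn = True
            continue
        if in_webvpn:
            m = WEBVPN_ENABLE.match(line)
            if m:
                exposed.add(m.group(1))
                continue
            if not line.startswith(" "):       # unindented line ends the block
                in_webvpn = False
        m = IKEV2_CLIENT.match(line)
        if m:
            exposed.add(m.group(1))
    return exposed

@dataclass
class Finding:
    hostname: str
    version: str
    exposed_on: set[str]
    status: str  # "fixed", "unpatched" or "unknown-train"

def assess(hostname: str, version_text: str, config: str,
           fixed_table: dict[str, str] = PLACEHOLDER_FIXED) -> Finding:
    ver = parse_asa_version(version_text)
    train = release_train(ver)
    exposed = vpn_web_interfaces(config)
    if train not in fixed_table:
        status = "unknown-train"   # no fixed build listed: possibly end-of-support hardware
    elif ver >= parse_asa_version(fixed_table[train]):
        status = "fixed"
    else:
        status = "unpatched"
    return Finding(hostname, version_text, exposed, status)

def needs_action(f: Finding) -> bool:
    """Exposed VPN web server plus a build that is not known-fixed. A fixed build is not
    an all-clear: the implants described in the article survive upgrades."""
    return bool(f.exposed_on) and f.status != "fixed"

# Constructed sample configs (not real devices).
SAMPLE_CONFIG_EXPOSED = """\
hostname fw-edge-1
interface GigabitEthernet0/0
 nameif outside
 security-level 0
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
crypto ikev2 enable outside client-services port 443
"""
SAMPLE_CONFIG_INTERNAL = """\
hostname fw-mgmt-2
webvpn
 anyconnect enable
"""

if __name__ == "__main__":
    fleet = [
        ("fw-edge-1", "9.16(4)57", SAMPLE_CONFIG_EXPOSED),
        ("fw-edge-3", "9.20(4)20", SAMPLE_CONFIG_EXPOSED),
        ("fw-mgmt-2", "9.12(4)70", SAMPLE_CONFIG_INTERNAL),
    ]
    for host, ver, cfg in fleet:
        f = assess(host, ver, cfg)
        flag = "ACTION" if needs_action(f) else "ok"
        print(f"{flag:6} {f.hostname:10} {f.version:12} {f.status:13} "
              f"exposed_on={sorted(f.exposed_on)}")
```

Devices that come back `unknown-train` deserve a look even when nothing is exposed, since a train with no fixed build in the table is often hardware that no longer receives fixes. And because the article describes persistence that survives upgrades, a device that was exposed and unpatched during the campaign should be checked for compromise, not just upgraded.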
Context and relevance
This matters because Cisco ASA appliances are widely used as edge defences by governments and large organisations; compromise of such an appliance can give extensive network access, data exfiltration paths and a long-term foothold. The speed and scale of the campaign, plus CISA's unusually strict one-day patch order, show the risk is both immediate and serious for public-sector and critical infrastructure networks. Because the implants survive reboots and upgrades, patching alone does not evict an attacker who is already on a device: appliances that were exposed while unpatched should be checked for compromise before they are trusted again. The incident also illustrates how a threat cluster such as Storm-1849 can escalate rapidly and operate globally alongside better-known groups.
Why should I read this?
Short version: attackers are targeting government firewalls worldwide with bugs that are already easy to exploit. If you manage networks, security or policy for any public-sector or critical infrastructure organisation, this is the kind of thing that keeps you up at night: patching and monitoring need to be prioritised now. We read it so you don't have to sift through all the technical detail; just act.
Source
Source: https://therecord.media/chinese-hackers-scan-exploit-firewalls-government
