Federal agencies not fully patching vulnerable Cisco devices amid ‘active exploitation,’ CISA warns
Summary
CISA says many federal civilian agencies reported Cisco Adaptive Security Appliance (ASA) devices as “patched” even though they were updated to software versions that remain vulnerable. The agency warned of active exploitation since September and has issued implementation guidance listing minimum safe versions and devices that must be replaced or updated. Recorded Future and Palo Alto Unit 42 have reported scanning and exploitation activity tied to China-linked groups, while CISA stresses rapid corrective action is needed.
Key Points
- CISA analysed agency reports and found devices marked as patched were still running vulnerable ASA software versions.
- The vulnerabilities (including CVE-2025-30333 and CVE-2025-20362) have been actively scanned for and exploited since September.
- CISA provided a detailed list of devices and minimum software versions; non-compliant devices must be patched or swapped out.
- Threat actors — traced to Storm-1849/China-linked campaigns — targeted government and critical-sector IPs worldwide, including US federal addresses.
- Agencies were previously given just one day to apply patches; CISA now issued further implementation guidance for those still exposed.
- Palo Alto Unit 42 and Recorded Future observed exploitation activity across government, finance, defence and military targets.
- CISA has not publicly confirmed breaches but warns the vulnerable versions are being actively exploited inside federal networks.
Content summary
In September CISA issued an emergency directive about two defects in Cisco ASA firewall products being exploited by an “advanced threat actor.” Agencies were ordered to report their mitigation steps. CISA’s review of the agencies’ reports found many devices labelled as patched were in fact updated to versions that remain exploitable. The agency released a corrective directive with explicit minimum safe firmware/software versions and guidance to replace devices where necessary. Independent researchers from Recorded Future and Palo Alto Networks’ Unit 42 have tracked scanning and exploitation activity linked to a China-based threat group, and government IPs across numerous countries have been targeted. CISA emphasises immediate corrective patching and released implementation guidance for agencies that remain non-compliant.
Context and relevance
This matters because Cisco ASA appliances are widely used by governments and large organisations as consolidated gateway security devices; left unpatched they provide an easy avenue for intrusion, data theft or persistent access. The incident sits within a broader increase in nation-state targeting of network infrastructure and demonstrates how patch reporting can mislead defenders if version details are incorrect. For IT, security and risk teams the update is a prompt to verify exact firmware versions, follow CISA’s listed minimum versions, and consider device replacement where updates aren’t available.
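One way to catch the reporting gap described above, as an added example that is not from the article, CISA or Cisco: a Python check that parses each appliance's "show version" output and compares the running version against a per-release-train minimum table, flagging devices that were reported as patched but are below the minimum or on a train with no fixed release. The minimum versions, host names and version strings are constructed placeholders; the real minimums must come from CISA's implementation guidance and Cisco's advisory.

```python
import re
from typing import List, Optional, Tuple

# ASA version strings look like "9.16(4)67": major.minor(maintenance)interim.
_VER_RE = re.compile(r"(\d+)\.(\d+)(?:\((\d+)\))?(\d+)?")

def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract an ASA version tuple from a bare string or a 'show version' line."""
    m = re.search(r"Software Version\s+(\S+)", text)
    token = m.group(1) if m else text.strip()
    m = _VER_RE.fullmatch(token)
    if not m:
        return None
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint or 0), int(interim or 0))

# PLACEHOLDER minimum fixed version per release train, constructed for this
# example only; the real minimums come from CISA's guidance and Cisco's advisory.
MIN_SAFE = {(9, 16): "9.16(4)99", (9, 18): "9.18(4)80", (9, 20): "9.20(4)10"}

def assess(show_version: str) -> str:
    """Classify one device from its 'show version' output."""
    ver = parse_version(show_version)
    if ver is None:
        return "unknown: version not parsed"
    train = ver[:2]
    if train not in MIN_SAFE:
        # No fixed build on this train in the table: the box needs a train
        # upgrade or replacement, not just a maintenance release.
        return "replace: release train has no fixed version in the list"
    minimum = parse_version(MIN_SAFE[train])
    return "compliant" if ver >= minimum else f"vulnerable: below {MIN_SAFE[train]}"

def false_patched(inventory: List[dict]) -> List[Tuple[str, str]]:
    """Hosts reported as patched whose running version is not actually compliant."""
    return [(d["host"], assess(d["show_version"]))
            for d in inventory if d["reported"] == "patched"
            and assess(d["show_version"]) != "compliant"]

# Constructed sample inventory: what the owner reported versus what the box runs.
INVENTORY = [
    {"host": "fw-edge-01", "reported": "patched",
     "show_version": "Cisco Adaptive Security Appliance Software Version 9.16(4)99"},
    {"host": "fw-edge-02", "reported": "patched",
     "show_version": "Cisco Adaptive Security Appliance Software Version 9.16(4)38"},
    {"host": "fw-dc-01", "reported": "patched",
     "show_version": "Cisco Adaptive Security Appliance Software Version 9.12(4)58"},
]

if __name__ == "__main__":
    for host, verdict in false_patched(INVENTORY):
        print(f"{host}: reported patched but {verdict}")
```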
Why should I read this?
Short answer: if you run or manage network kit, pay attention — this isn’t theoretical. CISA found agencies saying “we’re patched” while still open to attacks. That’s sloppy and dangerous. Read it so you know to double-check exact ASA software versions, follow CISA’s list, and stop assuming a reported patch equals protection. If you look after firewalls, VPNs or network perimeter kit, this could save you a breach.
Source
Source: https://therecord.media/federal-cisco-patches-warning
