Federal cybersecurity officials have ordered immediate fixes after hackers began exploiting newly disclosed flaws in Cisco security appliances that sit at the edge of government and corporate networks.
The Cybersecurity and Infrastructure Security Agency said the activity “poses a significant risk” and issued Emergency Directive 25-03 instructing civilian agencies to find all affected devices, collect forensics, and apply updates on a rapid timetable.
The order targets Cisco’s Adaptive Security Appliance and Firepower devices, which power VPN and web services for remote workers.
CISA described a widespread campaign that uses zero-day vulnerabilities to gain access and maintain persistence, including evidence of manipulation that can survive reboots and upgrades.
That persistence on internet-exposed gear is especially dangerous because these boxes often sit between the public internet and sensitive internal systems.
Under the directive, agencies must upload core dumps for analysis by 11:59 p.m. EDT on September 26, disconnect hardware that has reached end of support by September 30, and file a full inventory with actions taken by October 2.
Those tight deadlines are meant to give defenders a quick read on potential compromises while forcing upgrades and retirement of outdated units that cannot be secured.
Cisco, for its part, published fixes and detailed guidance after confirming that attackers were abusing two flaws in the VPN web server component, tracked as CVE-2025-20333 and CVE-2025-20362.
The company also disclosed a related vulnerability, CVE-2025-20363. Cisco urged customers to patch and follow its detection and hardening steps.
The campaign echoes a pattern seen over the last two years, when internet-facing remote access tools and network appliances became favored targets.
CISA issued a similar emergency directive in 2024 around Ivanti’s remote access products following serial exploitation, a reminder that attackers continue to look for footholds in the very technologies that enable hybrid work.
Cisco faces urgent customer remediation work and potential questions about installed-base resilience, even as competitors in cloud-delivered security highlight the advantages of software-centric controls.
Earlier this month, investors bid up a pure-play cloud security name on its market debut, underscoring appetite for platforms built for work-from-anywhere architectures.
That momentum was visible in Netskope’s Nasdaq debut, which drew attention to zero trust and data protection spend tied to remote access.
On the Canadian side of the market, demand for cyber offerings has been one of the few bright spots during choppy tech sessions, with BlackBerry lifting its revenue outlook on cybersecurity demand even as broader risk assets wobbled.
CISA also tied the activity to tactics seen in last year’s ArcaneDoor campaign, a nod to state-sponsored tradecraft that blends zero-day use with stealthy persistence.
Any organization that exposes VPN or web management interfaces to the internet should assume opportunistic scanning is underway and move fast on updates, configuration hardening, and log review.