The Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to take immediate action to patch vulnerabilities in the Cisco Adaptive Security Appliances (ASA) platform by Friday, Sept. 26, at 11:59 p.m.
CISA issued an emergency directive on Thursday in response to what it called “an advanced threat actor” targeting Cisco ASA via web services. CISA said the campaign “poses a significant risk to victims’ networks,” given that attackers have exploited multiple zero-day vulnerabilities.
Under the directive, all federal civilian agencies must account for all in-scope devices, collect forensic data, and assess any compromises using CISA-provided procedures and tools. They are also required to disconnect end-of-support devices and upgrade those that will remain in service by the Friday deadline.
“As the lead for federal cybersecurity, CISA is directing federal agencies to take immediate action due to the alarming ease with which a threat actor can exploit these vulnerabilities, maintain persistence on the device, and gain access to a victim’s network,” said Madhu Gottumukkala, CISA’s acting director, in a press release.
“The same risks apply to any organizations using these devices. We strongly urge all entities to adopt the actions outlined in this Emergency Directive,” Gottumukkala added.
Government agencies first contacted Cisco in May to support the investigation of attacks that were targeting certain Cisco ASA devices, the company said on Thursday.
Cisco said it has “high confidence” that this new activity is related to the same threat actor as the ArcaneDoor attack campaign that Cisco reported in early 2024.
In addition to the Friday deadline, all agencies are required to report back to CISA before midnight on Oct. 3. CISA said they must submit “a complete inventory of all instances of products within scope on agency networks, including details on actions taken and results.”
As agencies implement this directive, CISA said it will assess compliance and provide additional resources as needed.
During a media briefing on Thursday afternoon, Chris Butera, the acting deputy executive assistant director for CISA’s Cybersecurity Division, said the agency is “aware of hundreds of these [Cisco] devices being in the federal government.”
“The purpose of the emergency directive [is to] help us understand both the full scope of those devices as well as the full scope of the compromise across federal agencies,” Butera told reporters.