Hackers, specifically the **ArcaneDoor** group linked to Russian state actors, exploited zero-day vulnerabilities (CVE-2024-20353 and CVE-2024-20359) in **Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)** software, critical components of U.S. federal cyber infrastructure. The breach, detected on **September 26, 2025**, allowed attackers to trigger **remote denial-of-service (DoS) conditions** via infinite loops and to **escalate privileges from administrator to root access**, compromising hundreds of Cisco firewall devices used by U.S. government agencies. Classified documents were stolen, including intelligence on **espionage, fraud, money laundering, and foreign agent activities**, directly threatening national security. The attack follows a 2024 pattern in which Cisco’s systems were repeatedly targeted, with CISA issuing emergency directives to mitigate further damage. The incident underscores systemic vulnerabilities in federal cyber defenses, with experts warning of escalating threats as other cybercriminal groups adopt ArcaneDoor’s tactics.
TPRM report: https://www.rankiteo.com/company/cisco
```json
{
  "id": "cis2032020092825",
  "linkid": "cisco",
  "type": "Cyber Attack",
  "date": "6/2024",
  "severity": "100",
  "impact": "6",
  "explanation": "Attack threatening the economy of geographical region"
}
```
```python
{
    'affected_entities': [
        {'industry': 'Public Sector',
         'location': 'United States',
         'name': 'United States Federal Government',
         'type': 'Government'},
        {'industry': 'Cybersecurity',
         'location': 'United States',
         'name': 'U.S. Cybersecurity and Information Technology Infrastructure Agency (CISA)',
         'type': 'Government Agency'},
        {'industry': 'Legal',
         'location': 'United States',
         'name': 'U.S. Federal Courts',
         'type': 'Judicial Branch'},
        {'customers_affected': ['U.S. government agencies (hundreds of firewall devices)'],
         'industry': 'Networking & Cybersecurity',
         'location': 'United States (Global)',
         'name': 'Cisco Systems',
         'type': 'Corporation'},
    ],
    'attack_vector': [
        'Exploitation of Zero-Day Vulnerabilities (CVE-2024-20353, CVE-2024-20359)',
        'Remote Access',
    ],
    'data_breach': {
        'data_exfiltration': True,
        'sensitivity_of_data': 'High (Classified)',
        'type_of_data_compromised': [
            'Classified government documents',
            'Espionage-related data',
            'Fraud/money laundering records',
            'Foreign agent activities',
        ],
    },
    'date_detected': '2025-09-26',
    'date_publicly_disclosed': '2025-09-28',
    'description': 'Hackers breached Cisco networking equipment belonging to several US government agencies on September 26, 2025. The attack, attributed to the ArcaneDoor hacker group, targeted critical U.S. federal cyber infrastructure, including Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. Zero-day vulnerabilities (CVE-2024-20353 and CVE-2024-20359) were exploited, enabling remote denial-of-service (DoS) attacks and privilege escalation from administrator to root access. The breach follows prior incidents in 2024 and a separate August 2025 hack of U.S. federal courts by Russian actors, where classified documents were stolen.',
    'impact': {
        'brand_reputation_impact': [
            'Erosion of public trust in U.S. federal cybersecurity',
            'Reputational damage to Cisco',
        ],
        'data_compromised': [
            'Classified documents (espionage, fraud, money laundering, foreign agent activities)',
        ],
        'operational_impact': [
            'Disruption of federal cyber infrastructure',
            'Potential loss of sensitive government data',
        ],
        'systems_affected': [
            'Cisco Adaptive Security Appliance (ASA)',
            'Firepower Threat Defense (FTD) software',
            'Hundreds of Cisco firewall devices',
            'U.S. federal courts computer systems',
        ],
    },
    'initial_access_broker': {
        'data_sold_on_dark_web': ['Potential sale of exploit methods to other cybercriminal groups'],
        'entry_point': ['Cisco ASA/FTD vulnerabilities (CVE-2024-20353, CVE-2024-20359)'],
        'high_value_targets': [
            'U.S. federal cyber infrastructure',
            'Classified government documents',
        ],
        'reconnaissance_period': 'Since 2024 (ArcaneDoor group activity)',
    },
    'investigation_status': 'Ongoing (CISA and Cisco involved)',
    'motivation': [
        'Espionage',
        'Cyber Warfare',
        'Financial Gain (potential sale of exploit methods)',
    ],
    'post_incident_analysis': {
        'corrective_actions': [
            'Mandatory vulnerability assessments (CISA directive)',
            'Patch management enforcement',
        ],
        'root_causes': [
            'Unpatched zero-day vulnerabilities in Cisco devices',
            'Insufficient monitoring of high-value targets',
        ],
    },
    'ransomware': {'data_exfiltration': True},
    'references': [
        {'date_accessed': '2025-09-28', 'source': 'Bloomberg'},
        {'source': 'Wired'},
        {'date_accessed': '2025-09-25', 'source': 'CISA Directive (September 25, 2025)'},
    ],
    'regulatory_compliance': {
        'regulatory_notifications': ['CISA directives to federal agencies'],
    },
    'response': {
        'communication_strategy': [
            'Public disclosure via Bloomberg',
            'CISA advisories',
        ],
        'containment_measures': [
            'CISA directive to identify affected devices',
            'Data collection and threat assessment using CISA tools',
        ],
        'enhanced_monitoring': ['Use of CISA cybersecurity tools for threat assessment'],
        'incident_response_plan_activated': True,
        'remediation_measures': [
            'Patching vulnerabilities (CVE-2024-20353, CVE-2024-20359)',
            'Addressing cyber vulnerabilities in Cisco devices',
        ],
        'third_party_assistance': ['Cisco Cybersecurity Experts'],
    },
    'stakeholder_advisories': [
        'CISA directives to federal agencies',
        'Public statements by Chris Butera (CISA)',
    ],
    'threat_actor': [
        'ArcaneDoor Hacker Group',
        'Russian Hackers (for federal courts breach)',
    ],
    'title': 'Hackers hit the United States: Critical federal infrastructure compromised via Cisco networking equipment breach',
    'type': [
        'Cyberattack',
        'Privilege Escalation',
        'Denial-of-Service (DoS)',
        'Data Breach',
    ],
    'vulnerability_exploited': [
        'CVE-2024-20353 (Infinite Loop DoS)',
        'CVE-2024-20359 (Privilege Escalation: Admin → Root)',
    ],
}
```