
"The letter comes weeks after CISA sounded the alarm about the vulnerabilities. It warned of "an unacceptable risk" to government systems if Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices are left unpatched, and gave federal agencies just 24 hours to identify affected kit, check logs for compromise, and apply Cisco's fixes. The directive further demanded that devices hitting end of support (EoS) be removed entirely."
"At the time, Cisco admitted the flaws had been exploited as far back as May, when government incident responders called it in to help investigate intrusions on ASA 5500-X firewalls. It said attackers had been "dropping implants, running commands, and siphoning data" well before the public was alerted. The months-long exploitation has been linked to the ArcaneDoor campaign, which first came to light in April 2024."
"Cassidy's letter [PDF] to Cisco CEO Chuck Robbins demands clarity around the company's knowledge of and response to the critical flaws - namely CVE-2025-20333 and CVE-2025-20362 - that prompted the US government to issue an emergency patching directive for federal civilian agencies. Cassidy says "at least one federal agency has already been breached as a result of this vulnerability," a claim Cisco has not publicly confirmed or denied."
Senator Bill Cassidy sent a letter to Cisco seeking clarity about critical firewall flaws CVE-2025-20333 and CVE-2025-20362 that led to an emergency federal patch directive. CISA warned of an unacceptable risk and ordered federal civilian agencies to identify affected devices, inspect logs for compromise, apply fixes within 24 hours, and remove end-of-support devices. Cisco acknowledged exploitation dating back to May, reporting attackers were dropping implants, running commands, and siphoning data. The exploitation has been linked to the ArcaneDoor campaign and to a Chinese-linked crew called UAT4356 active since November 2023. Cassidy pressed Cisco on threat specifics and agency engagement.
Read at The Register