U.S. cyber security officials have issued an “emergency directive” after hackers breached at least one government agency.
The Cybersecurity and Infrastructure Security Agency said it was aware of an “ongoing exploitation campaign by an advanced threat actor” that was targeting appliances made by Cisco Systems.
CISA did not specify which agencies have been affected, or how, or where the threat had come from, though experts told CNN they believe the hackers are state-backed and based in China.
The hackers, who are believed to have targeted Cisco before, have been exploiting previously unknown flaws in the software for several months. Their activity presents “a significant risk to victim networks,” according to CISA.
“We are aware of hundreds of these [affected] devices being in the federal government,” said Chris Butera, a senior official at the Cybersecurity and Infrastructure Security Agency, according to CNN.
He added that the emergency directive will help officials understand “the full scope of the compromise across federal agencies.”
In its own release, Cisco said it had been made aware of the breaches by multiple government agencies in May 2025, and had “dedicated a specialized, full-time team to this investigation, working closely with a limited set of affected customers.
“Our response involved providing instrumented images with enhanced detection capabilities, assisting customers with the analysis of packet captures from compromised environments, and conducting in-depth analysis of firmware extracted from infected devices,” the release said.
“These collaborative and technical efforts enabled our teams to ultimately identify the underlying memory corruption bug in the product software.”
According to the company, the attackers were observed to have exploited “multiple zero-day vulnerabilities and employed advanced evasion techniques.”
“The complexity and sophistication of this incident required an extensive, multi-disciplinary response across Cisco’s engineering and security teams,” Cisco’s statement added.
The company said it believes “with high confidence” that the most recent attack is related to the same threat actor as the ArcaneDoor attack campaign reported in early 2024.
Cisco has urged its customers to update their software following the attacks.
The Independent has reached out to CISA and Cisco for comment and any updates regarding the breach, including which agencies may have been targeted.