Hackers have exploited vulnerabilities in Cisco Systems’ firewall devices used across US federal agencies, according to officials.
The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on Thursday, ordering civilian agencies to identify and mitigate breaches.
The flaws were used to implant malicious code and execute commands, raising fears of stolen data. Cisco confirmed that it had been investigating attacks since May 2025 after multiple government agencies reported incidents.
The UK’s National Cyber Security Centre (NCSC) also raised alarms, warning that the threat extended beyond US borders and could affect critical infrastructure.
CISA moves to contain the breaches
CISA acted quickly after confirming that the intrusions had reached federal networks.
Chris Butera, acting deputy executive assistant director for CISA’s cybersecurity division, said the threat was “widespread” and stressed that private companies and other government bodies should also act.
Although the directive applies only to civilian agencies, the scale of the incident suggested a broader risk to critical infrastructure in the US.
Bloomberg reports, specific victims were not disclosed, but CISA’s investigation confirmed that compromised devices were active within government systems.
Cisco reveals the ArcaneDoor hackers
Cisco identified the hackers as ArcaneDoor, a group that has been running cyber-espionage campaigns since 2024. The company said it was first engaged by government agencies in May 2025 to investigate firewall attacks.
Cisco issued a security alert detailing that the attackers had exploited flaws in its devices to implant code, run commands, and potentially steal sensitive data.
The vulnerabilities allowed hackers to bypass defences, making federal systems a prime target. Cisco’s findings showed that ArcaneDoor had shifted its focus from global espionage to US entities in recent months.
International alerts and expanding risks
The UK’s NCSC echoed CISA’s warnings, noting that the vulnerabilities could be used to implant malicious code across networks.
Its advisory emphasised that the attacks were not limited to US agencies, raising concerns about risks to international partners. Cybersecurity firm Palo Alto Networks also confirmed it had been tracking ArcaneDoor since last year.
Sam Rubin, senior vice president at Palo Alto’s Unit 42 team, said the group had changed its methods over time, escalating its campaigns as they turned towards the US.
Rubin added that cybercriminal groups would likely exploit the same flaws following the exposure of these espionage tactics.
Federal infrastructure and private sector on alert
CISA’s statement confirmed that the breaches could affect critical infrastructure in the US, although no further details were given.
Federal officials urged private companies to take the same protective measures, highlighting the potential spread of the campaign beyond government systems.
The ArcaneDoor operation is seen as a significant escalation, with the capability to implant malware, exfiltrate data, and disrupt essential networks.
The warnings underline how vulnerabilities in widely used devices like Cisco firewalls create systemic risks, making cybersecurity responses urgent across both government and private sectors.
The post Hackers breach US federal firewalls as ArcaneDoor cyber-espionage expands appeared first on Invezz
