Senator Presses Cisco Over Firewall Flaws That Burned Us Agency

US Senator Bill Cassidy has fired off a pointed letter to Cisco over the firewall flaws that allegedly let hackers breach “at least one federal agency.”

Cassidy’s letter [PDF] to Cisco CEO Chuck Robbins demands clarity around the company’s knowledge of and response to the critical flaws – namely CVE-2025-20333 and CVE-2025-20362 – that prompted the US government to issue an emergency patching directive for federal civilian agencies.

Cassidy says “at least one federal agency has already been breached as a result of this vulnerability,” a claim Cisco has not publicly confirmed or denied.

The letter comes weeks after CISA sounded the alarm about the vulnerabilities. It warned of “an unacceptable risk” to government systems if Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices are left unpatched, and gave federal agencies just 24 hours to identify affected kit, check logs for compromise, and apply Cisco’s fixes. The directive further demanded that devices hitting end of support (EoS) be removed entirely.

At the time, Cisco admitted the flaws had been exploited as far back as May, when government incident responders called it in to help investigate intrusions on ASA 5500-X firewalls. It said attackers had been “dropping implants, running commands, and siphoning data” well before the public was alerted.

The months-long exploitation has been linked to the ArcaneDoor campaign, which first came to light in April 2024. At the time, Cisco pinned the activity on a Chinese-linked threat crew known as “UAT4356”, which had been abusing the bugs to compromise government systems worldwide since November 2023.

Cassidy’s demands lay bare the tension in play. As chair of the Health, Education, Labor, and Pensions (HELP) Committee, he insists Cisco must reveal whether it’s identified any specific threats to customers, how it is engaging with affected agencies and sectors, whether its guidance mirrors CISA’s, and how it communicates risk and patching information to its broad customer base.

He points out that many US businesses – particularly smaller ones and nonprofits – lack a formal CISO and may be reliant on vendors like Cisco to bridge the expertise gap.

“As the largest provider of network infrastructure in the world, Cisco holds a unique position in delivering tools not only to the federal government, but virtually all businesses,” Cassidy wrote. “These tools connect consumers and businesses to care services, educational tools, and platforms businesses need to operate. Any vulnerability in Cisco’s systems would jeopardize this access for millions of Americans.

“As Cisco works with the federal government to patch any cybersecurity vulnerabilities, it must work with these stakeholders to ensure their systems are protected as well.”

Cassidy’s public pressure sends a message not only to Cisco but to all vendors supplying mission-critical infrastructure: transparency and accountability in cybersecurity are not optional. The firm has until October 27 to respond to Cassidy’s questions – a deadline that may test not just its security posture, but its political firewalls too. ®

Original Source