China-based hackers exploit unpatched Cisco firewalls to target global government networks

The group, known as Storm-1849 (also tracked as UAT4356), has been actively compromising Cisco Adaptive Security Appliance (ASA) devices — a critical line of firewalls widely used by federal and state agencies, defense institutions, and major private firms.

Researchers at Palo Alto Networks’ Unit 42 revealed that the hackers are scanning and exploiting vulnerable Cisco ASA systems to gain deep, persistent access to sensitive networks. These appliances are particularly high-value targets because they combine multiple security functions, including traffic filtering, VPN management, and virus detection, effectively serving as gateways to protected internal systems.

Although neither CISA nor Cisco has officially attributed the 2025 campaign to Chinese actors, cybersecurity firm Censys previously identified strong evidence linking similar 2024 attacks to China.

A Global Security Threat
According to Unit 42’s findings shared with The Record, the campaign persisted throughout October. In the United States alone, the researchers observed malicious activity directed at 12 IP addresses belonging to federal agencies and 11 associated with state or local government offices.

A notable pause in attacks between October 1 and October 8 coincided with China’s Golden Week holiday — a possible indication of the attackers’ origin.

The threat, however, extends well beyond the US. The same group has reportedly targeted networks in India, Nigeria, Japan, Norway, France, the UK, the Netherlands, Spain, Australia, Poland, Austria, the UAE, Azerbaijan, and Bhutan. Storm-1849 also appears to have focused on US financial institutions, military organizations, and defense contractors.

Pete Renals, Director of National Security Programs for Unit 42, said that the group “persisted in targeting vulnerable government edge devices throughout October.”

Urgent Call to Patch
The attackers are exploiting two known vulnerabilities in Cisco ASA devices: CVE-2025-30333 (CVSS 9.9) and CVE-2025-20362 (CVSS 6.5). The first allows attackers with VPN credentials to execute arbitrary code on affected systems, while the second lets unauthenticated remote attackers bypass security restrictions to access protected areas.

The US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive last month, ordering all federal civilian agencies to immediately patch both vulnerabilities.

Despite this directive, the campaign has continued largely unabated. Researchers warn that the attackers have developed methods to maintain persistence even after device reboots or firmware updates.

Experts’ Commentary
Security professionals are urging organizations to act decisively. James Maude, Field CTO at BeyondTrust, emphasized the need to “keep calm and patch” the identified vulnerabilities immediately, as outlined in CISA’s directive.

He advised that compromised organizations should reset their Cisco configurations to factory defaults, replace all passwords, keys, and certificates, and verify system integrity before restoring normal operations.

Heath Renfrow, Co-Founder and Chief Information Security Officer at Fenix24, noted that “edge devices are now primary targets, not secondary infrastructure,” warning that even patched systems could remain at risk if not thoroughly audited.

“Patching alone isn’t enough,” Renfrow added. “Assume compromise and perform full credential hygiene and log review.”

As cyberattacks grow increasingly sophisticated, experts stress that government and private sector networks must adopt a proactive defense posture — combining prompt patching, configuration audits, and continuous monitoring to mitigate evolving global threats.