A China-linked hacking group, known to security experts as Storm-1849 (also tracked as UAT4356), has been actively compromising Cisco firewalls used by governments and large firms worldwide.
According to experts at Palo Alto Networks’ Unit 42, the hackers are “scanning for and exploiting a popular line of Cisco firewalls,” specifically the Cisco Adaptive Security Appliance (ASA) line, which is vital for government bodies, defence institutions, and major companies across the US, Europe, and Asia.
It is worth noting that Cisco ASA appliances are high-value targets because they combine several security roles, such as filtering network traffic, checking for viruses, and handling secure connections (VPNs), acting as a gateway to sensitive internal systems.
Though CISA and Cisco have not officially named Chinese actors as responsible for the 2025 campaign, cybersecurity research firm Censys previously found convincing signs pointing toward China in related 2024 attacks.
A Global Security Threat
Palo Alto Networks’ Unit 42’s findings, shared with The Record, report that this campaign lasted throughout October. In the US, researchers observed activity against 12 network addresses (IPs) tied to federal government agencies and 11 others belonging to state or local government offices. Interestingly, the researchers noted a pause in activity between October 1 and October 8, which they believe was likely due to China’s Golden Week holiday.
Unit 42 researchers also noted that the threat extends far beyond America. Public network addresses in numerous other countries have also been targeted, including India, Nigeria, Japan, Norway, France, the UK, the Netherlands, Spain, Australia, Poland, Austria, the UAE, Azerbaijan, and Bhutan.
Further probing revealed that Storm-1849 also focused on US financial institutions, military organisations, and defence contractors. Pete Renals, director of National Security Programs for Unit 42, said that throughout October, the group “persisted in targeting vulnerable government edge devices.”
Urgent Call to Patch
The hackers are reportedly chaining together two known vulnerabilities in Cisco ASA devices, identified as CVE-2025-30333 (CVSS 9.9) and CVE-2025-20362 (CVSS 6.5). Combined, the two flaws allow them to gain deep, persistent control over the appliances. CVE-2025-30333 is a serious issue that lets an attacker with VPN credentials run their own code on the device, while CVE-2025-20362 allows an unauthenticated remote attacker to bypass security checks and reach restricted areas.
The US Cybersecurity and Infrastructure Security Agency (CISA) had already issued an emergency directive one month ago, ordering all federal civilian agencies to quickly apply patches for these two issues.
Despite the security advisories, the attacks continued seemingly undeterred. Research also reveals that the attackers have found ways to maintain their access even if the device reboots or receives a system upgrade.
Experts’ Commentary
Several security experts have shared their perspectives on this discovery with Hackread.com. James Maude, Field CTO at BeyondTrust, emphasised the need to “keep calm and patch” the two CVEs immediately, per the CISA directive.
He also stressed that due to the attackers’ ability to modify settings and maintain access, any organization that suspects compromise must reset its Cisco configurations to factory defaults, changing all passwords, keys, and certificates before reconfiguring the device.
Heath Renfrow, Co-Founder and Chief Information Security Officer at Fenix24, reinforced that the continued attacks confirm that “edge devices are now primary targets, not secondary infrastructure.”
He advised organisations to verify that their appliances are running supported software and warned that “Patching alone isn’t enough – assume compromise and perform full credential hygiene and log review.”