CISA is warning federal agencies against patching flawed Cisco firewalls amid “active exploitation” across the US government

The US cybersecurity agency CISA says federal government departments are not patching adequately to protect against an active hacking campaign targeting Cisco’s firewalls.

In an updated advisory published Wednesday, CISA said it is currently “actively tracking exploitation” of two security flaws in the Cisco Adaptive Security Appliance (ASA) software, which powers a suite of enterprise-level firewalls used by giant corporations and government agencies to protect their networks from malicious outsiders.

CISA said the flaws had been exploited by an “advanced” but as-yet-unnamed threat actor since September, prompting the agency to issue its third emergency directive of the year, ordering agencies to patch their affected systems.

While some federal agencies told the agency they had repaired their systems, CISA said some agencies “remain vulnerable” to threats as described in the agency’s guidance.

The agency did not say which government departments were compromised, but urged all agencies with affected Cisco devices to update to the latest patch to avoid exploitation.

Last week, the Congressional Budget Office confirmed it had been hacked, allowing suspected foreign hackers to steal the agency’s emails and chat logs between the offices of lawmakers and agency researchers.

The Congressional Budget Office, which provides analysis and economic information to lawmakers, did not say how the hackers got in, but security researcher Kevin Beaumont found that the Congressional Budget Office had an affected Cisco firewall that was not patched before the U.S. government shutdown on October 1. The congressional central bank pulled the affected Cisco router offline shortly before the breach was revealed.