NEWS Two Vulnerabilities, Dozens of Countries, Total Control: Storm-1849 Turned Cisco ASA into a Global Spying Tool

ExcalibuR

CISA's emergency directive failed to stop the attacks—hackers maintain access even after patching.

The Chinese hacking group tracked as Storm-1849 continues to actively attack Cisco ASA devices used by government entities and large organizations worldwide. This is according to the Unit 42 analytical team from Palo Alto Networks, which has been monitoring the threat actors' activities throughout October. Vulnerable devices were identified not only in the USA but also in government networks across Europe, Asia, Africa, and Oceania.

Cisco Adaptive Security Appliance is one of the most widespread networking products, combining firewall, antivirus filtering, anti-spam protection, and other security components. Due to its extensive use in the infrastructure of ministries, banks, and defense sector contractors, these systems have become a priority target for attackers.

According to Unit 42, Storm-1849's activity was particularly prominent during October, except for a break in the first week of the month—presumably due to the Golden Week holiday in China. They noted targeted reconnaissance and exploitation of 12 IP addresses belonging to US federal structures, as well as 11 addresses at the state and municipal level. Beyond the US, the list of affected entities included addresses associated with government systems in India, France, the UK, Japan, Norway, the UAE, Australia, Poland, Austria, Spain, the Netherlands, Nigeria, Azerbaijan, and Bhutan.


Storm-1849 is also known as UAT4356. According to Cisco, this group has been exploiting vulnerabilities in ASA devices since at least 2024. The company collaborated with government agencies to investigate a wave of attacks targeting the ASA 5500-X series with VPN web services enabled.

In October, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive, mandating all federal civilian agencies to immediately install updates for two critical vulnerabilities—CVE-2025-30333 and CVE-2025-20362. The agency's report notes that attackers combine both vulnerabilities to gain persistent access to the system, even after a reboot or firmware update.

Despite the directive and widespread awareness of the threat, Storm-1849's attacks have not ceased. Experts warn that this group operates with high speed and shows clear signs of evolution. Although CISA does not formally attribute the attacks to China, related infrastructure analysis of ArcaneDoor by Censys researchers revealed connections to Chinese providers and censorship circumvention software created in the PRC.

CISA and Cisco declined to provide additional comments regarding the attribution of the 2025 campaign to Chinese groups, despite its similarities to the ArcaneDoor operation disclosed a year earlier.