Chinese hackers scanning, exploiting Cisco ASA firewalls used by governments worldwide
A China-based hacking group is exploiting vulnerabilities in Cisco firewalls, with targets including governments and financial institutions in the U.S., Europe and Asia. 2025-10-31 17:46:26 Author: therecord.media

China-based hackers are scanning for and exploiting a popular line of Cisco firewalls used by governments in the U.S., Europe and Asia. 

Incident responders from Palo Alto Networks’ Unit 42 have been tracking the targeting of Cisco Adaptive Security Appliances (ASA) — popular devices used by governments and large businesses to consolidate several different security tasks into a single appliance. In addition to acting as firewalls, the appliances also prevent some intrusions, handle spam, conduct antivirus checks and more.

In a report shared with Recorded Future News, Unit 42 attributed the targeting of Cisco ASA devices to Storm-1849 — a China-based threat group that Cisco previously said has been attacking the tools since 2024.   

Unit 42 researchers said they saw continued Chinese targeting of Cisco ASA devices at U.S. financial institutions, defense contractors and military organizations throughout October. They noted that Storm-1849, also referred to as UAT4356, is known to target government, defense industry and financial institutions.

They noted that there was a lull in activity between October 1 and October 8 — likely due to China’s Golden Week.

Pete Renals, director of National Security Programs for Unit 42, said that throughout October, Storm-1849 “persisted in targeting vulnerable government edge devices.” 

Unit 42 saw scanning and exploitation activity targeting 12 IP addresses used by federal agencies in the U.S. They saw 11 other local and state government IP addresses targeted in October. 

In addition to U.S. agencies, federal government IP addresses in India, Nigeria, Japan, Norway, France, the U.K., the Netherlands, Spain, Australia, Poland, Austria, UAE, Azerbaijan and Bhutan were targeted.

One month ago, the Cybersecurity and Infrastructure Security Agency (CISA) released an emergency directive ordering all federal civilian agencies to patch CVE-2025-30333 and CVE-2025-20362 — two vulnerabilities impacting Cisco ASA devices. 

Hackers have been seen chaining the two bugs together during attacks, according to CISA, which added that the hackers are sophisticated and have found ways to gain access to ASAs before manipulating devices so that their access persists through reboots and system upgrades.

Agencies were given just one day to apply the patches and CISA officials stressed that threat actors were exploiting the bugs with “alarming ease.” Cisco said in its report on the campaign that it worked with multiple government agencies in May 2025 to investigate attacks targeting the ASA 5500-X Series devices running Cisco Secure Firewall ASA Software with VPN web services.

“Despite cybersecurity advisories and emergency directives last month highlighting the critical need for patching, the actor has continued their campaigns seemingly undeterred,” Renals said. 

“While groups like Salt and Volt Typhoon remain an active threat, newer groups like Storm-1849… are quickly expanding their operations and gaining global prominence.”

CISA did not attribute the exploitation of the bugs but tied it to the same nation-state hackers behind the ArcaneDoor campaign discovered last year.

CISA and Cisco declined to formally attribute the 2025 campaign to Chinese actors but cybersecurity research firm Censys investigated actor-controlled IPs tied to the 2024 ArcaneDoor campaign and found data “suggesting the potential involvement of an actor based in China, including links to multiple major Chinese networks and the presence of Chinese-developed anti-censorship software.”

CISA and Cisco did not respond to requests for comment.


Martin Matishak is the senior cybersecurity reporter for The Record. Prior to joining Recorded Future News in 2021, he spent more than five years at Politico, where he covered digital and national security developments across Capitol Hill, the Pentagon and the U.S. intelligence community. He previously was a reporter at The Hill, National Journal Group and Inside Washington Publishers.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.


Article source: https://therecord.media/chinese-hackers-scan-exploit-firewalls-government