US cybersecurity agency CISA said federal government departments are not sufficiently patching Cisco firewalls to protect against active hacking activity targeting them.
In an updated advisory released Wednesday, CISA said it is now “actively tracking the exploitation” of two security flaws in Cisco's Adaptive Security Appliance (ASA) software, which hardens a variety of enterprise-grade firewalls used by major companies and government agencies to protect networks from malicious outsiders.
CISA said the flaw has been being exploited by a “sophisticated” but as-yet-unnamed attacker since September, prompting CISA to issue its third emergency directive this year ordering government agencies to patch affected systems.
Although some federal agencies have told agencies they have patched their systems, CISA said some agencies “remain vulnerable” to the threats outlined in the agency's directive.
The agency did not say which government departments were compromised, but called on all government agencies with affected Cisco devices to update to the latest patch version to avoid exploitation.
Last week, the Congressional Budget Office acknowledged that it had been hacked and that suspected foreign hackers were able to steal the agency's emails and chat logs between members of Congress' offices and researchers at the agency.
CBO, which provides economic analysis and information to lawmakers, has not said how the hackers got in, but security researcher Kevin Beaumont found that CBO had not patched the affected Cisco firewalls before the U.S. government shutdown on October 1. CBO took the affected Cisco routers offline shortly before disclosing the hack.