CISA Defunding and Dismantling Affects US Cyber Defense
Summary
The Cybersecurity and Infrastructure Security Agency (CISA) is being defunded and dismantled, jeopardizing US cyber defense capabilities. CISA's role in identifying and mitigating vulnerabilities is crucial for timely responses to zero-day exploits. The termination of key partnerships and layoffs of employees have raised concerns about the future of federal cybersecurity efforts. The defunding of CISA impacts the timely identification and mitigation of vulnerabilities, leaving organizations more exposed to cyber threats. The potential dismantling of CISA could lead to increased response times and delayed fixes for critical vulnerabilities. The Cybersecurity Information Sharing Act of 2015 is also up for renewal, further complicating the landscape. Without CISA, organizations may rely more on internal resources and collaboration within the cybersecurity community.
Timeline
- 12.09.2025 17:00 · 1 article
CISA Defunding and Dismantling Impact US Cyber Defense
The Cybersecurity and Infrastructure Security Agency (CISA) is being defunded and dismantled, jeopardizing US cyber defense capabilities. The termination of key partnerships and layoffs of employees have raised concerns about the future of federal cybersecurity efforts. The potential dismantling of CISA could lead to increased response times and delayed fixes for critical vulnerabilities, leaving organizations more exposed to cyber threats. The Cybersecurity Information Sharing Act of 2015 is also up for renewal, further complicating the landscape.
- Without Federal Help, Cyber Defense Is Up to the Rest of Us — www.darkreading.com — 12.09.2025 17:00
Information Snippets
- CISA has been defunded and is being dismantled, impacting its ability to detect and prevent cybersecurity risks.
First reported: 12.09.2025 17:00 · 1 source, 1 article
- Without Federal Help, Cyber Defense Is Up to the Rest of Us — www.darkreading.com — 12.09.2025 17:00
- The termination of CISA's $10 million partnership with the Center for Internet Security and layoffs of over 100 employees have weakened its operational capacity.
First reported: 12.09.2025 17:00 · 1 source, 1 article
- Without Federal Help, Cyber Defense Is Up to the Rest of Us — www.darkreading.com — 12.09.2025 17:00
- The Common Vulnerabilities and Exposures program, funded through CISA, was extended but faces an uncertain future.
First reported: 12.09.2025 17:00 · 1 source, 1 article
- Without Federal Help, Cyber Defense Is Up to the Rest of Us — www.darkreading.com — 12.09.2025 17:00
- The Cybersecurity Information Sharing Act of 2015 is up for renewal, with no clear indication of its future.
First reported: 12.09.2025 17:00 · 1 source, 1 article
- Without Federal Help, Cyber Defense Is Up to the Rest of Us — www.darkreading.com — 12.09.2025 17:00
- CISA's role in identifying and mitigating vulnerabilities is crucial for timely responses to zero-day exploits.
First reported: 12.09.2025 17:00 · 1 source, 1 article
- Without Federal Help, Cyber Defense Is Up to the Rest of Us — www.darkreading.com — 12.09.2025 17:00
- Without CISA, organizations may face delayed responses to vulnerabilities, increasing the risk of exploitation.
First reported: 12.09.2025 17:00 · 1 source, 1 article
- Without Federal Help, Cyber Defense Is Up to the Rest of Us — www.darkreading.com — 12.09.2025 17:00
Similar Happenings
CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03, mandating federal agencies to identify and mitigate zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) exploited by an advanced threat actor. The directive requires agencies to account for all affected devices, collect forensic data, and upgrade or disconnect end-of-support devices by September 26, 2025. The vulnerabilities allow threat actors to maintain persistence and gain network access. Cisco identified multiple zero-day vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363, and CVE-2025-20352) in Cisco ASA, Firewall Threat Defense (FTD) software, and Cisco IOS software. These vulnerabilities enable unauthenticated remote code execution, unauthorized access, and denial of service (DoS) attacks. GreyNoise detected large-scale campaigns targeting ASA login portals and Cisco IOS Telnet/SSH services, indicating potential exploitation of these vulnerabilities. The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. CISA and Cisco linked these ongoing attacks to the ArcaneDoor campaign, which exploited two other ASA and FTD zero-days (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide since November 2023. CISA ordered agencies to identify all Cisco ASA and Firepower appliances on their networks, disconnect all compromised devices from the network, and patch those that show no signs of malicious activity by 12 PM EDT on September 26. CISA also ordered that agencies must permanently disconnect ASA devices that are reaching the end of support by September 30 from their networks.
The U.K. National Cyber Security Centre (NCSC) confirmed that threat actors exploited the recently disclosed security flaws in Cisco firewalls to deliver previously undocumented malware families like RayInitiator and LINE VIPER. Cisco began investigating attacks on multiple government agencies in May 2025, linked to the state-sponsored ArcaneDoor campaign. The attacks targeted Cisco ASA 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data. The threat actor modified ROMMON to facilitate persistence across reboots and software upgrades. The compromised devices include ASA 5500-X Series models running specific software releases with VPN web services enabled. The Canadian Centre for Cyber Security urged organizations to update to a fixed version of Cisco ASA and FTD products to counter the threat.
GeoServer RCE Exploit Used in Federal Agency Breach
A U.S. federal civilian executive branch (FCEB) agency was breached in July 2024 after attackers exploited an unpatched GeoServer instance. The attackers gained initial access through a critical remote code execution (RCE) vulnerability (CVE-2024-36401) and moved laterally within the network, deploying web shells and scripts for persistence and privilege escalation. The breach remained undetected for three weeks until the agency's Endpoint Detection and Response (EDR) tool alerted the Security Operations Center (SOC). The attackers exploited the vulnerability in GeoServer, which was patched in June 2024 but remained unpatched in the agency's environment. They used brute force techniques for lateral movement and privilege escalation, accessing service accounts and deploying web shells like China Chopper. The breach highlights the importance of timely patching, continuous monitoring of EDR alerts, and comprehensive incident response plans. The attackers discovered the vulnerable GeoServer instances by conducting network scanning with Burp Suite. They exploited the vulnerability to gain access to a public-facing GeoServer instance and downloaded open-source scripts and tools for lateral movement. On July 24, 2024, the attackers exploited the same vulnerability to gain access to a second GeoServer instance and moved laterally to a Web server and SQL server, where they dropped web shells, including China Chopper. The attackers also used Stowaway for command-and-control (C2) traffic and attempted to exploit CVE-2016-5195 for privilege escalation. The agency's incident response plan was inadequate, and some public-facing resources lacked endpoint protection, allowing the breach to remain undetected for three weeks.