The US Congressional Budget Office (CBO), a key source of fiscal analysis for Congress, has confirmed a cybersecurity incident that may have exposed sensitive inter-office communications and enabled targeted phishing activity.
The breach was disclosed on Thursday, November 6, 2025, when the CBO issued a public statement confirming the incident and detailing its immediate containment measures. The agency reported that it had implemented additional monitoring and new security controls following the discovery. While the statement did not attribute the attack to any specific group, The Washington Post cited sources indicating a suspected foreign actor may have been involved.
The Congressional Budget Office is a non-partisan federal agency established in 1974 to provide independent budgetary and economic analysis to the US Congress. It plays a vital role in informing legislative decision-making, offering projections and reports that influence trillions in federal spending.
The scope of the breach appears to involve potential compromise of email communications between the CBO and congressional offices. According to internal notifications from the Senate Sergeant at Arms' office, attackers may have accessed email metadata or content that could be repurposed to craft convincing phishing emails. Officials warned congressional staff to be vigilant and to verify the authenticity of any communications appearing to originate from the CBO. There is also concern that internal office chat logs may have been exposed, expanding the possible social engineering surface.
Security researcher Kevin Beaumont posted on Mastodon that CBO’s Cisco AnyConnect VPN concentrator was the likely entry vector. According to Beaumont, the device was more than a year behind on security patches at the time of the breach and has since been taken offline. He also claimed to have previously alerted the CBO about the outdated system.
Cisco’s AnyConnect Secure Mobility Client is a widely used remote access solution that has been a frequent target for attackers, especially when critical vulnerabilities go unpatched. In the past two years, threat actors, including state-sponsored groups, have exploited flaws in outdated VPN appliances to gain initial access to government and enterprise networks.
At the time of writing, the CBO has not confirmed the specific vulnerability or intrusion vector but emphasized that it continues to investigate and that normal operations for Congress are ongoing.
Leave a Reply