CISA Confirms U.S. Agency Breach via Cisco Vulnerability; FIRESTARTER Malware Ensures Ongoing Access

In September, a U.S. government agency experienced a significant cyber breach due to vulnerabilities in Cisco firewalls. The Cybersecurity and Infrastructure Security Agency (CISA) confirmed that the unnamed department was compromised by malware identified as “FIRESTARTER.” This malware enabled attackers to maintain access to the Cisco device without needing to exploit the original vulnerabilities repeatedly.

CISA issued an advisory outlining the characteristics of the FIRESTARTER malware and mandated that federal civilian agencies take specific actions to identify potential infections. Earlier in September, CISA had alerted all federal entities to patch two critical vulnerabilities—CVE-2025-30333 and CVE-2025-20362—affecting Cisco Adaptive Security Appliances (ASA).

Ongoing Threats and Malware Persistence

CISA’s recent updates were driven by new cyber threat intelligence indicating that threat actors were retaining persistent access to Cisco Firepower and Secure Firewall products equipped with ASA or Firepower Threat Defense (FTD) software. The ASA product line is extensively used by government agencies and large enterprises for its ability to consolidate multiple security functions, including firewall capabilities, intrusion prevention, spam filtering, and antivirus checks.

Through its continuous monitoring program, CISA detected suspicious connections on a Cisco Firepower device belonging to a U.S. Federal Civilian Executive Branch (FCEB) agency. Following this discovery, CISA conducted a forensic investigation, confirming the presence of FIRESTARTER on the compromised device.

Additionally, the attackers utilized another malware strain known as Line Viper, which established unauthorized virtual private network (VPN) sessions that bypassed existing VPN authentication protocols. This combination of malware allowed the hackers to regain access to the compromised device without needing to exploit the original vulnerabilities again, with indications of continued access extending into March 2026.

Vulnerability and Exploitation Timeline

Devices compromised before the vulnerabilities were patched remain at risk due to the presence of FIRESTARTER. CISA reported that the malware was deployed on the affected Cisco device prior to September 25, 2025, although the precise date of infection is still undetermined. The attackers also exploited inactive federal accounts within the agency, complicating detection and response efforts.

Line Viper granted the threat actors extensive access to the victim’s Firepower device, including administrative credentials, certificates, and private keys. While CISA has not publicly identified the nation-state actors responsible for the attack, sources suggest that the campaign aligns with interests attributed to Chinese state-sponsored groups.

Collaborative Efforts and New Guidance

In response to the ongoing threats, CISA released new advisories in collaboration with the United Kingdom’s National Cyber Security Centre (NCSC). The two agencies issued a joint notice regarding Chinese government-linked threat actors utilizing covert networks of compromised devices. This advisory highlighted tactics employed by groups such as Volt Typhoon and Flax Typhoon, which have been previously linked to attacks on U.S. government and critical infrastructure.

Cisco has conducted a thorough analysis of the vulnerabilities CVE-2025-30333 and CVE-2025-20362, asserting a high level of confidence that the campaign is connected to the same threat actors responsible for the ArcaneDoor campaign, uncovered in 2024. Cisco has characterized these attacks as part of a broader initiative by state-sponsored threat actors.

CISA’s advisories outline mandatory actions for all federal civilian agencies in light of the latest campaign against Cisco firewall devices. Each agency must submit detailed information regarding its systems, and if a compromise is confirmed, CISA will provide further instructions, which may include directives to physically disconnect devices to eliminate FIRESTARTER’s persistence.

Agencies are required to confirm the completion of malware checks by midnight on Friday, and by May 1, they must provide an inventory of Cisco Firepower devices. CISA plans to deliver a report on the campaign to the National Cyber Director and other White House officials by August 1. The agency has emphasized that the initial actions outlined in the September advisory are insufficient to fully eradicate the malware or eliminate the threat actors from compromised systems.

CISA has cautioned organizations to refrain from disconnecting devices unless explicitly instructed to do so. The agency has also provided guidance on how organizations can determine if they are infected with FIRESTARTER malware.

Published on 2026-04-24 09:44:00 • By the Editorial Desk