CISA Confirms US Agency Breach via Cisco Vulnerability, FIRESTARTER Malware Maintains Persistent Access
In September 2025, a U.S. government agency was breached through vulnerabilities in its Cisco firewalls. The Cybersecurity and Infrastructure Security Agency (CISA) confirmed that the unnamed agency was compromised with malware it tracks as “FIRESTARTER.” The implant gave the attackers persistent access to the Cisco device, so they no longer needed to re-exploit the original vulnerabilities to get back in.
CISA subsequently issued an advisory describing FIRESTARTER and directed federal civilian agencies to take specific steps to find infected devices. It had already alerted all federal entities in September to patch two vulnerabilities in Cisco Adaptive Security Appliance (ASA) software, CVE-2025-20333 and CVE-2025-20362 (the original text gives the first as CVE-2025-30333, which is a transposition of the Cisco identifier).
Ongoing Threats and Malware Persistence
CISA’s recent advisory updates were driven by new threat intelligence showing that threat actors were retaining persistent access to Cisco Firepower and Secure Firewall appliances running ASA or Firepower Threat Defense (FTD) software. The ASA product line is widely deployed by government agencies and large enterprises because it consolidates several security functions in a single appliance, including firewalling, intrusion prevention, spam filtering, and antivirus checks.
Through its continuous monitoring program, CISA identified suspicious connections on a Cisco Firepower device belonging to a U.S. Federal Civilian Executive Branch (FCEB) agency. Following this discovery, CISA conducted a forensic investigation, confirming the presence of FIRESTARTER on the compromised device.
The attackers also deployed a second malware family, Line Viper, which opened unauthorized virtual private network (VPN) sessions that bypassed the device’s VPN authentication. Together, the two implants let the intruders return to the compromised device at will without exploiting the original vulnerabilities again, and there are indications of continued access into March 2026.
Vulnerability and Exploitation Timeline
Devices that were compromised before the vulnerabilities were patched remain at risk, because patching closes the entry point but does not remove FIRESTARTER from a device where it is already installed. According to CISA, the malware was placed on the affected Cisco device before September 25, 2025, although the exact date of infection has not been determined. The attackers also used dormant federal accounts at the agency, which complicated detection and response.
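The practical consequence of the point above is that a patched device is not a clean device. The following triage script is an added example, not something CISA or Cisco published: it takes a constructed appliance inventory (hypothetical field names, made-up device names) and classifies each appliance by whether it ever ran vulnerable software while exposed, which is what decides whether a forensic check is needed, regardless of current patch status. The September 25, 2025 date comes from the article and is used only for reporting.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Per the article, FIRESTARTER was already present on the affected device by this
# date; the true first-infection date is unknown, so every pre-patch exposure counts.
IMPLANT_PRESENT_BY = date(2025, 9, 25)

# Report date, matching the article's publication date (assumption for the sample).
AS_OF = date(2026, 4, 24)


@dataclass
class Appliance:
    name: str
    software: str                # "ASA" or "FTD" (hypothetical field names)
    exposed: bool                # VPN web services reachable from untrusted networks
    deployed_on: date            # date the appliance went into service
    patched_on: Optional[date]   # date fixed software was installed; None = unpatched


def disposition(a: Appliance) -> str:
    """Classify one appliance. Patch status alone never clears a device that ran
    vulnerable code while exposed, because the implant survives patching."""
    if not a.exposed:
        return "inventory-only"            # report it; low triage priority
    if a.patched_on is None:
        return "unpatched-forensic-check"  # still exploitable and possibly implanted
    if a.deployed_on < a.patched_on:
        return "patched-forensic-check"    # ran vulnerable while exposed: check for implant
    return "patched-no-exposure"           # went into service already on fixed software


def exposure_days(a: Appliance, as_of: date = AS_OF) -> int:
    """Days the appliance was exposed while unpatched (0 if never exposed)."""
    if not a.exposed:
        return 0
    end = a.patched_on if a.patched_on is not None else as_of
    return max(0, (end - a.deployed_on).days)


def triage(appliances: List[Appliance], as_of: date = AS_OF) -> Dict[str, Tuple[str, int]]:
    """Map each appliance name to (disposition, exposure days)."""
    return {a.name: (disposition(a), exposure_days(a, as_of)) for a in appliances}


# Constructed sample inventory; these are not real devices.
SAMPLE = [
    Appliance("fw-edge-1", "ASA", True, date(2025, 9, 1), date(2025, 9, 26)),
    Appliance("fw-edge-2", "FTD", True, date(2025, 10, 15), date(2025, 10, 15)),
    Appliance("fw-lab-1", "ASA", False, date(2024, 3, 1), None),
    Appliance("fw-vpn-3", "ASA", True, date(2025, 6, 1), None),
]

REPORT = triage(SAMPLE)

if __name__ == "__main__":
    for name, (status, days) in REPORT.items():
        flag = " (exposed before implant date)" if days and SAMPLE[[a.name for a in SAMPLE].index(name)].deployed_on < IMPLANT_PRESENT_BY else ""
        print(f"{name:10} {status:26} exposed {days:4d} days{flag}")
```

Note that fw-edge-1 was patched the day after the disclosure and still lands in the forensic-check bucket: it ran vulnerable, exposed software for 25 days, and nothing in its patch record says whether an implant was installed during that window. Only fw-edge-2, which went into service already on fixed software, can be cleared from patch data alone.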
Line Viper gave the threat actors broad access to the victim’s Firepower device, including administrative credentials, certificates, and private keys. CISA has not publicly attributed the intrusion, but sources say the campaign aligns with interests attributed to Chinese state-sponsored groups.
Collaborative Efforts and New Guidance
In response to the ongoing threats, CISA released new advisories in collaboration with the United Kingdom’s National Cyber Security Centre (NCSC). The two agencies also issued a joint notice regarding Chinese government-linked threat actors utilizing covert networks of compromised devices. This advisory highlighted tactics employed by groups such as Volt Typhoon and Flax Typhoon, previously linked to attacks on U.S. government and critical infrastructure.
Cisco’s analysis of CVE-2025-20333 and CVE-2025-20362 (the first of which the original text gives as CVE-2025-30333) assessed with high confidence that the campaign is the work of the same threat actors behind the ArcaneDoor campaign uncovered in 2024. Cisco characterized these attacks as part of a broader effort by state-sponsored actors.
CISA’s advisories outline a series of mandatory actions for all federal civilian agencies in light of the latest campaign against Cisco firewall devices. Each agency must submit detailed information regarding their systems, and if a compromise is confirmed, CISA will provide further instructions, which may include directives to physically disconnect devices to eliminate FIRESTARTER’s persistence.
Agencies must confirm completion of the malware checks by midnight on Friday and, by May 1, provide an inventory of their Cisco Firepower devices. CISA plans to deliver a report on the campaign to the National Cyber Director and other White House officials by August 1. The agency has stressed that the steps in the September advisory are not sufficient on their own to eradicate the malware or evict the threat actors from compromised systems.
CISA has cautioned organizations not to disconnect devices unless explicitly instructed to, since doing so prematurely can destroy forensic evidence and alert the intruders. The agency has also published guidance on how organizations can determine whether their devices are infected with FIRESTARTER.
For more information on the ongoing cybersecurity landscape and the implications of these developments, refer to the detailed report by CISA, as reported by cyberwarriorsmiddleeast.com.
Published on 2026-04-24 09:44:00 • By FAME Delivered News Desk
