CISA: US agency breached through Cisco vulnerability, FIRESTARTER backdoor allowed access through March
A U.S. agency was breached by sophisticated hackers in September through a vulnerability in Cisco firewalls.
The Cybersecurity and Infrastructure Security Agency (CISA) said the unnamed department was infected with malware called “FIRESTARTER” that allowed the hackers to return to the Cisco device in March without re-exploiting the original vulnerabilities.
CISA published an advisory on the FIRESTARTER malware and an updated directive ordering federal civilian agencies to take specific actions to check for infection.
CISA first warned of the issues in September, when it ordered all agencies to patch CVE-2025-20333 and CVE-2025-20362 — two vulnerabilities impacting Cisco Adaptive Security Appliances (ASA).
CISA said it was releasing revisions to the advisory on Thursday “in response to updated cyber threat intelligence concerning threat actors retaining persistence and continued unauthorized access to Cisco Firepower and Secure Firewall products with Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software.”
ASA is a popular product line among governments and large businesses because it consolidates several different security tasks into a single appliance. In addition to being firewalls, the appliances also prevent some intrusions, handle spam, conduct antivirus checks and more.
CISA explained that through its continuous monitoring program, it “identified suspicious connections on one U.S. FCEB agency’s Cisco Firepower device running ASA software.”
“CISA notified and validated the true positive finding with agency personnel and initiated a forensic engagement,” CISA said on Thursday. “During the engagement, CISA discovered one malware sample — named FIRESTARTER — on the Firepower device.”
CISA added that the hackers deployed another strain of malware called Line Viper that established illegitimate virtual private network (VPN) sessions that bypassed all VPN authentication policies.
FIRESTARTER was used as a way to keep their access to the compromised device, allowing the hackers to “regain access without re-exploiting the original vulnerabilities” in March 2026.
Devices that were compromised before defenders patched CVE-2025-20333 and CVE-2025-20362 are still vulnerable because of FIRESTARTER. CISA said FIRESTARTER was deployed on the exploited Cisco device before September 25, 2025, but the exact date is unknown.
The attackers also used federal accounts that “existed but were no longer active within the agency.”
Line Viper enabled the threat actors to access everything on a victim’s Firepower device, including administrative credentials, certificates and private keys.
CISA declined to say in September and again on Thursday which country’s hackers are exploiting the bugs. Wired, which first reported on the campaign two years ago, said sources told them it “appears to be aligned with China's state interests.”
New guidance
CISA published the new advisories about the Cisco bugs alongside the United Kingdom National Cyber Security Centre (NCSC).
The two agencies also partnered on another notice on Thursday about Chinese government-linked threat actors using covert networks of compromised devices. That advisory specifically discusses tactics used by Volt Typhoon and Flax Typhoon — two Chinese groups previously identified for their attacks on the U.S. government and critical infrastructure.
In September, Cisco published a lengthy study on CVE-2025-20333 and CVE-2025-20362, assessing with high confidence that the campaign is tied to the same hackers behind the ArcaneDoor campaign discovered in 2024. Cisco previously said the ArcaneDoor attacks were part of a campaign by state-sponsored threat actors.
CISA’s advisories include multiple tasks all federal civilian agencies must take in light of the latest campaign against Cisco firewall devices.
Every federal agency will submit troves of new information, and if a compromise is confirmed CISA will send further instructions that may include “instructions to physically unplug the device from power to remove FIRESTARTER’s persistence.”
Federal agencies have to submit confirmation of the malware checks by midnight on Friday, and by May 1 all agencies will have to provide an inventory of Cisco Firepower devices. CISA will provide a report on the campaign to the National Cyber Director and other White House leaders by August 1.
CISA repeatedly warned that the original actions outlined in the September advisory are not enough either to remove the malware or to remove the hackers entirely from a compromised system.
“Agencies who have completed the security update requirements are still susceptible to persistence and therefore must complete the updated required actions within this V1 ED,” they said.
“Organizations should not unplug the device unless directed to do so by CISA.”
CISA also provided information on how any organization can check if they are infected with the FIRESTARTER malware.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.