CISA: US Agency Breached via Cisco Vulnerability, FIRESTARTER Malware Enables Ongoing Access
In September 2025, a U.S. government agency was compromised through vulnerabilities in its Cisco firewalls. The Cybersecurity and Infrastructure Security Agency (CISA) confirmed the breach and reported that the unnamed agency's device carried malware known as "FIRESTARTER," which let the attackers keep access to the Cisco appliance without having to exploit the original vulnerabilities a second time.
CISA issued an advisory describing FIRESTARTER together with an updated directive requiring federal civilian agencies to take specific steps to look for infections. The agency had first ordered all federal entities in September 2025 to patch two vulnerabilities, CVE-2025-20333 and CVE-2025-20362, in Cisco Adaptive Security Appliance (ASA) software; used together they give an unauthenticated attacker code execution on the device.
Ongoing Threats and Malware Persistence
CISA's revisions to the advisory were prompted by new threat intelligence showing that the attackers still held persistent access to Cisco Firepower and Secure Firewall appliances running ASA or Firepower Threat Defense (FTD) software. The ASA line is widely deployed by government agencies and large enterprises because it consolidates several security functions in one appliance, including firewall, VPN, intrusion prevention, spam filtering and antivirus inspection.
Through its continuous monitoring program, CISA identified suspicious connections on a Cisco Firepower device belonging to a U.S. Federal Civilian Executive Branch (FCEB) agency. Following this discovery, CISA engaged in a forensic investigation, during which they confirmed the presence of FIRESTARTER on the compromised device.
The attackers also deployed a second malware strain, Line Viper, which opened unauthorized virtual private network (VPN) sessions that bypassed the device's VPN authentication. Together, the two implants let the intruders return to the compromised device without re-exploiting the original vulnerabilities, and there are indications that this access continued into March 2026.
Vulnerability and Exploitation Timeline
Patching closes the initial entry point but does not remove an implant that is already installed, so devices compromised before the patches were applied remain at risk while FIRESTARTER is present. According to CISA, the malware was placed on the affected Cisco device before September 25, 2025, although the exact date of infection has not been determined. The attackers also made use of dormant accounts at the agency, which complicated detection and response.
Line Viper gave the threat actors broad access to the victim's Firepower device, including administrative credentials, certificates and private keys. CISA has not publicly attributed the attack to a nation state, but sources have said the campaign is consistent with the interests of Chinese state-sponsored groups.
Collaborative Efforts and New Guidance
In response to the ongoing activity, CISA released the new advisories jointly with the United Kingdom's National Cyber Security Centre (NCSC). The two agencies also issued a joint notice on Chinese government-linked threat actors operating covert networks of compromised devices. That notice describes tactics used by groups such as Volt Typhoon and Flax Typhoon, both previously linked to attacks on U.S. government and critical infrastructure.
Cisco, having analyzed the exploitation of CVE-2025-20333 and CVE-2025-20362, assesses with high confidence that the campaign is the work of the same threat actors behind the ArcaneDoor campaign uncovered in 2024, and characterizes the attacks as part of a broader state-sponsored effort.
CISA's advisories set out mandatory actions for all federal civilian agencies in light of the latest campaign against Cisco firewall devices. Each agency must submit detailed information about its systems; where a compromise is confirmed, CISA will issue further instructions, which may include an order to physically disconnect the device in order to break FIRESTARTER's persistence.
Agencies must confirm that the malware checks are complete by midnight on Friday and must provide an inventory of their Cisco Firepower devices by May 1. CISA plans to report on the campaign to the National Cyber Director and other White House officials by August 1. The agency has repeatedly stressed that the steps in the September advisory alone are not enough to eradicate the malware or evict the threat actors from compromised systems.
CISA has cautioned organizations not to disconnect devices unless explicitly instructed to do so, and has published guidance on how to determine whether a device is infected with FIRESTARTER.
For more information on the ongoing cybersecurity landscape and the implications of these developments, refer to the detailed report by CISA.
Source: therecord.media