# U.S. Agency Breached via Cisco Firewall Vulnerabilities: 'FIRESTARTER' Malware Enables Persistent Access
A U.S. federal agency was compromised in September by sophisticated hackers exploiting vulnerabilities in **Cisco** firewalls. The attackers deployed a malware strain dubbed 'FIRESTARTER' to maintain persistent access, even after the initial vulnerabilities were patched.
The **Cybersecurity and Infrastructure Security Agency (CISA)** revealed that the unnamed department was infected with "FIRESTARTER" malware, allowing the attackers to regain access to the **Cisco** device in March without re-exploiting the original flaws.
### CISA's Response
**CISA** has issued an advisory concerning the FIRESTARTER malware and an updated directive mandating specific actions for federal civilian agencies to detect and mitigate potential infections. This follows an initial warning in September regarding **CVE-2025-20333** and **CVE-2025-20362**, two vulnerabilities affecting **Cisco Adaptive Security Appliances (ASA)**.
**CISA** stated the revisions to the advisory were prompted by updated cyber threat intelligence indicating that threat actors were maintaining persistence and unauthorized access to **Cisco Firepower** and **Secure Firewall** products running **ASA** or **Firepower Threat Defense (FTD)** software.
### ASA: A Prime Target
**ASA** is widely used by governments and large enterprises because it consolidates several security functions into a single appliance, including firewall, intrusion prevention, spam filtering, and antivirus checks.
**CISA**, through its continuous monitoring program, detected suspicious connections on a U.S. FCEB agency's **Cisco Firepower** device running **ASA** software. A forensic investigation led to the discovery of the FIRESTARTER malware.
### FIRESTARTER and Line Viper Malware
In addition to FIRESTARTER, the attackers deployed another malware strain called Line Viper, which established illegitimate virtual private network (VPN) sessions, bypassing VPN authentication policies.
FIRESTARTER served as a means to maintain access to the compromised device, enabling the hackers to "regain access without re-exploiting the original vulnerabilities" in March 2026. Devices compromised before patches for CVE-2025-20333 and CVE-2025-20362 were applied remain vulnerable due to FIRESTARTER. The deployment of FIRESTARTER occurred before September 25, 2025, but the exact date remains unknown.
The attackers also leveraged federal accounts that were no longer active within the agency. Line Viper granted the threat actors access to everything on the victim's Firepower device, including administrative credentials, certificates, and private keys.
### Attribution and Collaboration
While **CISA** has not publicly attributed the attacks to a specific country, reports suggest a potential link to Chinese state interests.
**CISA** collaborated with the **United Kingdom National Cyber Security Centre (NCSC)** on these advisories. They also jointly issued another notice regarding Chinese government-linked threat actors utilizing covert networks of compromised devices, specifically mentioning tactics used by Volt Typhoon and Flax Typhoon, two groups previously identified for targeting the U.S. government and critical infrastructure.
### Cisco's Assessment
In September, **Cisco** published a detailed analysis of CVE-2025-20333 and CVE-2025-20362, confidently linking the campaign to the same actors behind the ArcaneDoor campaign discovered in 2024, which **Cisco** attributed to state-sponsored threat actors.
### Required Actions for Federal Agencies
**CISA**'s advisories outline several mandatory actions for all federal civilian agencies in response to the ongoing campaign against **Cisco** firewall devices. These include submitting detailed information about their systems. Confirmed compromises will trigger further instructions from **CISA**, potentially including physically disconnecting devices to remove FIRESTARTER's persistence.
Federal agencies must confirm completion of malware checks by a certain deadline, and provide an inventory of **Cisco Firepower** devices by May 1. **CISA** will provide a report on the campaign to the National Cyber Director and other White House leaders by August 1.
**CISA** emphasizes that the initial actions outlined in the September advisory are insufficient to fully remove the malware or the attackers from compromised systems. Agencies that have already applied security updates must still complete the updated required actions. Organizations are cautioned against unplugging devices unless specifically instructed to do so by **CISA**.
**CISA** has also provided guidance on how any organization can check for FIRESTARTER infections.