U.S. Government Agency Breached via Cisco Firewall Vulnerabilities, Persistent Malware Detected
In September 2025, a U.S. federal agency was compromised by sophisticated hackers exploiting vulnerabilities in Cisco Adaptive Security Appliances (ASA). The Cybersecurity and Infrastructure Security Agency (CISA) revealed that attackers deployed FIRESTARTER, a malware strain allowing persistent access to compromised Cisco Firepower devices without re-exploiting the original flaws.
The breach was discovered through CISA’s continuous monitoring, which detected suspicious connections on an agency’s Cisco Firepower device running ASA software. Forensic analysis uncovered FIRESTARTER, installed before September 25, 2025, enabling hackers to regain access in March 2026. Additionally, attackers used Line Viper, a secondary malware, to establish unauthorized VPN sessions, bypass authentication, and extract administrative credentials, certificates, and private keys.
The vulnerabilities, CVE-2025-20333 and CVE-2025-20362, were first flagged by CISA in September 2025, when federal agencies were ordered to patch them. CISA later confirmed, however, that patching did not evict the intruders: devices backdoored before the update remained compromised, because FIRESTARTER persists independently of the flaws that were used to install it. The agency also noted that attackers used dormant federal accounts to maintain access.
While CISA has not attributed the attack, reports suggest alignment with China-linked state interests, consistent with previous campaigns like ArcaneDoor (2024). Cisco’s analysis supports this assessment, linking the activity to the same threat actors.
In response, CISA issued updated directives requiring federal agencies to:
- Conduct malware checks by May 1, 2026, with initial confirmations due by midnight on Friday.
- Submit an inventory of all Cisco Firepower devices by May 1.
- Follow CISA’s guidance for physical disconnection of infected devices if necessary.
CISA emphasized that applying the patches does not remove FIRESTARTER, and warned agencies not to disconnect devices without explicit instructions, since powering a device down destroys volatile evidence that forensic collection depends on. The agency will compile a report on the campaign for the National Cyber Director and the White House by August 1, 2026.
The incident underscores the risks of persistent malware in critical security infrastructure, particularly in widely used Cisco ASA and Firepower Threat Defense (FTD) systems.
Source: https://therecord.media/cisa-us-agency-breached-cisco-vulnerability-backdoor
U.S. Department of Homeland Security cybersecurity rating report: https://www.rankiteo.com/company/us-department-of-homeland-security
"id": "US-1776976007",
"linkid": "us-department-of-homeland-security",
"type": "Cyber Attack",
"date": "9/2025",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'industry': 'Public Sector',
'location': 'United States',
'name': 'U.S. federal agency (unnamed)',
'size': 'Large',
'type': 'Government'}],
 'attack_vector': 'Exploitation of Cisco ASA vulnerabilities (CVE-2025-20333, '
                  'CVE-2025-20362), Dormant federal accounts',
'data_breach': {'data_exfiltration': 'Yes',
'personally_identifiable_information': 'Likely (credentials)',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Administrative credentials',
'Certificates',
'Private keys']},
'date_detected': '2025-09-01',
'date_publicly_disclosed': '2026-04-01',
'description': 'In September 2025, a U.S. federal agency was compromised by '
'sophisticated hackers exploiting vulnerabilities in Cisco '
'Adaptive Security Appliances (ASA). The Cybersecurity and '
'Infrastructure Security Agency (CISA) revealed that attackers '
'deployed FIRESTARTER, a malware strain allowing persistent '
'access to compromised Cisco Firepower devices without '
're-exploiting the original flaws. The breach was discovered '
'through CISA’s continuous monitoring, which detected '
'suspicious connections on an agency’s Cisco Firepower device '
'running ASA software. Forensic analysis uncovered '
'FIRESTARTER, installed before September 25, 2025, enabling '
'hackers to regain access in March 2026. Attackers also used '
'Line Viper, a secondary malware, to establish unauthorized '
'VPN sessions, bypass authentication, and extract '
'administrative credentials, certificates, and private keys.',
'impact': {'brand_reputation_impact': 'High (U.S. federal agency)',
'data_compromised': 'Administrative credentials, certificates, '
'private keys',
'identity_theft_risk': 'High (credentials and PII exposure)',
'operational_impact': 'Unauthorized VPN sessions, bypassed '
'authentication, persistent access',
'systems_affected': 'Cisco Firepower devices running ASA software'},
'initial_access_broker': {'backdoors_established': 'FIRESTARTER, Line Viper',
                           'entry_point': 'Cisco ASA vulnerabilities '
                                          '(CVE-2025-20333, CVE-2025-20362)',
'high_value_targets': 'Administrative credentials, '
'certificates, private keys'},
'investigation_status': 'Ongoing',
'lessons_learned': 'Standard patching is insufficient for persistent malware '
'like FIRESTARTER; dormant accounts pose significant '
'risks; continuous monitoring is critical for detecting '
'advanced threats.',
'motivation': 'Cyber espionage, Persistent access',
'post_incident_analysis': {'corrective_actions': ['Mandatory malware checks '
'and inventory submission',
'Enhanced monitoring and '
'forensic analysis',
'Removal of dormant '
'accounts',
'Compliance with CISA’s '
'updated directives'],
'root_causes': ['Exploitation of unpatched Cisco '
'ASA vulnerabilities',
'Persistent malware (FIRESTARTER) '
'allowing re-entry without '
're-exploitation',
'Use of dormant federal accounts '
'for unauthorized access']},
'recommendations': ['Conduct malware checks on all Cisco Firepower devices by '
'May 1, 2026',
'Submit inventory of Cisco Firepower devices to CISA by '
'May 1, 2026',
'Follow CISA’s guidance for physical disconnection of '
'infected devices if necessary',
'Remove dormant federal accounts to prevent unauthorized '
'access',
'Enhance monitoring and forensic analysis capabilities'],
'references': [{'date_accessed': '2026-04-01',
'source': 'Cybersecurity and Infrastructure Security Agency '
'(CISA)'},
{'date_accessed': '2026-04-01', 'source': 'Cisco'}],
'regulatory_compliance': {'regulatory_notifications': 'CISA directives to '
'federal agencies'},
'response': {'communication_strategy': 'CISA directives, advisories to '
'federal agencies',
'containment_measures': 'Malware checks, inventory submission, '
'physical disconnection of infected '
'devices (if necessary)',
'enhanced_monitoring': 'Yes',
'incident_response_plan_activated': 'Yes',
'recovery_measures': 'Forensic analysis, CISA guidance '
'compliance',
'remediation_measures': 'Patch management, enhanced monitoring, '
'removal of dormant accounts',
'third_party_assistance': 'CISA, Cisco'},
'stakeholder_advisories': 'CISA directives to federal agencies, guidance for '
'malware checks and device inventory',
'threat_actor': 'China-linked state-sponsored (suspected)',
'title': 'U.S. Government Agency Breached via Cisco Firewall Vulnerabilities, '
'Persistent Malware Detected',
'type': 'Data Breach, Persistent Malware, Unauthorized Access',
 'vulnerability_exploited': ['CVE-2025-20333', 'CVE-2025-20362']}