Attackers Breach US Agency via Cisco Firepower and Secure Firewall Devices, Distribute Firestarter Malware
- Persistent threat access: A critical US agency breach occurred via a Cisco vulnerability, enabling attackers to maintain unauthorized network access for months.
- Malware deployment tactics: Threat actors utilized FIRESTARTER malware and Line Viper to bypass VPN authentication and harvest administrative credentials.
- Federal mitigation mandate: CISA issued updated directives requiring civilian agencies to investigate compromised Cisco firewalls to mitigate severe cybersecurity threats.
A U.S. agency was breached due to a critical Cisco vulnerability in Firepower and Secure Firewall devices. Sophisticated threat actors compromised an unnamed federal department's network by exploiting specific flaws within Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software systems, the Cybersecurity and Infrastructure Security Agency (CISA) has warned.
CISA assesses, but has not confirmed, that advanced persistent threat (APT) actors likely obtained initial access in September 2025 by exploiting the remote code execution (RCE) flaw CVE-2025-20333 and/or the privilege escalation flaw CVE-2025-20362, both of which were added to the Known Exploited Vulnerabilities (KEV) Catalog the same month.
FIRESTARTER Malware, Line Viper Deployment
During active forensic engagements, CISA discovered that the attackers deployed a custom software implant identified as the FIRESTARTER malware. This sophisticated backdoor mechanism allowed the threat actors to maintain persistent access on the compromised firewall hardware.
Consequently, the attackers successfully regained access to the network in March 2026 without needing to re-exploit the original software flaws. CISA warned that even if network administrators applied the necessary security patches, the infrastructure remained compromised if the FIRESTARTER malware was already present on the device.
The attackers also deployed Line Viper, a secondary malware strain engineered to establish illegitimate virtual private network (VPN) sessions. Line Viper granted them comprehensive access to the Firepower device telemetry, which included administrative credentials, private encryption keys, and security certificates.
Cisco-Related Cybersecurity Threats
To mitigate these escalating cybersecurity threats, CISA, in coordination with international partners, has mandated specific forensic checks for all federal civilian agencies. Standard patching procedures are insufficient to eradicate this persistent threat.
Federal organizations must now provide a comprehensive inventory of their Cisco Firepower devices and perform mandated security validations to ensure the complete removal of unauthorized access vectors.
The report notes that, once a compromise is confirmed, CISA may instruct the affected organization to physically remove power from the device in order to break FIRESTARTER's persistence.
A guide to identifying and mitigating potential compromises of Cisco devices is available. Organizations can also refer to Cisco's security advisory and the Talos report on UAT-4356 targeting Cisco Firepower devices.