CISA warns Cisco firewall backdoor survives patching after federal agency breach
CISA disclosed that an unnamed U.S. federal civilian agency was breached through Cisco firewall vulnerabilities CVE-2025-20333 and CVE-2025-20362, and investigators later found the FIRESTARTER backdoor and Line Viper malware on the affected devices. Authorities said the attackers, linked by Cisco Talos and allied agencies to UAT-4356 and the earlier ArcaneDoor activity, maintained persistence on Cisco ASA and Firepower/FTD systems even after patches were applied, regained access months later without re-exploiting the original flaws, and used crafted VPN authentication-related requests to execute code and enable unauthorized VPN sessions that bypassed authentication controls.
CISA, the U.K. National Cyber Security Centre, and other partners warned that patching alone may not evict the threat because FIRESTARTER can survive standard reboots and, in some cases, firmware updates if the device was compromised before remediation. The updated federal directive requires agencies to audit Cisco firewall infrastructure and submit memory snapshots, while Cisco and CISA urged stronger recovery steps such as hard reboots and reimaging where compromise is suspected. The disclosure came alongside a broader allied advisory that China-linked groups including Volt Typhoon and Flax Typhoon are increasingly using large covert proxy networks built from compromised SOHO routers and IoT devices—such as the Raptor Train and KV Botnet infrastructure—to hide intrusions, support espionage, and blunt traditional IP-based blocking defenses.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
CISA updates directive after finding Firestarter on federal Cisco device
On the same day, CISA disclosed finding FIRESTARTER on a Cisco Firepower device at a U.S. federal agency and updated its advisory and emergency directive. Federal agencies were told to perform additional checks such as auditing Cisco firewall infrastructure and submitting memory snapshots because standard patching and firmware updates may not evict the threat.
CISA, NCSC and partners warn on China-linked covert proxy networks
CISA, the U.K. NCSC, and multiple allied agencies issued a joint advisory warning that China-nexus actors are building large-scale covert networks from compromised SOHO routers and IoT devices. The advisory cited infrastructure used by groups including Volt Typhoon and Flax Typhoon and recommended layered defenses and active hunting.
Attackers regain access to breached Cisco device using FIRESTARTER
In March 2026, attackers used the FIRESTARTER backdoor to re-enter the previously compromised Cisco device without re-exploiting the original vulnerabilities. CISA also found a second malware strain, Line Viper, that enabled unauthorized VPN sessions bypassing authentication controls.
U.S. federal agency breached via Cisco firewall vulnerabilities
An unnamed U.S. federal civilian executive branch agency was compromised in September 2025 through vulnerabilities in Cisco firewall products. The intrusion was later associated with the same state-sponsored activity cluster previously linked to ArcaneDoor and tracked as UAT-4356.
Cisco patches firewall flaws later tied to Firestarter intrusions
Cisco released patches in September 2025 for CVE-2025-20333 and CVE-2025-20362 affecting ASA and Firepower/FTD devices. CISA later warned that devices compromised before patching could remain infected because patching alone would not remove the malware.
FBI disrupts Raptor Train botnet tied to Flax Typhoon
The U.S. Department of Justice announced a court-authorized operation that disrupted a worldwide botnet of more than 200,000 compromised consumer devices. The botnet was attributed to Beijing-based Integrity Technology Group and linked by the FBI to PRC state-sponsored activity tracked as Flax Typhoon.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
8 references tracked. Mallory keeps watching after this page renders.
FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches
thehackernews.com
Open sourceUS, UK agencies warn hackers were hiding on Cisco firewalls long after patches were applied | CyberScoop
cyberscoop.com
Open sourceA dozen allied agencies say China is building covert hacker networks out of everyday routers | CyberScoop
cyberscoop.com
Open sourceDefending Against China-Nexus Covert Networks of Compromised Devices | CISA
cisa.gov
Open sourceUK warns of Chinese hackers using proxy networks to evade detection
bleepingcomputer.com
Open sourceChina-linked crews turn routers into covert attack proxies • The Register
go.theregister.com
Open sourceCISA: US agency breached through Cisco vulnerability, FIRESTARTER backdoor allowed access through March | The Record from Recorded Future News
therecord.media
Open sourceOffice of Public Affairs | Court-Authorized Operation Disrupts Worldwide Botnet Used by People’s Republic of China State-Sponsored Hackers | United States Department of Justice
justice.gov
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Firestarter Backdoor Persists on Cisco Firewalls After Patching
U.S. and U.K. cybersecurity agencies warned that a previously undisclosed backdoor dubbed **Firestarter** compromised at least one unnamed U.S. Federal Civilian Executive Branch agency and may be part of a broader campaign targeting government and critical national infrastructure networks. The malware affects Cisco Secure Firewall devices running **ASA** or **FTD** software, and Cisco Talos linked the activity to threat cluster **UAT-4356**, which is assessed as likely government-backed. Investigators said the actor likely gained initial access by exploiting **`CVE-2025-20333`** and/or **`CVE-2025-20362`**, then deployed the **Line Viper** shellcode loader before installing Firestarter. Firestarter is notable for maintaining persistence even after reboots, firmware upgrades, and security patches by hooking into Cisco’s **LINA** process, altering boot and mount behavior, and relaunching if terminated. CISA, the UK **NCSC**, and Cisco published indicators of compromise, YARA-based memory analysis guidance, and mitigation advice, warning that software updates alone may not remove the implant. Cisco strongly recommended reimaging affected devices and upgrading to fixed releases, while authorities urged organizations to collect forensic evidence and report suspected compromises.
May 8, 2026
Cisco ASA Zero-Days in ArcaneDoor Trigger U.S. Government Scrutiny
Cisco is facing U.S. government scrutiny after critical zero-day flaws in **ASA** and **Firepower Threat Defense** devices were tied to the **ArcaneDoor** espionage campaign and deemed an unacceptable risk to federal networks. CISA and the U.K. National Cyber Security Centre linked the activity to `CVE-2025-20333` and `CVE-2025-20362`, while earlier federal action had already added related Cisco flaws `CVE-2024-20353` and `CVE-2024-20359` to the Known Exploited Vulnerabilities catalog after active exploitation. Cisco said the campaign targeted a small set of customers, using the **Line Runner** and **Line Dancer** backdoors for reconnaissance, configuration changes, traffic capture, exfiltration, and possible lateral movement; external reporting and infrastructure analysis pointed to a likely China-aligned espionage actor, and internet scans suggested tens of thousands of Cisco firewall devices were exposed. The incident has drawn political attention in Washington, with Sen. Bill Cassidy seeking answers from Cisco on customer impact, breach notifications, and communications with federal agencies after reports that at least one federal agency may have been compromised. The response echoes earlier federal emergency actions over perimeter-device exploitation, including the 2021 campaign in which suspected Chinese hackers used **Pulse Secure** VPN vulnerabilities to breach multiple U.S. agencies, critical infrastructure entities, and private-sector organizations, deploying webshells and bypassing passwords and multifactor authentication. Together, the cases underscore continuing risk from internet-facing security appliances that can provide long-term access for state-backed espionage when zero-days remain unpatched.
May 25, 2026
Exploitation of Cisco ASA Firewall Vulnerabilities Leading to Federal Agency Breach and Senate Scrutiny
US Senator Bill Cassidy has demanded answers from Cisco regarding critical vulnerabilities in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices, specifically CVE-2025-20333 and CVE-2025-20362, which have been actively exploited by threat actors. The senator's letter to Cisco CEO Chuck Robbins follows reports that at least one federal agency was breached as a direct result of these flaws, though Cisco has not publicly confirmed the breach. The vulnerabilities prompted the Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency directive, requiring all federal civilian agencies to identify affected devices, review logs for signs of compromise, and apply Cisco's patches within 24 hours. Devices that had reached end of support were ordered to be removed from service entirely. Cisco acknowledged that exploitation of these vulnerabilities had been ongoing since at least May, when government incident responders involved Cisco in investigations of compromised ASA 5500-X firewalls. Attackers were observed deploying implants, executing commands, and exfiltrating data from affected systems well before the vulnerabilities were publicly disclosed. The exploitation campaign, known as ArcaneDoor, was attributed by Cisco to a Chinese-linked threat group identified as UAT4356, which has targeted government systems globally since November 2023. Senator Cassidy's letter raises concerns about Cisco's transparency regarding the impact of these vulnerabilities on both government and private sector customers. He questioned whether Cisco has identified specific threats to its customers, how it communicates security issues, and whether CISA's guidance to federal agencies is also being provided to private organizations. The senator emphasized the critical role Cisco plays in national infrastructure, noting that vulnerabilities in its products could jeopardize access to essential services for millions of Americans. Cisco has not responded to media requests for comment on the senator's inquiries or the reported breach. The emergency directive from CISA underscores the severity of the risk, highlighting the widespread use of ASA appliances in both government and large enterprise environments. The incident has drawn attention to the need for rapid patching and clear communication from vendors when critical vulnerabilities are discovered. Security agencies in both the US and UK have issued urgent advisories, warning of active exploitation and the necessity for immediate remediation. The ongoing investigation seeks to determine the full scope of the compromise and whether additional agencies or organizations have been affected. The situation has reignited debate over the security of widely deployed network infrastructure and the responsibilities of vendors in managing and disclosing vulnerabilities. The case also illustrates the persistent threat posed by sophisticated state-linked actors targeting critical government systems. As the response continues, both public and private sector organizations are urged to review their exposure and ensure all relevant patches are applied without delay.
Mar 21, 2026