Federal civilian executive branch agency hit by network compromise
Incident
Summary
Hide ▲
Show ▼
A federal civilian executive branch agency was compromised in an early September 2025 intrusion that left attackers with persistent access on Cisco Firepower and Secure Firewall devices. The intrusion involved Line Viper as the initial loader and Firestarter as the backdoor that kept access alive after patching. Attackers are believed to have entered through CVE-2025-20333 and/or CVE-2025-20362. The compromise matters because Firestarter can survive reboots, firmware updates, and security patches, making remediation harder and prolonging exposure.
Related Happenings
CISA sets June 28 patch deadline for Cisco Unified Communications Manager Server
Public Sector Action
H score35
First: 26.06.2026 22:43
Last: 26.06.2026 22:43
Sources 1
About this happening:
CISA ordered **federal agencies** to patch **CVE-2026-20230** in **Cisco Unified Communications Manager Server** by **June 28**, tightening exposure around an **actively exploited...
CISA sets June 28 patch deadline for Cisco Unified Communications Manager Server
Public Sector ActionAbout this happening: CISA ordered **federal agencies** to patch **CVE-2026-20230** in **Cisco Unified Communications Manager Server** by **June 28**, tightening exposure around an **actively exploited...
CISA KEV order for Copy Fail on federal Linux devices
Public Sector Action
H score33
First: 08.05.2026 10:45
Last: 08.05.2026 10:45
Sources 1
About this happening:
**CISA** added **Copy Fail** to the **Known Exploited Vulnerabilities (KEV) Catalog**, making the Linux flaw a federal remediation priority. The agency ordered **federal agencies*...
CISA KEV order for Copy Fail on federal Linux devices
Public Sector ActionAbout this happening: **CISA** added **Copy Fail** to the **Known Exploited Vulnerabilities (KEV) Catalog**, making the Linux flaw a federal remediation priority. The agency ordered **federal agencies*...
CISA KEV listing and FCEB firewall directive for CVE-2026-0300
Public Sector Action
H score64
First: 07.05.2026 13:57
Last: 07.05.2026 13:57
Sources 1
About this happening:
**CISA** added **CVE-2026-0300** to the **KEV Catalog** and ordered **FCEB agencies** to secure vulnerable firewalls by **May 9, 2026**. The federal directive makes the exploited...
CISA KEV listing and FCEB firewall directive for CVE-2026-0300
Public Sector ActionAbout this happening: **CISA** added **CVE-2026-0300** to the **KEV Catalog** and ordered **FCEB agencies** to secure vulnerable firewalls by **May 9, 2026**. The federal directive makes the exploited...
Cisco ASA/FTD code execution and authentication bypass flaws (multiple vulnerabilities)
Vulnerability
H score88
First: 24.04.2026 20:06
Last: 24.04.2026 20:06
Sources 1
About this happening:
**Cisco ASA/FTD** vulnerabilities **CVE-2025-20333** and **CVE-2025-20362** are still under **active exploitation** and can be chained for **unauthenticated remote control** of af...
Cisco ASA/FTD code execution and authentication bypass flaws (multiple vulnerabilities)
VulnerabilityAbout this happening: **Cisco ASA/FTD** vulnerabilities **CVE-2025-20333** and **CVE-2025-20362** are still under **active exploitation** and can be chained for **unauthenticated remote control** of af...
FIRESTARTER malware on Cisco ASA and FTD devices
Malware Activity
H score33
First: 23.04.2026 15:00
Last: 23.04.2026 15:00
Sources 1
How related:
Cybersecurity agencies in the U.S. and U.K. are warning about a custom malware called Firestarter persisting on Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software.
About this happening:
CISA has published analysis of **FIRESTARTER**, a malware strain that enables **remote access and control** on **Cisco Firepower** and **Secure Firewall** devices, raising the ris...
FIRESTARTER malware on Cisco ASA and FTD devices
Malware ActivityHow related: Cybersecurity agencies in the U.S. and U.K. are warning about a custom malware called Firestarter persisting on Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software.
About this happening: CISA has published analysis of **FIRESTARTER**, a malware strain that enables **remote access and control** on **Cisco Firepower** and **Secure Firewall** devices, raising the ris...
Latest development: 24.04.2026 23:34
CISA, NCSC-UK, and Cisco detailed Firestarter persistence on Cisco Firepower and Secure Firewall devices running ASA or FTD software, attributing the backdoor to UAT-4356 and linking the activity to ArcaneDoor. The malware modifies CSP_MOUNT_LIST, stores a copy in /opt/cisco/platform/logs/var/log/svc_samcore.log, restores itself to /usr/bin/lina_cs, and relaunches after termination or reboot; Cisco recommends reimaging and upgrading to fixed releases, or using a cold restart only if reimaging is not possible.
Timeline
-
24.04.2026 23:34 2 articles · 2mo ago
Firestarter disclosure on Cisco firewall devices
Initial DisclosureU.S. and U.K. cybersecurity agencies warned that the Firestarter backdoor persists on Cisco Firepower and Secure Firewall devices running ASA or FTD software, and attributed the activity to UAT-4356, a threat actor linked to ArcaneDoor. The agencies said the adversary likely obtained initial access by exploiting CVE-2025-20333 and/or CVE-2025-20362, and Cisco issued mitigations, workarounds, and indicators of compromise alongside guidance to reimage or upgrade affected devices.
Show sources
- Firestarter malware survives Cisco firewall updates, security patches — www.bleepingcomputer.com — 24.04.2026 23:34
- Firestarter malware survives Cisco firewall updates, security patches — www.bleepingcomputer.com — 24.04.2026 23:34