Federal civilian executive branch agency hit by network compromise

Incident · Happening score 43 · 1 unique source, 1 article

Summary

A federal civilian executive branch agency was compromised in an early September 2025 intrusion that left attackers with persistent access on Cisco Firepower and Secure Firewall devices. The intrusion involved Line Viper as the initial loader and Firestarter as the backdoor that kept access alive after patching. Attackers are believed to have entered through CVE-2025-20333 and/or CVE-2025-20362. The compromise matters because Firestarter can survive reboots, firmware updates, and security patches, making remediation harder and prolonging exposure.

Related Happenings

CISA KEV order for Copy Fail on federal Linux devices

Public Sector Action
First: 08.05.2026 10:45 Last: 08.05.2026 10:45 Sources 1

About this happening: **CISA** added **Copy Fail** to the **Known Exploited Vulnerabilities (KEV) Catalog**, making the Linux flaw a federal remediation priority. The agency ordered **federal agencies*...

CISA KEV listing and FCEB firewall directive for CVE-2026-0300

Public Sector Action
First: 07.05.2026 13:57 Last: 07.05.2026 13:57 Sources 1

About this happening: **CISA** added **CVE-2026-0300** to the **KEV Catalog** and ordered **FCEB agencies** to secure vulnerable firewalls by **May 9, 2026**. The federal directive makes the exploited...

Cisco ASA/FTD code execution and authentication bypass flaws (multiple vulnerabilities)

Vulnerability
First: 24.04.2026 20:06 Last: 24.04.2026 20:06 Sources 1

About this happening: **Cisco ASA/FTD** vulnerabilities **CVE-2025-20333** and **CVE-2025-20362** are still under **active exploitation** and can be chained for **unauthenticated remote control** of af...

FIRESTARTER malware on Cisco ASA and FTD devices

Malware Activity
First: 23.04.2026 15:00 Last: 23.04.2026 15:00 Sources 1

How related: Cybersecurity agencies in the U.S. and U.K. are warning about a custom malware called Firestarter persisting on Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software.

About this happening: CISA has published analysis of **FIRESTARTER**, a malware strain that enables **remote access and control** on **Cisco Firepower** and **Secure Firewall** devices, raising the ris...

Latest development: 24.04.2026 23:34

CISA, NCSC-UK, and Cisco detailed Firestarter persistence on Cisco Firepower and Secure Firewall devices running ASA or FTD software, attributing the backdoor to UAT-4356 and linking the activity to ArcaneDoor. The malware modifies CSP_MOUNT_LIST, stores a copy in /opt/cisco/platform/logs/var/log/svc_samcore.log, restores itself to /usr/bin/lina_cs, and relaunches after termination or reboot; Cisco recommends reimaging and upgrading to fixed releases, or using a cold restart only if reimaging is not possible.

SilentGlass launch as a monitor-connection protection security device

Security Tool/Service
First: 22.04.2026 18:00 Last: 22.04.2026 18:00 Sources 1

About this happening: The **UK National Cyber Security Centre** has released **SilentGlass**, a plug-and-play device that blocks unexpected or malicious signals between **HDMI** or **DisplayPort** con...

Timeline

  1. 24.04.2026 23:34 · 2 articles

    Firestarter disclosure on Cisco firewall devices

    Initial Disclosure

    U.S. and U.K. cybersecurity agencies warned that the Firestarter backdoor persists on Cisco Firepower and Secure Firewall devices running ASA or FTD software, and attributed the activity to UAT-4356, a threat actor linked to ArcaneDoor. The agencies said the adversary likely obtained initial access by exploiting CVE-2025-20333 and/or CVE-2025-20362, and Cisco issued mitigations, workarounds, and indicators of compromise alongside guidance to reimage or upgrade affected devices.