The Cybersecurity and Infrastructure Security Agency (CISA) issued an updated emergency directive on April 24, 2026, following the discovery of a sophisticated backdoor on at least one U.S. federal agency's network. The malware, identified as Firestarter, was found embedded in Cisco Firepower and Secure Firewall devices, marking a significant escalation in a long-running espionage campaign attributed to China-linked threat actors. According to a joint advisory from CISA and the United Kingdom’s National Cyber Security Centre (NCSC), the backdoor is designed to maintain persistent access even after security patches and firmware updates have been applied.
Technical analysis shows that Firestarter works by hooking into the Lina process, the core engine responsible for packet processing and security functions in Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. Hooking Lina lets the malware intercept and alter normal operations and execute arbitrary shellcode on the device. In the documented breach of a Federal Civilian Executive Branch (FCEB) agency, investigators found that the attackers had first deployed a separate implant called Line Viper. That earlier implant was used to exfiltrate administrative credentials, certificates, and private keys, which the actors then used to keep access to the agency's internal network even after the implant itself was gone.
The campaign exploits two critical vulnerabilities in the ASA/FTD VPN web server: CVE-2025-20362, a missing-authorization flaw that lets an unauthenticated attacker reach URL endpoints that should require a login, and CVE-2025-20333, a buffer overflow in the same web server that yields remote code execution with root privileges. Chained together, they give an unauthenticated attacker code execution on the appliance. Cisco released patches for both flaws in September 2025, but CISA warned that patching does not clean a device that was compromised beforehand. Firestarter achieves persistence by modifying the mount list for the Cisco Service Platform (CSP), which lets it survive a normal software reboot. Forensic evidence indicates that the malware was deployed on the affected federal device before September 25, 2025, and that it allowed the threat actors to regain access in March 2026 without re-exploiting the original vulnerabilities.
CISA's updated Emergency Directive 25-03 mandates that all federal civilian agencies audit their Cisco firewall infrastructure immediately. Agencies are required to collect device core dumps and submit them to the Malware Next Generation (MNG) portal by 11:59 PM EST on April 24, 2026. The directive further specifies that a hard reset, meaning physically disconnecting the device from its power source, is the only confirmed method of removing Firestarter's persistence; a software reboot is not sufficient, since the implant is designed to survive one. Because a core dump captures volatile memory that a power cycle destroys, the dump must be collected before the device is reset. The hard reset must be completed on all affected hardware by April 30, 2026.
The affected hardware includes the Firepower 1000, 2100, 4100, and 9300 series, as well as the Secure Firewall 200, 1200, 3100, 4200, and 6100 series. Cisco's Talos threat intelligence unit attributes the activity to a state-sponsored group it tracks as UAT-4356. The same group is linked to the ArcaneDoor campaign, which has targeted the network perimeters of governments and critical infrastructure operators worldwide since early 2024. Officials have emphasized that although only one federal agency has been confirmed as a Firestarter victim so far, the sophistication of the malware and its ability to outlive patching suggest a broader risk to any public or private sector organization running these Cisco products.