The Cybersecurity and Infrastructure Security Agency (CISA) updated Emergency Directive 25-03 on April 24, 2026, revealing that at least one U.S. federal civilian agency’s Cisco networking equipment was infected with a persistent backdoor known as Firestarter. The malware, attributed to a China-linked espionage group, was discovered on a Cisco Firepower device running Adaptive Security Appliance (ASA) software. According to CISA and the United Kingdom’s National Cyber Security Centre (NCSC), the Firestarter backdoor is designed to maintain access even after security patches are applied and the device is rebooted.
Technical analysis indicates that the threat actor, tracked as UAT-4356 (also known as Storm-1849), exploited two critical vulnerabilities to gain initial access: CVE-2025-20333, an improper input validation flaw with a CVSS score of 9.9, and CVE-2025-20362, a buffer overflow vulnerability. These flaws allowed the attackers to execute arbitrary code as root and bypass authentication on the VPN web server of Cisco ASA and Secure Firewall Threat Defense (FTD) software. Once inside, the actors deployed Firestarter alongside a post-exploitation toolkit called Line Viper, which enables command execution, packet capture, and the suppression of system logs to evade detection.
The Firestarter backdoor achieves persistence by manipulating the Cisco Service Platform (CSP) mount list, specifically the CSP_MOUNT_LIST, to ensure its execution during the device's boot sequence. The malware hooks into the LINA process, a core component of Cisco’s ASA and FTD appliances, allowing it to intercept authentication requests and execute malicious payloads. CISA warned that because the malware integrates into the low-level firmware operations, standard software updates and graceful reboots are insufficient to remove the implant. In the investigated incident, the attackers maintained access through March 2026, despite the agency having patched the initial vulnerabilities in late 2025.
Under the updated directive, all Federal Civilian Executive Branch (FCEB) agencies are required to submit device core dumps to CISA’s Malware Next Gen portal for forensic analysis by 11:59 PM EST on April 24, 2026. Agencies must also provide a complete inventory of Cisco Firepower and Secure Firewall devices by May 1. For devices where a compromise is confirmed, CISA has mandated a physical hard reset (unplugging the unit from its power source) by April 30, 2026, as this is currently the only verified method to disrupt the malware's transient persistence mechanism.
The compromise is part of a broader, long-running espionage campaign known as ArcaneDoor, which has targeted government and critical national infrastructure networks globally. Cisco’s Talos intelligence group first identified the campaign in early 2024, noting the actor's focus on network perimeter devices. While Cisco has released forensic tools and updated its Security Cloud Control platform to assist in detection, CISA Acting Director Nick Andersen emphasized that the update underscores the ongoing risk posed by sophisticated state-sponsored actors capable of maintaining long-term presence within secured federal environments.