
Apr 24, 2026 · 4 min read

CISA Confirmed a Federal Agency Was Backdoored Through Its Cisco Firewall—Patching Didn't Remove It

The FIRESTARTER backdoor was planted before the agency patched in September 2025. It survived the firmware update and gave suspected Chinese state hackers persistent access through March 2026.


What Happened

CISA disclosed on April 23 that a U.S. federal civilian agency was breached through vulnerabilities in its Cisco Adaptive Security Appliance (ASA) firewall. The attackers exploited CVE-2025-20333 and CVE-2025-20362 to gain initial access before September 2025, then planted a backdoor called FIRESTARTER that maintained their foothold even after the agency applied Cisco's patches.

The breach was discovered through CISA's continuous network monitoring, which flagged suspicious outbound connections from the agency's Cisco Firepower device. By the time CISA investigated, the attackers had been inside for roughly seven months.

Why Patching Was Not Enough

This breach breaks a fundamental assumption in cybersecurity: that applying vendor patches removes the threat. FIRESTARTER is designed to persist independently of the vulnerabilities used for initial access. When the agency patched its Cisco devices in September 2025 following CISA's Emergency Directive 25-03, the backdoor was already embedded in the firmware and was not removed by the update.

In March 2026, the attackers used FIRESTARTER to regain access without re-exploiting the original vulnerabilities. They then deployed a second malware strain called LINE VIPER, which established unauthorized VPN sessions that bypassed authentication policies entirely. LINE VIPER gave the attackers access to administrative credentials, certificates, and private keys stored on the device.
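The detection that exposed this intrusion was outbound traffic from the firewall itself. As an added illustration (not code from CISA, Cisco or the original article), the check below runs over flow records and asks two questions a defender would want answered: did the appliance initiate connections to destinations it has no business reaching, and did any of those destinations keep being contacted after the patch date? The flow lines, IP addresses, allowlist and patch date are all constructed for the example.

```python
from datetime import datetime, date, timezone

# Constructed sample flow records (not Cisco's log format):
# timestamp  source_ip  destination_ip  destination_port
SAMPLE_FLOWS = """\
2025-09-10T02:14:07Z 10.0.0.1 203.0.113.45 443
2025-09-26T03:00:12Z 10.0.0.1 198.51.100.20 443
2026-03-04T22:41:55Z 10.0.0.1 203.0.113.45 443
2026-03-05T01:10:30Z 10.0.5.77 203.0.113.45 443
2026-03-06T04:33:19Z 10.0.0.1 192.0.2.9 8443
"""

# Assumed inputs: the firewall's own address, destinations it is expected to
# reach on its own (vendor updates, NTP, SIEM), and the date the patch went on.
DEVICE_IPS = {"10.0.0.1"}
ALLOWED_DST = {"198.51.100.20"}
PATCH_DATE = date(2025, 9, 25)


def parse_flows(text):
    """Turn whitespace-separated records into (datetime, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows.append((when, src, dst, int(port)))
    return flows


def outbound_from_device(flows, device_ips=DEVICE_IPS, allowed_dst=ALLOWED_DST):
    """Connections the appliance itself opened to destinations not on the allowlist."""
    return [f for f in flows if f[1] in device_ips and f[2] not in allowed_dst]


def persistence_indicators(flows, patch_date=PATCH_DATE):
    """Per unexpected destination, record whether the device reached it before
    and/or after patching. A destination still being contacted after the patch
    date is the signal that remediation did not remove whatever is calling out."""
    seen = {}
    for when, _src, dst, port in outbound_from_device(flows):
        entry = seen.setdefault(dst, {"port": port, "before": False, "after": False})
        if when.date() < patch_date:
            entry["before"] = True
        else:
            entry["after"] = True
    return {dst: e for dst, e in seen.items() if e["after"]}
```

A destination flagged with both `before` and `after` set is the pattern described in this article: the same call-back surviving the firmware update, which is grounds for forensic verification rather than another patch cycle.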

Who Is Behind It

CISA has not publicly named the threat actor. However, intelligence reporting links the campaign to Chinese state interests, potentially connected to the ArcaneDoor campaign first discovered in 2024. That campaign also targeted Cisco ASA devices and shared similar tradecraft: firmware-level persistence, VPN tunnel abuse, and a focus on government and defense sector networks.

The targeting is consistent with state-sponsored espionage rather than financial crime. The attackers showed no interest in deploying ransomware or stealing money. They wanted sustained, quiet access to government communications and network infrastructure.

The Emergency Directive

CISA updated Emergency Directive 25-03 with new requirements for all Federal Civilian Executive Branch agencies:

  • Submit malware verification results by midnight Friday confirming whether FIRESTARTER is present on any Cisco ASA or Firepower device
  • Provide a complete Cisco device inventory by May 1
  • Physically unplug compromised devices if directed by CISA
  • Complete forensic engagement for any device showing indicators of compromise

The directive's most significant requirement is the physical disconnection clause. CISA is acknowledging that for firmware-level backdoors, software remediation may not be sufficient. Some devices may need to be taken offline entirely and replaced.

Why This Matters Beyond Government

Cisco ASA and Firepower devices are not unique to federal agencies. They sit at the network perimeter of enterprises, hospitals, universities, and critical infrastructure providers worldwide. The same vulnerabilities that gave attackers access to a federal agency exist in every unpatched Cisco ASA deployment.

The UK's National Cyber Security Centre and Five Eyes intelligence agencies issued parallel warnings. The NCSC confirmed that attackers had been hiding on Cisco firewalls even after organizations applied patches, and urged all Cisco ASA operators to conduct forensic analysis rather than assuming patches had resolved the issue.

For organizations that rely on Cisco firewalls, the takeaway is uncomfortable: patching alone does not guarantee that a compromised device is clean. If your Cisco ASA or Firepower device was vulnerable before September 2025, the only way to be certain is forensic verification. CISA's decision to require physical disconnection of suspect devices signals how seriously the agency views this threat. When the fix for a compromised firewall is to unplug it, the attacker has already won the persistence game.

A Growing Pattern

FIRESTARTER is the latest in a series of network appliance attacks that challenge the traditional patch-and-forget approach to security. Earlier this year, Interlock ransomware exploited a Cisco Firewall Management Center zero-day for 36 days before anyone detected it. Fortinet, Citrix, and Palo Alto have all disclosed similar firmware persistence attacks in 2026.

The security devices that are supposed to protect networks are becoming the entry points that attackers use to compromise them. And when those devices can be backdoored in a way that survives patching, the entire model of perimeter security needs rethinking.
