"Firestarter was especially sophisticated in that it maintained persistent access to compromised networking devices even after they were updated, allowing attackers to re-enter victims' networks without needing to exploit any new vulnerabilities," CISA said.
CISA and the NCSC: who reported the intrusion
The Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom's National Cyber Security Centre (NCSC) jointly published findings about a previously unknown backdoor named "Firestarter." Both agencies declined to name the federal agency that was compromised. CISA said the incident involved a single Federal Civilian Executive Branch (FCEB) agency, although investigators suspect the campaign may be wider and focused on government and critical national infrastructure networks.
Firestarter: what it targeted and how it behaved
CISA describes Firestarter as a backdoor with remote access capabilities that targeted Cisco Secure Firewall Adaptive Security Appliance (ASA) and Cisco Secure Firewall Threat Defense (FTD) products. The lone incident CISA investigated involved a Cisco Firepower device running ASA software, and Secure Firewall devices are also thought to be susceptible. The advisory named the malware "Firestarter" after those targeted Cisco products.
Beyond initial compromise, CISA highlighted a key technical attribute: Firestarter maintained persistent access even after the targeted networking devices were updated, enabling attackers to regain entry without exploiting new vulnerabilities. That persistence — surviving updates to devices — is the behavior CISA singled out as especially sophisticated.
Cisco, vulnerability context, and tracking of the attacker
CISA's Firestarter advisory is an update to earlier warnings about attacks on Cisco products that exploited CVE-2025-20333 (severity 9.9) and CVE-2025-20362 (severity 6.5). Cisco has attributed the latest attacks to the same group it suspects was behind other incidents last year. An independent tracker named Switchzilla assigns the group the identifier UAT-4356; Switchzilla has consistently avoided publicly attributing the group to any nation-state, including the four countries the source listed as the US's primary geopolitical adversaries, while saying the group appears to be government-backed.
Detection, evidence collection, and remediation steps urged by CISA and NCSC
The initial detection came through routine continuous network monitoring, CISA said. Both CISA and the NCSC urged organizations that are hit to collate all evidence and submit it to the agencies for intelligence-gathering. The agencies specifically advised defenders to use YARA rules when performing memory analysis from device core dumps or disk images. Those are the concrete forensic actions CISA recommended in the advisory.
CISA also framed this advisory in a broader context of multiple, recent Cisco-focused campaigns: the agency's update follows earlier advisories and warnings about Cisco product exploits. The published guidance therefore treats Firestarter not as an isolated curiosity but as part of an active threat environment against networking equipment.
What this means for FCEB agencies, network defenders, and Cisco (vendors)
- FCEB agencies: CISA said only one FCEB agency was confirmed impacted so far. Nevertheless, CISA's definition of FCEB includes entities such as NASA; Homeland Security itself (noting CISA staff are part of an operational unit in Homeland Security); the FBI; the Department of Justice; the IRS; the Department of Veterans Affairs; and the Department of Health and Human Services (HHS). Those agencies should assume targeted network devices can be re-instrumented by attackers even after routine updates, and they should be prepared to collect and forward forensic artifacts to CISA and the NCSC.
- Network defenders and incident responders: CISA recommends continuous monitoring, memory analysis of core dumps or disk images using YARA rules, and careful evidence collection for submission to CISA and the NCSC. The persistence behavior CISA describes increases the priority of deep forensic checks on networking appliances beyond simple patching.
- Cisco and procurement leaders: Cisco is attributing these attacks to the same group it tied to prior incidents, and the advisory updates CISA's earlier warnings about exploited CVEs (CVE-2025-20333 and CVE-2025-20362). Procurement and patching teams should treat firewall and Secure Firewall-class devices as high-value targets in active campaigns and ensure forensic readiness as well as patching.
The Firestarter advisory arrived hours after a separate, collective intelligence warning about "Chia's offensive cyber operations," which involved ten countries including nations in the Five Eyes alliance and repeated claims that China was building covert networks — for example by recruiting consumer-grade SOHO routers — to launch attacks. That near-concurrent reporting underlines that nation-state–scale techniques and covert infrastructure building remain part of the larger sharp-elbowed cyber environment in which Firestarter appeared.
For now, the concrete record is narrow: a single FCEB infection was detected, the malware targeted Cisco ASA/FTD-family products and preserved access across updates, and CISA and the NCSC are asking for evidence from victims. The unanswered, practical question left for operators is whether the persistence mechanisms CISA describes have been widely deployed across other devices and networks — and whether that will require new forensic and mitigation playbooks beyond patching alone.




