CISA Hunts for Cisco Backdoor Spotted on Federal Network
Data Breach Today
'Firestarter' Backdoor Can Survive Reboots, Upgrades and Standard Fixes

The Cybersecurity and Infrastructure Security Agency issued an emergency directive warning that a newly discovered Cisco backdoor can survive routine remediation processes, forcing agencies to investigate the edge devices that anchor federal firewall and VPN security.
Chris Riotta (@chrisriotta) • April 24, 2026
Image: Anucha Cheechang/Shutterstock
The U.S. cyber defense agency is ordering federal agencies to hunt for a previously unknown, persistent backdoor after spotting it on a Cisco security appliance meant to shield a federal civilian agency.
The Cybersecurity and Infrastructure Security Agency and its British counterpart warned in a Thursday malware analysis report that the custom implant, dubbed "Firestarter," is targeting Cisco Adaptive Security Appliance and Firepower devices. CISA should know, since it identified the backdoor after detecting suspicious connections on a federal network, activity that led to a forensic investigation that turned up the implant.
The hackers - there's no public attribution - initially deployed a shellcode loader tracked by the U.K. National Cyber Security Centre as Line Viper, but later used Firestarter as a persistence mechanism. CISA said they deployed Firestarter sometime before the end of September 2025.
The malware provides attackers with remote access and the ability to execute arbitrary code within core system processes - effectively giving adversaries control over devices that sit at the edge of federal networks and often handle sensitive traffic flows.
Cisco in September 2025 patched two of the vulnerabilities exploited by the Firestarter hackers, CVE-2025-20333 and CVE-2025-20362. The networking giant said the implant comes from the same threat actor it tracks as ArcaneDoor, state-sponsored activity targeting network perimeter devices. Wired in August 2024 quoted sources asserting that ArcaneDoor actors are likely Chinese nation-state hackers. CISA and the NCSC on Thursday additionally published an advisory on "defending against China-nexus covert networks of compromised devices."
A Chinese connection wouldn't be a surprise, given how Beijing has exploited unpatched Cisco networking gear to spy on top governmental and political targets (see: Talos: No Cisco Zero Days Used in Salt Typhoon Telecom Hacks).
The two flaws were previously added to CISA's Known Exploited Vulnerabilities catalog, triggering mandatory remediation processes for federal agencies. But the updated guidance says devices already infected with Firestarter remain compromised even after the patch is applied.
CISA directed agencies to assume potential compromise and take aggressive forensic and mitigation steps, including identifying all affected devices, collecting system artifacts, and working with the agency on incident response and analysis.
CISA said agencies should treat the directive as an urgent operational requirement and should validate that their remediation efforts have fully removed unauthorized access to systems.
With reporting by ISMG's David Perera in Northern Virginia