Firestarter backdoor malware compromises US federal agency Cisco firewalls
Published 2026-04-23 19:03 UTC
Updated 2026-04-24 15:20 UTC
malware, backdoor, cve, federal_agency, incident_response, security_advisory
Overview
A sophisticated state-sponsored hacking group implanted a persistent backdoor malware named Firestarter on Cisco Firepower firewall devices within a US federal civilian agency.
Entities
Cisco, Cybersecurity and Infrastructure Security Agency, National Cyber Security Centre, Firestarter, ArcaneDoor
- Score total: 1.67
- Momentum 24h: 6
- Posts: 6
- Origins: 6
- Source types: 1
- Duplicate ratio: 0%
Why now
- The malware has been active since late 2025 but was only recently discovered on a US federal agency’s Cisco firewall.
- CISA and UK cybersecurity authorities jointly disclosed the threat and issued updated emergency guidance this week.
- The discovery follows ongoing exploitation of Cisco ASA vulnerabilities, underscoring the need for rapid response and patching.
Why it matters
- The malware’s persistence after patches and reboots complicates remediation efforts on critical government infrastructure.
- Exploitation of Cisco firewall vulnerabilities threatens the security of federal civilian agencies’ network perimeters.
- CISA’s emergency directive highlights the urgency and scale of the compromise, prompting immediate audits and forensic analysis.
LLM analysis
- Topic mix: low
- Promo risk: low
- Source quality: medium
Recurring claims
- Firestarter malware implants a persistent backdoor on Cisco firewall devices that survives firmware updates and reboots.
- The malware was found on a US federal civilian agency's Cisco Firepower firewall device after exploitation of Cisco ASA vulnerabilities CVE-2025-20333 and CVE-2025-20362.
- CISA issued an emergency directive requiring federal civilian agencies to audit Cisco firewall infrastructure and submit device memory snapshots for analysis.
All evidence
CISA: Malware attack compromises US agency via Cisco exploit
SC Media · scworld.com · 2026-04-24 15:20 UTC
Governments on high alert after CISA snuffs out Firestarter backdoor on fed network
The Register Security · go.theregister.com · 2026-04-24 14:46 UTC
US Federal Agency’s Cisco Firewall Infected With ‘Firestarter’ Backdoor
SecurityWeek · securityweek.com · 2026-04-24 11:26 UTC
New Cisco firewall malware can only be killed by pulling the plug
Help Net Security · helpnetsecurity.com · 2026-04-24 09:56 UTC
US, UK agencies warn hackers were hiding on Cisco firewalls long after patches were applied
CyberScoop · cyberscoop.com · 2026-04-23 20:25 UTC
CISA: US agency breached through Cisco vulnerability, FIRESTARTER backdoor allowed access through March
The Record (Recorded Future News) · therecord.media · 2026-04-23 19:03 UTC
Top publishers (this list)
- SC Media (1)
- The Register Security (1)
- SecurityWeek (1)
- Help Net Security (1)
- CyberScoop (1)
- The Record (Recorded Future News) (1)
Top origin domains (this list)
- scworld.com (1)
- go.theregister.com (1)
- securityweek.com (1)
- helpnetsecurity.com (1)
- cyberscoop.com (1)
- therecord.media (1)