Skip to main content
Explore our brands An Informa TechTarget Publication
close search
site logo

US, UK authorities warn that Firestarter backdoor malware survives patching

A federal agency was impacted by a hacking campaign that exploited flaws in Cisco devices.

Published April 27, 2026
David Jones's headshot
Reporter
Nick Andersen, executive assistant director for cybersecurity, speaks during the Billington Cybersecurity Summit in Washington D.C. on Sept. 11, 2025.
Nick Andersen, executive assistant director for cybersecurity, speaks during the Billington Cybersecurity Summit in Washington, D.C., on Sept. 11, 2025. CISA in April 2026 warned that federal agencies need to confirm they have not been compromised by a threat campaign targeting vulnerable Cisco devices. Courtesy of Billington

U.S. and U.K. authorities have issued warnings about backdoor malware used against vulnerable Cisco devices that can maintain persistence despite being patched. 

The backdoor malware, dubbed Firestarter, was discovered during a forensic investigation at a federal civilian executive branch agency during a forensic investigation, according to the Cybersecurity and Infrastructure Security Agency.

CISA issued an emergency directive in September 2025 for federal agencies to immediately take steps to mitigate against the attacks, which were linked to the ArcaneDoor activity initially identified in early 2024. 

The campaign was linked to a threat actor tracked as UAT-4356, according to a Thursday blog post from Cisco Talos.  

The attacks targeted Cisco Firepower and Secure Firewall products that used Adaptive Security Appliance or Firepower Threat Defense software, CISA warned in an advisory released Thursday.

The hackers exploited two critical vulnerabilities: CVE-2025-20333 and CVE-2025-20362

CISA said it found suspicious connections on a Firepower device running Adaptive Security Appliance software at the federal agency. The investigation discovered that hackers deployed an implant called Line Viper and used Firestarter malware in order to maintain persistence on the device.

Cisco released a security bulletin Thursday with guidance on how to mitigate the threat and issued an update Friday. 

CISA has issued new guidance for all FCEB agencies to check for potential compromise and take additional mitigation measures

Editors' picks

Company Announcements

View all | Post a press release
Protectors Edge: Leadership through Strategy and Action
From 360 Privacy
April 24, 2026
360 Privacy logo
Blackpoint Cyber Appoints Jacob Yavil as Chief Financial Officer
From Blackpoint Cyber
April 06, 2026
Blackpoint Cyber logo
Cobalt Iron Launches Compass Tape Gateway™
From Cobalt Iron
April 15, 2026
Cobalt Iron logo
Naot Footwear Strengthens Global Brand Protection Through Partnership with BrandShield
From BrandShield
April 13, 2026
BrandShield logo
Editors' picks
Latest in Vulnerability
This website is owned and operated by Informa TechTarget, a global network that informs, influences and connects the world's technology buyers and sellers.

© 2025 TechTarget, Inc. or its subsidiaries. All rights reserved. An Informa PLC company.
Privacy policy | Terms of use | Take down policy | Cookie Preferences / Do Not Sell