A state-sponsored hacking group has successfully implanted a custom backdoor on Cisco network security devices, allowing them to persist on the systems even after firmware updates and reboots, according to a joint warning from US and UK cybersecurity authorities [1]. The backdoor, known as Firestarter, has been used to target government and critical infrastructure networks since at least late 2025. This sophisticated malware can survive standard security measures, indicating a significant escalation in the hacking campaign. The Cybersecurity and Infrastructure Security Agency and the UK's National Cyber Security Centre have published a malware analysis report to help organizations detect and mitigate the threat. The fact that state-sponsored actors are involved shifts the threat model from traditional criminal activity to a geopolitical one, requiring a different approach to defense. This new threat landscape means that practitioners must reassess their security strategies to account for the increased sophistication and persistence of state-backed hackers.
US, UK agencies warn hackers were hiding on Cisco firewalls long after patches were applied
⚠️ Critical Alert
Why This Matters
State-aligned activity involving Cisco shifts the threat model from criminal to geopolitical — different playbook required.
References
1. CyberScoop. (2026, April 23). US, UK agencies warn hackers were hiding on Cisco firewalls long after patches were applied. CyberScoop. https://cyberscoop.com/cisco-firestarter-malware-cisa-warning/