US, UK agencies warn hackers were hiding on Cisco firewalls long after patches were applied | CyberScoop<\/title> <meta name=\"description\" content=\""CISA and the NCSC warn of 'Firestarter,' a persistent Cisco firewall backdoor that survives patches. Authorities mandate hard reboots and device reimaging to eliminate the threat."\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/cisco-firestarter-malware-cisa-warning\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"US, UK agencies warn hackers were hiding on Cisco firewalls long after patches were applied\"> <meta property=\"og:description\" content=\""CISA and the NCSC warn of 'Firestarter,' a persistent Cisco firewall backdoor that survives patches. Authorities mandate hard reboots and device reimaging to eliminate the threat."\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/cisco-firestarter-malware-cisa-warning\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2026-04-23T20:25:05+00:00\"> <meta property=\"article:modified_time\" content=\"2026-04-23T20:25:08+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/us-uk-agencies-warn-hackers-were-hiding-on-cisco-firewalls-long-after-patches-were-applied-2.jpg\"> <meta property=\"og:image:width\" content=\"5000\"> <meta property=\"og:image:height\" content=\"3338\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Greg Otto\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@gregotto\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1774626878g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1774625888g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1775068334g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/88741\"><meta name=\"generator\" content=\"WordPress 6.8.5\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=88741\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcisco-firestarter-malware-cisa-warning%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcisco-firestarter-malware-cisa-warning%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-88741 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/cisco-firestarter-malware-cisa-warning\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"26.483833718245\">\n<div class=\"single-article__header-content\" readability=\"36.545454545455\">\n<p> Investigators found the malware, dubbed Firestarter, on a federal agency’s network in a campaign dating back to at least September 2025. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/88741\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"427\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/us-uk-agencies-warn-hackers-were-hiding-on-cisco-firewalls-long-after-patches-were-applied.jpg?resize=640%2C427&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/us-uk-agencies-warn-hackers-were-hiding-on-cisco-firewalls-long-after-patches-were-applied-2.jpg 5000w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/us-uk-agencies-warn-hackers-were-hiding-on-cisco-firewalls-long-after-patches-were-applied-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/us-uk-agencies-warn-hackers-were-hiding-on-cisco-firewalls-long-after-patches-were-applied-2.jpg?resize=768,513 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/us-uk-agencies-warn-hackers-were-hiding-on-cisco-firewalls-long-after-patches-were-applied-2.jpg?resize=1024,684 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/us-uk-agencies-warn-hackers-were-hiding-on-cisco-firewalls-long-after-patches-were-applied-2.jpg?resize=1536,1025 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/us-uk-agencies-warn-hackers-were-hiding-on-cisco-firewalls-long-after-patches-were-applied-2.jpg?resize=2048,1367 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/us-uk-agencies-warn-hackers-were-hiding-on-cisco-firewalls-long-after-patches-were-applied-2.jpg?resize=600,401 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/us-uk-agencies-warn-hackers-were-hiding-on-cisco-firewalls-long-after-patches-were-applied-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/us-uk-agencies-warn-hackers-were-hiding-on-cisco-firewalls-long-after-patches-were-applied-2.jpg?resize=505,337 505w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/us-uk-agencies-warn-hackers-were-hiding-on-cisco-firewalls-long-after-patches-were-applied-2.jpg?resize=1011,675 1011w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/us-uk-agencies-warn-hackers-were-hiding-on-cisco-firewalls-long-after-patches-were-applied-2.jpg?resize=1263,843 1263w\" sizes=\"(max-width: 1011px) 100vw, 1011px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"49.940729220667\"><body readability=\"102.1306640625\"><\/p>\n<p>A state-sponsored hacking group has implanted a custom backdoor on Cisco network security devices that can survive firmware updates and standard reboots, U.S. and British cybersecurity authorities disclosed Thursday, marking a significant escalation in a campaign that has targeted government and critical infrastructure networks since at least late 2025.<\/p>\n<p>The Cybersecurity and Infrastructure Security Agency and the United Kingdom\u2019s National Cyber Security Centre jointly published <a href=\"https:\/\/www.cisa.gov\/news-events\/analysis-reports\/ar26-113a\">a malware analysis report<\/a> identifying the backdoor, code-named Firestarter. Cisco\u2019s threat intelligence division, Talos, attributed the malware to a threat actor it tracks as UAT-4356. The company attributed the same group to a 2024 espionage campaign called <a href=\"https:\/\/cyberscoop.com\/cisa-emergency-directive-cisco-zero-days\/#:~:text=devices%20it%20dubbed%20%E2%80%9C-,ArcaneDoor,-%2C%E2%80%9D%20said%20the%20new\">ArcaneDoor<\/a>, which focused on compromising network perimeter devices.<\/p>\n<p>CISA confirmed it discovered Firestarter on a U.S. federal civilian agency\u2019s Cisco Firepower device after identifying suspicious connections through continuous network monitoring. The finding prompted <a href=\"https:\/\/www.cisa.gov\/news-events\/directives\/v1-ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices\">an updated emergency directive<\/a> issued Thursday, requiring all federal civilian agencies to audit their Cisco firewall infrastructure and submit device memory snapshots for analysis by Friday.<\/p>\n<h4 class=\"wp-block-heading\" id=\"h-a-backdoor-that-outlasts-patches\">A backdoor that outlasts patches<\/h4>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The central concern driving the updated directive is the attack group\u2019s ability to persist on compromised devices, even after enterprises applied security patches <a href=\"https:\/\/cyberscoop.com\/cisa-emergency-directive-cisco-zero-days\/\">Cisco released in September 2025<\/a>. Those patches addressed two vulnerabilities \u2014 <a href=\"https:\/\/sec.cloudapps.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-asaftd-webvpn-z5xP8EUB\">CVE-2025-20333<\/a>, a remote code execution flaw in the VPN web server component, and <a href=\"https:\/\/sec.cloudapps.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-asaftd-webvpn-YROOTUW\">CVE-2025-20362<\/a>, an unauthorized access vulnerability \u2014 that UAT-4356 exploited to gain initial entry. According to CISA, devices compromised before patching may still harbor the implant.<\/p>\n<p>Firestarter allows attackers to achieve persistence by manipulating the Cisco Service Platform mount list, a configuration file that governs which programs execute during the device\u2019s boot sequence. When the device receives a termination signal or enters a reboot, the malware copies itself to a secondary location and rewrites the mount list to restore and relaunch itself after the system comes back online. <\/p>\n<p>Critically, a standard software reboot does not remove the implant. Only a hard reboot \u2014 physically disconnecting the device from its power supply \u2014 is sufficient to clear the persistence mechanism from memory, according to both CISA and Cisco.<\/p>\n<p>From there, the malware injects malicious shellcode into LINA, the core networking and firewalling code of Cisco\u2019s Adaptive Security Appliance and Firepower Threat Defense software. Once embedded, the malware intercepts a specific type of network request normally used for VPN authentication. When a request arrives containing a hidden trigger sequence, it executes code supplied by the attackers, giving them a backdoor into the device.<\/p>\n<h4 class=\"wp-block-heading\" id=\"h-ties-to-ongoing-campaign\">Ties to ongoing campaign<\/h4>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Cisco Talos noted that Firestarter shares significant technical similarities with a previously documented implant called RayInitiator, suggesting the tools share a common origin or development history within UAT-4356\u2019s arsenal.<\/p>\n<p>In the federal agency incident analyzed by CISA, the attackers first deployed a separate implant, called Line Viper, to gain access to device configurations, credentials, and encryption keys. Firestarter was installed shortly after, prior to Cisco\u2019s September 2025 patches being applied to those specific devices. When the agency patched its systems, Firestarter stayed on the devices, and the actors used it to then redeploy Line Viper in March, nearly six months after the initial breach.<\/p>\n<p>Cisco and CISA did not attribute the espionage attacks to a specific nation state, but Censys researchers previously said it found compelling evidence indicating a <a href=\"https:\/\/censys.com\/blog\/analysis-of-arcanedoor-threat-infrastructure-suggests-potential-ties-to-chinese-based-actor\">threat group based in China<\/a> was behind the ArcaneDoor campaign. Censys noted it found evidence of multiple major Chinese networks and Chinese-developed anti-censorship software during its investigation into the early 2024 attacks.<\/p>\n<p>The persistence vulnerability affects a broad range of Cisco hardware, including the Firepower 1000, 2100, 4100, and 9300 series, as well as the Secure Firewall 1200, 3100, and 4200 series.<\/p>\n<p><a href=\"https:\/\/sec.cloudapps.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-asaftd-persist-CISAED25-03\">Cisco has released updated software<\/a> to address the persistence mechanism, though the company strongly recommends reimaging affected devices rather than relying solely on software updates where compromise is suspected.<\/p>\n<p>The incident reflects a pattern increasingly seen among state-linked hackers: targeting the <a href=\"https:\/\/cyberscoop.com\/greynoise-traffic-surge-early-warning-system-network-edge-device-vulnerabilities\/\">network edge devices<\/a> that organizations rely on to enforce security boundaries. Because these appliances sit at the perimeter of enterprise and government networks, compromising them can expose internal traffic and give attackers a position to intercept credentials and communications.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>CISA acknowledged active exploitation of the underlying vulnerabilities was ongoing at the time of publication.<\/p>\n<p>A Cisco spokesperson told CyberScoop that customers needing assistance should contact <a href=\"https:\/\/www.cisco.com\/c\/en\/us\/support\/index.html\">Cisco Technical Assistance<\/a> for support. CISA did not respond to a request for comment. <\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.472972972973\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/us-uk-agencies-warn-hackers-were-hiding-on-cisco-firewalls-long-after-patches-were-applied-1.jpg?w=640&ssl=1\" alt=\"Greg Otto\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Greg Otto<\/h4>\n<p> Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/cisco-firestarter-malware-cisa-warning\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>US, UK agencies warn hackers were hiding on Cisco firewalls<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6503,271,1764,78,452,1861,6504,117,168,3332,4838,256,288],"tags":[6505,277,1769,86,454,1862,6506,119,169,3336,4841,262,294],"class_list":["post-8579","post","type-post","status-publish","format-standard","hentry","category-arcanedoor","category-china","category-cisco","category-cybersecurity","category-cybersecurity-and-infrastructure-security-agency-cisa","category-emergency-directive","category-firestarter","category-government","category-malware","category-nation-state-hackers","category-network-edge-devices","category-research","category-threats","tag-arcanedoor","tag-china","tag-cisco","tag-cybersecurity","tag-cybersecurity-and-infrastructure-security-agency-cisa","tag-emergency-directive","tag-firestarter","tag-government","tag-malware","tag-nation-state-hackers","tag-network-edge-devices","tag-research","tag-threats"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/arcanedoor\/\" rel=\"category tag\">ArcaneDoor<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/china\/\" rel=\"category tag\">China<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cisco\/\" rel=\"category tag\">Cisco<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-and-infrastructure-security-agency-cisa\/\" rel=\"category tag\">Cybersecurity and Infrastructure Security Agency (CISA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/emergency-directive\/\" rel=\"category tag\">emergency directive<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/firestarter\/\" rel=\"category tag\">Firestarter<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/government\/\" rel=\"category tag\">Government<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/malware\/\" rel=\"category tag\">Malware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/nation-state-hackers\/\" rel=\"category tag\">nation-state hackers<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/network-edge-devices\/\" rel=\"category tag\">network edge devices<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a>","tag_info":"Threats","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8579","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8579"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8579\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8579"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8579"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8579"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":8579,"date":"2026-04-23T15:25:05","date_gmt":"2026-04-23T20:25:05","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=88741"},"modified":"2026-04-23T15:25:05","modified_gmt":"2026-04-23T20:25:05","slug":"us-uk-agencies-warn-hackers-were-hiding-on-cisco-firewalls-long-after-patches-were-applied","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2026\/04\/23\/us-uk-agencies-warn-hackers-were-hiding-on-cisco-firewalls-long-after-patches-were-applied\/","title":{"rendered":"US, UK agencies warn hackers were hiding on Cisco firewalls long after patches were applied"},"content":{"rendered":"