Attackers are hitting a frequent target in the network edge space, intruding victim networks through a defect in a widely used mobile endpoint security product.

Investigators found the malware, dubbed Firestarter, on a federal agency's network in a campaign dating back to at least September 2025.

GreyNoise researchers spotted a consistent trend in forthcoming vulnerabilities affecting security tools, providing defenders an early-warning system for likely imminent attacks.

The maximum-severity vulnerability, which hasn’t been exploited in the wild yet, affects software customers use to manage networking devices.

The vendor said it’s not aware of any active exploitation of the vulnerabilities, which could allow remote attackers to achieve root access and execute code.

The global campaign marks the second series of multiple actively exploited zero-day vulnerabilities in Cisco edge technology since last spring. The similarities don’t end there.

The average time from intrusion to network movement in 2025 was 29 minutes, a 65% increase in speed from the year prior.

Shadowserver scans have identified 86 compromised instances, and researchers warn multiple threat groups are involved.

Limited attacks occurred prior to Ivanti’s disclosure, followed by mass exploitation by multiple threat groups. More than 1,400 potentially vulnerable instances remain exposed.

Attackers have exploited the critical defect to reconfigure firewall settings and create unauthorized accounts with privileged access to multiple versions of the vendor’s security products.