
30/09/2025
A Citrix vulnerability — suspected to have led to firings of multiple FEMA technology staff — enabled the breach, which let hackers pilfer data from FEMA servers connected to states at the southern border.
A “widespread cybersecurity incident” at the Federal Emergency Management Agency allowed hackers to make off with employee data from both the disaster management office and U.S. Customs and Border Protection, according to a screenshot of an incident overview presentation obtained by Nextgov/FCW.
The hack is also suspected to have later triggered the dismissal of two dozen Federal Emergency Management Agency technology employees announced late last month, according to internal meeting notes and a person familiar with the matter.
The initial compromise began June 22, when hackers accessed Citrix virtual desktop infrastructure inside FEMA using compromised login credentials. Data was exfiltrated from Region 6 servers, the image says. That FEMA region services Arkansas, Louisiana, New Mexico, Oklahoma and Texas, as well as nearly 70 tribal nations.
Some of those states sit on the nation’s southern border. That region has long been a flashpoint in the Trump administration’s immigration policies, which have emphasized shoring up funding and resources for CBP.
DHS security operations staff were notified of the breach on July 7, the screenshot adds. On July 14, the unnamed threat actor used an account with high-level access and attempted to install virtual networking software that could allow them to extract information. Initial remediation steps were taken on July 16.
An internal FEMA email dated August 18 previously obtained by Nextgov/FCW ordered all agency employees to change their passwords “due to recent cybersecurity incidents and threats.” It required password changes within two weeks of the email being sent. The email did not provide details about the security issues.
The FEMA IT staff firings were announced on Aug. 29, following a routine review of the agency’s systems, which uncovered a vulnerability “that allowed the threat actor to breach FEMA’s network and threaten the entire department and the nation as a whole,” the Department of Homeland Security said at the time. The terminations, announced by DHS Secretary Kristi Noem, also targeted FEMA’s top technology and cybersecurity officers.
FEMA’s IT employees “resisted any efforts to fix the problem,” avoided scheduled inspections and “lied” to officials about the scope of the cyber vulnerabilities, DHS said when Noem first announced the staff terminations last month. “Failures included: an agency-wide lack of multi-factor authentication, use of prohibited legacy protocols, failing to fix known and critical vulnerabilities, and inadequate operational visibility,” DHS also said.
Citrix sells tools that help employees access workplace apps remotely. The suspected vulnerability, dubbed CitrixBleed 2.0, has previously allowed cyber intruders to circumvent multifactor authentication protocols, which check if a user is masquerading as someone else when accessing a system.
The term “bleed” refers to the method by which hackers can compel susceptible devices to leak out memory content, allowing them to assemble specks of data and build out login credentials that can then be used to breach systems.
On Sept. 8, FEMA announced a temporary IT operational structure that named around a dozen acting officials in roles focused on technology, engineering, hosting services and security operations center management. That email was sent by Diego Lapiduz, named the acting Chief Information Officer of FEMA, after previous CIO Charles Armstrong was removed in the August firings.
Lapiduz issued another email on Sept. 12, which announced the addition of another site services official in the reporting structure.