Hacker exploited Citrix vulnerability to breach FEMA network

A months-long cyber intrusion into the Federal Emergency Management Agency (FEMA) has compromised sensitive data from both FEMA and U.S. Customs and Border Protection (CBP) employees.

FEMA holds vast quantities of sensitive data, from disaster relief applications to internal emergency response plans, making it a high-value target for cybercriminals.

The hacker gained access to FEMA’s Region 6 network, which covers Arkansas, Louisiana, New Mexico, Oklahoma, Texas, and nearly 70 tribal nations, through the agency’s Citrix virtual desktop infrastructure, using compromised login credentials. The Department of Homeland Security (DHS) confirmed that the intrusion lasted from June 22 to August 5 and was first detected on July 7.

According to internal documents obtained by Nextgov/FCW, the intruder used high-level access to install virtual private networking software in an attempt to extract data. FEMA confirmed that information was stolen from Region 6 servers, contradicting earlier DHS claims that the vulnerability had been patched before any data was exfiltrated.

The attack is linked to a vulnerability known as CitrixBleed 2.0 (CVE-2025-5777), an out-of-bounds memory read in Citrix NetScaler ADC and NetScaler Gateway. By triggering it repeatedly, an attacker harvests fragments of the appliance’s memory, which can include valid session tokens; replaying a stolen token takes over an already-authenticated session, so multi-factor authentication is sidestepped rather than defeated, and login credentials can be collected piecemeal over time.
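Because a replayed session token rides an existing login, the MFA prompt never fires again; what does change is that one session token starts arriving from a second source IP while the original client is still active. The detector below is an added example written for this page (it is not code from the article, FEMA, DHS or Citrix) and it runs over constructed, simplified gateway access-log lines; the `user=… session=… src=…` field layout is an assumption for illustration, not NetScaler’s real syslog format.

```python
"""Flag gateway session tokens presented from more than one source IP.

Added example for this page, not code from the article or from Citrix.
Log format is constructed: "<ISO-8601 ts> user=<u> session=<token> src=<ip>".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) session=(?P<token>\S+) src=(?P<ip>\S+)$"
)

# Constructed sample data (documentation IP ranges, made-up tokens).
# alice: her token shows up from a second IP five minutes later  -> hijack pattern
# bob:   two different tokens from two IPs (normal reconnect)    -> benign
# carol: one token, one IP                                        -> benign
# dave:  same token from two IPs, but 4.5 hours apart             -> depends on window
SAMPLE_LOG = """\
2025-06-22T09:00:00Z user=dave session=SESS-dd1122 src=192.0.2.40
2025-06-22T13:01:05Z user=alice session=SESS-a1b2c3 src=203.0.113.10
2025-06-22T13:04:41Z user=alice session=SESS-a1b2c3 src=203.0.113.10
2025-06-22T13:09:12Z user=alice session=SESS-a1b2c3 src=198.51.100.77
2025-06-22T13:15:00Z user=bob session=SESS-d4e5f6 src=192.0.2.25
2025-06-22T13:30:00Z user=dave session=SESS-dd1122 src=198.51.100.9
2025-06-22T14:02:30Z user=bob session=SESS-778899 src=192.0.2.26
2025-06-22T14:30:00Z user=carol session=SESS-cc0011 src=203.0.113.55
this line is malformed and must be skipped
"""


def parse_line(line):
    """Return (ts, user, token, ip) for a well-formed line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["user"], m["token"], m["ip"]


def find_shared_sessions(lines, window_minutes=30):
    """Return {token: details} for tokens seen from two IPs within the window.

    A token is flagged when two consecutive sightings come from different
    source IPs and are no more than `window_minutes` apart, i.e. the session
    was active from one client when another client presented the same token.
    A large window catches long-lived sessions; a small one cuts false
    positives from clients that legitimately roam between networks.
    """
    sightings = defaultdict(list)  # token -> [(ts, ip, user)]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of aborting the sweep
        ts, user, token, ip = parsed
        sightings[token].append((ts, ip, user))

    window = timedelta(minutes=window_minutes)
    flagged = {}
    for token, events in sightings.items():
        events.sort()
        for (t1, ip1, _), (t2, ip2, _) in zip(events, events[1:]):
            if ip1 != ip2 and t2 - t1 <= window:
                break  # overlapping use from two IPs: treat as token replay
        else:
            continue
        flagged[token] = {
            "user": events[0][2],
            "ips": sorted({ip for _, ip, _ in events}),
            "first_seen": events[0][0].isoformat(),
            "last_seen": events[-1][0].isoformat(),
        }
    return flagged


if __name__ == "__main__":
    for token, info in find_shared_sessions(SAMPLE_LOG.splitlines()).items():
        print(f"{token}: user={info['user']} ips={info['ips']} "
              f"{info['first_seen']} .. {info['last_seen']}")
```

With the default 30-minute window only alice’s token is reported; widening the window to eight hours also surfaces dave’s token, which is the trade-off a responder tunes against the gateway’s configured session lifetime. Sessions flagged this way are candidates for forced termination, which is why remediation for this class of bug is patch first, then kill every live session so tokens leaked before the patch stop working.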

Following the breach, DHS announced the dismissal of two dozen FEMA technology staff, including top cybersecurity officials. DHS Secretary Kristi Noem cited gross negligence, including failure to implement multi-factor authentication, reliance on outdated protocols, and concealment of critical vulnerabilities from oversight bodies.

An internal FEMA email dated August 18 ordered all employees to change their passwords within two weeks due to “recent cybersecurity incidents and threats,” though it offered no specifics at the time.

DHS has not yet disclosed the full extent of the stolen data or whether it included personally identifiable information (PII).
