VYPR
Advisory · Published May 2, 2026 · Updated May 17, 2026 · 1 source

CISA and NCSC Warn of FIRESTARTER Backdoor Targeting Cisco Firewalls

CISA and the NCSC have identified a backdoor called FIRESTARTER that allows APT actors to maintain persistent access to Cisco Firepower and Secure Firewall devices even after security patches are applied.

CISA and the United Kingdom’s National Cyber Security Centre (NCSC) have issued a joint warning regarding "FIRESTARTER," a sophisticated backdoor malware used by advanced persistent threat (APT) actors to maintain persistence on compromised network infrastructure (CISA). The malware specifically targets Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software (CISA).

According to the analysis, FIRESTARTER functions as a backdoor that grants attackers remote access and control over infected systems (CISA). The malware is part of a broader campaign in which threat actors initially gained access to Cisco ASA firmware by exploiting two specific vulnerabilities: CVE-2025-20333, a missing authorization flaw (CWE-862), and CVE-2025-20362, a classic buffer overflow (CWE-120) (CISA). Once installed, the backdoor allows the actors to maintain a foothold even after security patches have been applied, effectively enabling them to re-access the devices without needing to re-exploit the original vulnerabilities (CISA).

While the malware is designed to operate on both ASA and FTD software, CISA has confirmed observing successful implants in the wild specifically on Cisco Firepower devices running ASA software (CISA). The discovery of this backdoor is tied to the ongoing investigation surrounding Emergency Directive (ED) 25-03, which was originally issued in September 2025 to address potential compromises of Cisco devices (CISA).

In response to the threat, CISA has updated ED 25-03 to include new requirements for U.S. Federal Civilian Executive Branch (FCEB) agencies (CISA). These agencies are now mandated to collect and submit core dumps to CISA’s Malware Next Generation platform and report the submission immediately to the CISA 24/7 Operations Center (CISA). Agencies are instructed to take no further action until they receive specific guidance from CISA (CISA).

For all other organizations, including those in the private sector and the U.K., CISA and the NCSC recommend using the provided YARA rules to scan disk images or core dumps for signs of the FIRESTARTER backdoor (CISA). Any confirmed compromises should be reported to CISA or the NCSC, and organizations are encouraged to initiate standard incident response procedures (CISA). Further technical details and detection resources, including the FIRESTARTER STIX file, are available through the official CISA Malware Analysis Report (CISA).

The emergence of FIRESTARTER highlights a growing trend of APT actors focusing on long-term persistence within critical network appliances. By targeting the firmware layer of security devices, attackers can bypass traditional perimeter defenses and maintain access despite standard patching cycles. This incident underscores the importance of deep forensic analysis and memory-level inspection for organizations managing high-value network infrastructure.

Synthesized by Vypr AI