# FIRESTARTER Backdoor Discovered on Cisco Firewalls—APT Actors Maintaining Persistence Post-Patch


## The Threat


The Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom National Cyber Security Centre (NCSC) have identified a sophisticated backdoor malware called FIRESTARTER that grants advanced persistent threat (APT) actors long-term access to compromised Cisco firewall devices. The malware operates as a persistence mechanism, allowing attackers to maintain remote access even after critical security patches are applied—a particularly dangerous capability that transforms a patched vulnerability into an ongoing compromise.


FIRESTARTER has been deployed as part of a widespread campaign targeting publicly accessible Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices. The initial compromise vector exploits two critical vulnerabilities in Cisco firmware: CVE-2025-20333 (a missing authorization flaw) and CVE-2025-20362 (a classic buffer overflow). However, once implanted, FIRESTARTER establishes a backdoor that persists independently of whether the underlying vulnerabilities have been patched. This means that organizations patching these CVEs without conducting forensic investigations may have false confidence that their devices are secure, while APT actors retain hidden access.


CISA and the NCSC assess that threat actors have successfully deployed FIRESTARTER in operational environments, with confirmed observations on at least one Cisco Firepower device running ASA software. The malware has been recovered through forensic investigations, analyzed, and is now the subject of emergency directives and detection guidance aimed at preventing its continued use. This report represents a critical wake-up call for organizations relying on Cisco firewall devices for network perimeter security—a device category that has been targeted by nation-state actors and sophisticated threat groups with increasing frequency.


## Severity and Impact


| Attribute | Details |

|-----------|---------|

| Malware Name | FIRESTARTER |

| Malware Type | Backdoor / Post-Exploitation Persistence Mechanism |

| Associated CVE (Initial Access) | CVE-2025-20333, CVE-2025-20362 |

| CVE-2025-20333 CWE | CWE-862: Missing Authorization |

| CVE-2025-20362 CWE | CWE-120: Classic Buffer Overflow |

| Affected Software | Cisco ASA (Adaptive Security Appliance), Cisco Firepower Threat Defense (FTD) |

| Attack Vector | Network (requires public access to firewall device) |

| Attack Complexity | Low (documented exploits available) |

| Authentication Required | None (unauthenticated remote exploitation possible) |

| Impact | Complete device compromise, persistent backdoor access, post-patch persistence |

| Threat Actor Profile | Advanced Persistent Threat (APT) actors with nation-state or sophisticated criminal capabilities |


The critical aspect of FIRESTARTER's threat profile is its post-patching persistence. Organizations that patch CVE-2025-20333 and CVE-2025-20362 without detecting FIRESTARTER will believe their devices are secure while remaining compromised. This persistence capability transforms an incident response timeline from "patch and move on" to "forensically investigate every Cisco firewall in our environment."


## Affected Products


Cisco Adaptive Security Appliance (ASA):

  • All versions vulnerable to CVE-2025-20333 and CVE-2025-20362 (confirmed malware implantation in the wild)

    • Cisco Firepower Threat Defense (FTD):

  • All versions vulnerable to CVE-2025-20333 and CVE-2025-20362 (theoretically vulnerable; no confirmed wild compromises reported by CISA at time of writing, but assessment indicates susceptibility)

    • Infrastructure Impact:

  • Cisco firewall devices serving as network perimeter protection
  • Publicly accessible firewall management interfaces
  • Devices with network exposure to untrusted networks

    • ## Mitigations


    Immediate Actions for U.S. Federal Agencies (FCEB):


    Organizations subject to CISA Emergency Directive 25-03 (and its V1 update) must take the following steps:


    1. Forensic Triage: Collect and submit core dumps from all Cisco Firepower and ASA devices to CISA's Malware Next Generation (MNG) platform

    2. Incident Reporting: Immediately report all submissions to CISA's 24/7 Operations Center (1-844-Say-CISA or central@cisa.dhs.gov)

    3. Guidance Compliance: Take no additional incident response actions until CISA provides specific next-steps guidance based on core dump analysis


    Actions for All Other Organizations:


    1. Detection and Analysis:

    - Download YARA rules released by CISA specifically designed to detect FIRESTARTER

    - Execute YARA scans against disk images and core dumps of all Cisco firewall devices

    - Engage digital forensics analysts and incident response teams to interpret findings


    2. Compromised Device Response:

    - If FIRESTARTER is detected, initiate full incident response procedures

    - Assume complete device compromise and evaluate network access logs for signs of lateral movement

    - Begin evidence collection and preservation immediately


    3. Vulnerability Patching:

    - Apply Cisco security patches for CVE-2025-20333 and CVE-2025-20362 to all Cisco ASA and FTD devices

    - Note: Patching alone is insufficient; forensic investigation is mandatory to detect pre-patch implants


    4. Network Segmentation and Monitoring:

    - Restrict management access to Cisco firewall devices to trusted administrative networks

    - Implement network segmentation to limit the impact of a compromised perimeter device

    - Enable enhanced logging and alerting on firewall management interface access

    - Monitor for suspicious outbound connections from firewall devices to command-and-control infrastructure


    5. Threat Hunting:

    - Search network logs for indicators of compromise (IoCs) and command-and-control beacon traffic

    - Analyze firewall device logs for abnormal user creation, authentication attempts, and configuration changes

    - Review stored forensic captures or net flow data for signs of exfiltration or lateral movement


    6. Reporting and Information Sharing:

    - Report any confirmed FIRESTARTER detections to CISA or the UK NCSC

    - Participate in coordinated vulnerability disclosure timelines

    - Share sanitized indicators of compromise with industry peers through ISACs


    ## References


  • CISA Emergency Directive 25-03 (V1): Identify and Mitigate Potential Compromise of Cisco Devices - https://www.cisa.gov/news-events/directives/emergency-directive-25-03
  • CISA Supplemental Direction: Core Dump and Hunt Instructions for ED 25-03
  • CISA Malware Analysis Report (AR26-113A): FIRESTARTER Backdoor - Download PDF version
  • Cisco Security Advisory: Cisco Firepower and ASA Vulnerabilities - Refer to official Cisco security pages
  • Cisco Talos Blog: Technical analysis and threat intelligence on FIRESTARTER
  • YARA Rule Repository: CISA-released YARA rules for FIRESTARTER detection

    • ---


    ### Key Takeaways


    FIRESTARTER represents a significant shift in how sophisticated threat actors are targeting network infrastructure. Rather than relying solely on vulnerability exploitation, APT actors have deployed a persistence mechanism that survives patching—a capability that demands forensic vigilance from all organizations, not just federal agencies.


    The timeline is critical: organizations must assume that any Cisco firewall with public internet exposure during the vulnerability window (September 2025 through April 2026) may be compromised. Patching is necessary but insufficient. Forensic investigation is now mandatory for assurance.


    This incident underscores a broader principle in incident response: patching is defense against new compromise, not proof against past compromise. Organizations must implement forensic-first response workflows for critical infrastructure devices, particularly when a known campaign has actively exploited vulnerabilities. The combination of CISA's guidance, YARA detection rules, and threat intelligence from NCSC provides the tools; execution discipline provides the assurance.