CISA reports persistent FIRESTARTER backdoor on Cisco ASA device in federal network
CISA reports persistent FIRESTARTER backdoor on Cisco ASA device in federal network
Publish Date: 2026-04-24 20:12:00
Source Domain: securityaffairs.com
CISA reports persistent FIRESTARTER backdoor on Cisco ASA device in federal network
Pierluigi Paganini
April 25, 2026
CISA said a federal Cisco Firepower ASA device was infected with the FIRESTARTER backdoor in Sept 2025, and it survived security patches.
CISA revealed that a U.S. federal civilian agency’s Cisco Firepower device running ASA software was compromised in September 2025 by the FIRESTARTER backdoor. The malware reportedly persisted even after security patches were applied, showing strong stealth and resilience against detection and remediation efforts.
FIRESTARTER is a backdoor identified by CISA and the UK NCSC, used for remote access and control in a likely APT campaign targeting Cisco ASA devices. It exploits now-patched flaws including CVE-2025-20333, which allowed remote code execution with VPN credentials, and CVE-2025-20362, which enabled unauthenticated access to restricted endpoints via crafted HTTP requests.
“The Cybersecurity and Infrastructure Security Agency (CISA) analyzed a sample of FIRESTARTER malware obtained from a forensic investigation. CISA and the United Kingdom National Cyber Security Centre (NCSC) assess that FIRESTARTER—a backdoor that allows remote access and control—is part of a widespread campaign that afforded an advanced persistent threat (APT) actor initial access to Cisco Adaptive Security Appliance (ASA) firmware by exploiting CVE-2025-20333 [CWE-862: Missing Authorization] and/or CVE-2025-20362 [CWE-120: Classic Buffer Overflow].” reads the report published by CISA.
CISA and the NCSC warn that FIRESTARTER can persist on Cisco ASA or Firepower Threat Defense systems even after patching, allowing attackers to regain access without re-exploiting vulnerabilities. U.S. federal agencies must follow CISA Emergency Directive 25-03. Organizations are urged to use provided YARA rules to detect the malware in disk images or core dumps and…
