{"id":235315,"date":"2026-04-24T13:06:00","date_gmt":"2026-04-24T17:06:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/04\/24\/firestarter-backdoor-hit-federal-cisco-firepower-device-survives-security-patches\/"},"modified":"2026-04-24T19:10:07","modified_gmt":"2026-04-24T23:10:07","slug":"firestarter-backdoor-hit-federal-cisco-firepower-device-survives-security-patches","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/04\/24\/firestarter-backdoor-hit-federal-cisco-firepower-device-survives-security-patches\/","title":{"rendered":"FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/04\/firestarter-backdoor-hit-federal-cisco.html\">FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/04\/firestarter-backdoor-hit-federal-cisco.html\">https:\/\/thehackernews.com\/2026\/04\/firestarter-backdoor-hit-federal-cisco.html<\/a><\/p>\n<p>Publish Date: 2026-04-24 13:06:00<\/p>\n<p>Source Domain: <a href=\"https:\/\/thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has revealed that an unnamed federal civilian agency&#8217;s Cisco Firepower device running Adaptive Security Appliance (ASA) software was compromised in September 2025 with malware called <strong>FIRESTARTER<\/strong>.<\/p>\n<p>FIRESTARTER, per CISA and the U.K.&#8217;s National Cyber Security Centre (NCSC), is assessed to be a backdoor designed for remote access and control. 
It&#8217;s believed to be deployed as part of a &#8220;widespread&#8221; campaign orchestrated by an advanced persistent threat (APT) actor to obtain access to Cisco Adaptive Security Appliance (ASA) firmware by exploiting now-patched security flaws such as &#8211;<\/p>\n<ul>\n<li><strong>CVE-2025-20333<\/strong> (CVSS score: 9.9) &#8211; An improper validation of user-supplied input vulnerability that could allow an authenticated, remote attacker with valid VPN user credentials to execute arbitrary code as root on an affected device by sending crafted HTTP requests.<\/li>\n<li><strong>CVE-2025-20362<\/strong> (CVSS score: 6.5) &#8211; An improper validation of user-supplied input vulnerability that could allow an unauthenticated, remote attacker to access restricted URL endpoints without authentication by sending crafted HTTP requests.<\/li>\n<\/ul>\n<p>&#8220;FIRESTARTER can persist as an active threat on Cisco devices running ASA or Firepower Threat Defense (FTD) software, maintaining post-patching persistence and enabling threat actors to re-access compromised devices without re-exploiting vulnerabilities,&#8221; the agencies said.<\/p>\n<p>In the investigated incident, the threat actors were found to have deployed a post-exploitation toolkit called LINE VIPER that can execute CLI commands, perform packet captures, bypass VPN Authentication, Authorization, and Accounting (AAA) for actor devices, suppress syslog messages, harvest user CLI commands, and force a delayed reboot.<\/p>\n<p>The elevated access afforded by LINE VIPER served as a conduit for FIRESTARTER, which was deployed on the Firepower device before September 25, 2025, allowing the threat actors to maintain continued access and return to&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/04\/firestarter-backdoor-hit-federal-cisco.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches 
https:\/\/thehackernews.com\/2026\/04\/firestarter-backdoor-hit-federal-cisco.html Publish Date: 2026-04-24 13:06:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":235316,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhL39ca_K84pnKcPSv77aXouF3t3HCOjjL1zFVEdeDE64LiUxQ2Het8xQeTeO0JZRHZE56SbG87psVmhYCbSyu5PE3FZiHrAIzm0zp8nfGKk7XwVTUUjpeZ7zDEZwuJaQkZp6Cl20WF7qkWDAuaOQW5-OtTQ1ZvjW4xhHB9HrC2O-C6pPPnE94gLqp1GZrI\/s1600\/cisco.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,32,27],"class_list":["post-235315","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-malware","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/235315"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=235315"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/235315\/revisions"}],"predecessor-version":[{"id":235317,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/235315\/revisions\/235317"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/235316"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=235315"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=235315"},{"taxonomy":"post_tag",
"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=235315"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}