{"id":235342,"date":"2026-04-24T20:12:00","date_gmt":"2026-04-25T00:12:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/04\/24\/cisa-reports-persistent-firestarter-backdoor-on-cisco-asa-device-in-federal-network\/"},"modified":"2026-04-24T21:10:13","modified_gmt":"2026-04-25T01:10:13","slug":"cisa-reports-persistent-firestarter-backdoor-on-cisco-asa-device-in-federal-network","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/04\/24\/cisa-reports-persistent-firestarter-backdoor-on-cisco-asa-device-in-federal-network\/","title":{"rendered":"CISA reports persistent FIRESTARTER backdoor on Cisco ASA device in federal network"},"content":{"rendered":"<p><a href=\"https:\/\/securityaffairs.com\/191241\/hacking\/cisa-reports-persistent-firestarter-backdoor-on-cisco-asa-device-in-federal-network.html\">CISA reports persistent FIRESTARTER backdoor on Cisco ASA device in federal network<\/a><\/p>\n<p>Publish Date: 2026-04-24 20:12:00<\/p>\n<p>Source Domain: securityaffairs.com<\/p>\n<h2>CISA reports persistent FIRESTARTER backdoor on Cisco ASA device in federal network<\/h2>\n<p><span>Pierluigi Paganini<\/span><br \/>\n<span>April 25, 2026<\/span><\/p>\n<p><img decoding=\"async\" class=\"img-fluid mb-4\" src=\"https:\/\/i0.wp.com\/securityaffairs.com\/wp-content\/uploads\/2014\/07\/cisco-building.jpg?fit=680%2C400&#038;ssl=1\" alt=\"\"\/><\/p>\n<h2 
class=\"wp-block-heading\">CISA said a federal Cisco Firepower ASA device was infected with the FIRESTARTER backdoor in Sept 2025, and it survived security patches.<\/h2>\n<p>CISA revealed that a U.S. federal civilian agency\u2019s Cisco Firepower device running ASA software was compromised in September 2025 by the FIRESTARTER backdoor. The malware reportedly persisted even after security patches were applied, showing strong stealth and resilience against detection and remediation efforts.<\/p>\n<p>FIRESTARTER is a backdoor identified by CISA and the UK NCSC, used for remote access and control in a likely APT campaign targeting Cisco ASA devices. It exploits now-patched flaws including CVE-2025-20333, which allowed remote code execution with VPN credentials, and CVE-2025-20362, which enabled unauthenticated access to restricted endpoints via crafted HTTP requests.<\/p>\n<p>\u201cThe Cybersecurity and Infrastructure Security Agency (CISA) analyzed a sample of FIRESTARTER malware obtained from a forensic investigation. CISA and the United Kingdom National Cyber Security Centre (NCSC) assess that FIRESTARTER\u2014a backdoor that allows remote access and control\u2014is part of a widespread campaign that afforded an advanced persistent threat (APT) actor initial access to Cisco Adaptive Security Appliance (ASA) firmware by exploiting\u00a0CVE-2025-20333 [CWE-862: Missing Authorization] and\/or\u00a0CVE-2025-20362 [CWE-120: Classic Buffer Overflow].\u201d reads the report published by CISA.<\/p>\n<p>CISA and the NCSC warn that FIRESTARTER can persist on Cisco ASA or Firepower Threat Defense systems even after patching, allowing attackers to regain access without re-exploiting vulnerabilities. U.S. federal agencies must follow CISA Emergency Directive 25-03. 
Organizations are urged to use provided YARA rules to detect the malware in disk images or core dumps and&#8230;<\/p>\n<p><a href=\"https:\/\/securityaffairs.com\/191241\/hacking\/cisa-reports-persistent-firestarter-backdoor-on-cisco-asa-device-in-federal-network.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CISA reports persistent FIRESTARTER backdoor on Cisco ASA device in federal network https:\/\/securityaffairs.com\/191241\/hacking\/cisa-reports-persistent-firestarter-backdoor-on-cisco-asa-device-in-federal-network.html Publish Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":235343,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/securityaffairs.com\/wp-content\/uploads\/2014\/07\/cisco-building.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,32],"class_list":["post-235342","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-malware"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/235342"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=235342"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/235342\/revisions"}],"predecessor-version":[{"id":235344,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/235342\/revisions\/235344"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/235343"}],"wp:attachment":[{"href":"https:\
/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=235342"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=235342"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=235342"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}