FIRESTARTER targets Cisco firewalls

- CISA on April 23 published a malware report on FIRESTARTER and updated Emergency Directive 25-03 after finding persistent compromise on Cisco firewalls.
- Cisco said the ArcaneDoor actor’s new persistence lives in the FXOS base system and can survive upgrades to fixed releases issued in September 2025.
- The warning widens concern from patching flaws to evicting intruders already inside affected Cisco perimeter devices. (cisa.gov)

A firewall is the gatekeeper at the edge of a network, checking traffic before it reaches internal systems. CISA says attackers planted FIRESTARTER inside that gatekeeper on some Cisco devices. (cisa.gov 1) (cisa.gov 2)

On April 23, 2026, CISA published a malware analysis report on FIRESTARTER and updated Emergency Directive 25-03 for federal agencies using affected Cisco firewalls. The agency said it found the malware during proactive monitoring of Cisco ASA devices used by Federal Civilian Executive Branch agencies. (cisa.gov 1) (cisa.gov 2)

The affected products are Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance, or ASA, and Firepower Threat Defense, or FTD, software. Cisco’s April 23 advisory lists Firepower 1000, 2100, 4100 and 9300 series, plus Secure Firewall 1200, 3100 and 4200 series, as affected by this persistence issue. (cisco.com)

The key change is that patching alone may not evict the intruder. CISA said agencies that already applied Cisco’s required security updates can still have threat actors retaining persistence and continued unauthorized access. (cisa.gov)

Cisco said the persistence mechanism sits in Firepower eXtensible Operating System, or FXOS, the base operating system underneath those firewall products. That means the attacker’s foothold can be preserved across upgrades to the fixed releases Cisco published in September 2025. (cisco.com)

CISA and the United Kingdom’s National Cyber Security Centre said FIRESTARTER is being used by advanced persistent threat actors as a backdoor for remote access and control. CISA said it has only observed a successful implant in the wild on a Cisco Firepower device running ASA software, even though the report is relevant to both Firepower and Secure Firewall devices. (cisa.gov)

Cisco Talos linked the activity to UAT-4356, the actor Cisco previously tied to the ArcaneDoor espionage campaign disclosed in April 2024. Talos said the actor exploited CVE-2025-20333 and CVE-2025-20362 to gain unauthorized access to vulnerable devices before deploying FIRESTARTER. (blog.talosintelligence.com 1) (blog.talosintelligence.com 2)

Cisco said the actor has broadened targeting beyond the ASA 5500-X devices highlighted earlier and is now going after any device running ASA or FTD software on the affected platforms. The company also said ASA 5500-X, Secure Firewall 200, Secure Firewall 6100, virtual ASA, ISA3000 and virtual FTD are not affected by this specific persistence issue. (cisco.com) (cisco.com)

For federal agencies, CISA’s updated directive adds new required actions, including identifying specified devices, collecting forensic data and applying new vendor updates. For everyone else, CISA and NCSC said organizations should run the published YARA detection rules against a disk image or core dump and start incident response if compromise is confirmed. (cisa.gov) (cisa.gov)

The story now is less about whether a firewall was patched in September 2025 and more about whether an attacker was already inside before that patch landed. That is why CISA rewrote its federal guidance on April 23, 2026, around detection, forensic collection and eviction, not just software updates. (cisa.gov)
