FIRESTARTER persists on Cisco firewalls
- CISA and the U.K.’s National Cyber Security Centre said April 23 that FIRESTARTER malware can stay on Cisco firewalls after patching and rebooting.
- Investigators said attackers exploited CVE-2025-20333 and CVE-2025-20362, then hid FIRESTARTER in the boot process so it could survive normal software upgrades.
- The warning expands a September 2025 Cisco emergency into a persistence hunt across federal networks. (cisa.gov)
A firewall is the gatekeeper at the edge of a network, checking traffic before it gets in. U.S. and U.K. cyber agencies said April 23 that a backdoor called FIRESTARTER can stay hidden on some Cisco firewalls even after admins apply patches and reboot the box. (cisa.gov) (blog.talosintelligence.com)

The affected products run Cisco Adaptive Security Appliance, or ASA, and Firepower Threat Defense, or FTD, software on Cisco Firepower and Secure Firewall devices. CISA said the malware was found during proactive monitoring of a Federal Civilian Executive Branch agency’s Cisco Firepower device. (cisa.gov) (cyberscoop.com)

CISA and the United Kingdom’s National Cyber Security Centre said the intruders exploited two Cisco flaws, CVE-2025-20333 and CVE-2025-20362, to gain access and deploy FIRESTARTER. Cisco’s Talos unit attributed the activity to a threat actor it tracks as UAT-4356. (cisa.gov) (blog.talosintelligence.com)

The technical problem is persistence: malware that survives the usual cleanup steps. Talos said FIRESTARTER alters a boot-time mount list called CSP_MOUNT_LIST, then copies itself back into place during a graceful reboot. (blog.talosintelligence.com) (sec.cloudapps.cisco.com) That means patching blocks fresh exploitation but may not remove an implant that was already there. Cisco said the newly identified persistence mechanism can be preserved even after upgrading to fixed releases published in September 2025. (sec.cloudapps.cisco.com) (cisa.gov)

Talos said a hard reboot, including physically removing power, clears this transient persistence mechanism because the implant relies on the graceful reboot sequence. CISA’s updated Emergency Directive 25-03 now requires federal civilian agencies to identify affected devices, collect forensic data and apply Cisco’s new guidance. (blog.talosintelligence.com) (cisa.gov)

Cisco linked UAT-4356 to ArcaneDoor, a 2024 espionage campaign that also targeted network perimeter devices, the routers and firewalls that sit between an organization and the internet. The new warning says that same playbook is still working against exposed edge equipment months after the original September 25, 2025 directive. (blog.talosintelligence.com) (cisa.gov)

Cisco’s April 23 advisory said the persistence issue affects specific hardware families, including Firepower 1000, 2100, 4100 and 9300 Series and Secure Firewall 1200, 3100 and 4200 Series. It said ASA 5500-X, Secure Firewall 200 and 6100, and virtualized ASA and FTD products are not affected by this persistence mechanism. (sec.cloudapps.cisco.com)

The immediate job for defenders is no longer just “patch and move on.” CISA said organizations should assess devices for compromise, use the new detection guidance and treat a normal software update as insufficient proof that a Cisco firewall is clean. (cisa.gov)