Cisco firewalls hit by FIRESTARTER

A firewall is the gatekeeper that decides what traffic enters a network. CISA said attackers planted FIRESTARTER on certain Cisco firewalls and kept access even after software updates. (cisa.gov 1) (cisa.gov 2) Cisco’s affected products run either Adaptive Security Appliance, known as ASA, or Firepower Threat Defense, known as FTD. CISA and the United Kingdom’s National Cyber Security Centre said the malware acts as a backdoor, a hidden remote-control channel on publicly accessible devices. (cisa.gov) The April 23 CISA report tied the intrusions to two previously exploited flaws, CVE-2025-20333 and CVE-2025-20362, in Cisco ASA firmware. CISA said attackers used those bugs for initial access before deploying FIRESTARTER. (cisa.gov) The new detail is where the malware hides. Cisco said the persistence mechanism resides in Cisco Firepower eXtensible Operating System, or FXOS, the base software layer under ASA and FTD on affected hardware. (cisco.com) That matters because replacing or upgrading the firewall software alone may not evict the intruder. CISA said agencies that already applied Cisco’s September 2025 fixes could still have compromised devices. (cisa.gov) (cisco.com) CISA updated Emergency Directive 25-03 on April 23 and ordered federal civilian agencies to identify affected devices, collect forensic data and submit core dumps for analysis. The directive applies to any agency running the affected Cisco products. (cisa.gov) CISA’s malware report said it has only observed a successful implant in the wild on a Cisco Firepower device running ASA software. The agency said the guidance is still relevant to both Cisco Firepower and Secure Firewall devices. (cisa.gov) Cisco listed the affected hardware as Firepower 1000, 2100, 4100 and 9300 Series, plus Secure Firewall 1200, 3100 and 4200 Series. Cisco said ASA 5500-X, Secure Firewall 200 and 6100, virtual firewalls and the ISA3000 are not affected by this persistence issue. (cisco.com) A separate April 23 fix from Tenable showed the same problem in a different place: security software with high privileges can become its own attack path. Tenable said Nessus Agent 11.1.3 for Windows fixed a junction issue that could delete arbitrary files with SYSTEM privileges and potentially enable code execution. (tenable.com 1) (tenable.com 2) The Cisco case is now about hunting for hidden persistence, not just installing patches. CISA told organizations using these firewalls to review the FIRESTARTER report, use its detection rules and report confirmed findings. (cisa.gov 1) (cisa.gov 2)