The Cybersecurity and Infrastructure Security Agency on Wednesday released a technical analysis of FIRESTARTER, a backdoor used by malicious actors to gain remote access to Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. At the same time, the agency issued new, mandatory steps for Federal Civilian Executive Branch agencies under Emergency Directive 25-03 to identify and mitigate potential compromise of Cisco devices amid ongoing targeting.
Developed with the U.K. National Cyber Security Centre, the report details how the malware operates and how it persists on devices, and provides detection guidance, mitigations, and incident response actions. CISA and NCSC-UK assess that an advanced persistent threat actor leveraged CVE-2025-20333 and CVE-2025-20362 in Cisco ASA firmware for initial access before deploying FIRESTARTER to affected Firepower and Secure Firewall systems.
“FIRESTARTER can persist as an active threat on Cisco ASA devices or FTD software. CISA encourages organizations using these devices or software to review the FIRESTARTER report, assess devices for compromise, implement mitigations, and report any findings to CISA,” said CISA Acting Director Nick Andersen. “Every day, CISA works with federal government and industry partners to assess cyber threats and publish actionable information for organizations to better protect themselves and ensure the integrity of their digital infrastructure.”
CISA said it discovered FIRESTARTER during proactive monitoring of Cisco ASA equipment used by federal civilian agencies and determined that standard firmware patching on already compromised devices did not necessarily remove intruders because the malware enables post-patching persistence.
Updates to Emergency Directive 25-03 call on agencies to identify specified Firepower and Secure Firewall devices, collect forensic data, and apply new vendor-provided updates. CISA plans to track compliance, offer technical support, and deliver additional resources as needed.
The agency urged network defenders responsible for Cisco Firepower and Secure Firewall products running ASA or FTD to review the newly published materials and implement the recommended actions.





