FIRESTARTER Backdoor and Updated Emergency Directive for Cisco Firepower and Secure Firewall Devices

The Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom National Cyber Security Centre (NCSC-UK) released a Malware Analysis Report (MAR) on FIRESTARTER, a persistent backdoor malware specifically targeting publicly accessible Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense software. This release coincides with the updated Emergency Directive (ED) 25-03: Identify and Mitigate Potential Compromise of Cisco Devices, which outlines required actions for US Federal Civilian Executive Branch agencies. All other US organizations are urged to review the MAR, take necessary actions, and report any findings to CISA.
FIRESTARTER enables remote access and control by advanced persistent threat (APT) actors and can survive firmware patching and device reboots. Initial access to Cisco ASA firmware was gained by exploiting CVE-2025-20333 [CWE-120: Classic Buffer Overflow] and/or CVE-2025-20362 [CWE-862: Missing Authorization]. Because the backdoor persists through patching, APT actors can regain access to a compromised device without re-exploiting either vulnerability; applying the fixed software release alone does not evict an implant that is already present, so patched devices must still be hunted.
Refer to the below resources for additional details:
Malware Analysis Report: FIRESTARTER Backdoor
Emergency Directive (ED) 25-03 V1 Update: Identify and Mitigate Potential Compromise of Cisco Devices
Supplemental Direction ED 25-03: Core Dump and Hunt Instructions
Cisco Talos Blog: FIRESTARTER
Cisco Security Advisory