FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches


What’s new: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported that a federal agency’s Cisco Firepower device was compromised by the FIRESTARTER backdoor in September 2025. The backdoor gives an attacker remote access to and control of the device, and it persisted even after the security patches for CVE-2025-20333 and CVE-2025-20362 had been applied. FIRESTARTER survives firmware updates and device reboots by manipulating the device’s boot sequence.

Who’s affected

Organizations using Cisco Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software, particularly those that may have been compromised prior to patching, are at risk. The malware is linked to advanced persistent threat (APT) actors, potentially associated with state-sponsored groups.

What to do

  • Reimage and upgrade affected Cisco devices; this is the only way to fully remove FIRESTARTER.
  • As a temporary mitigation, perform a cold restart by physically disconnecting power from the device.
  • Treat every configuration element of a compromised device as untrusted until reimaging is complete.