CISA Releases Malware Analysis Report: FIRESTARTER Backdoor and Updated Emergency Directive for Cisco Firepower and Secure Firewall Devices
Cybersecurity and Infrastructure Security Agency sent this bulletin at 04/23/2026 11:51 AM EDT
Today, CISA and the United Kingdom National Cyber Security Centre (NCSC-UK) released a Malware Analysis Report (MAR) on FIRESTARTER, a persistent backdoor malware specifically targeting publicly accessible Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense software. This release coincides with the updated Emergency Directive (ED) 25-03: Identify and Mitigate Potential Compromise of Cisco Devices, which outlines required actions for U.S. Federal Civilian Executive Branch agencies. All other U.S. organizations are urged to review the MAR, take necessary actions, and report any findings to CISA.
FIRESTARTER enables remote access and control by advanced persistent threat (APT) actors and can survive firmware patching and device reboots. Initial access to Cisco ASA firmware was gained by exploiting CVE-2025-20333 [CWE-862: Missing Authorization] and/or CVE-2025-20362 [CWE-120: Classic Buffer Overflow]. Because the malware persists after patching, APT actors can regain access to compromised devices without re-exploiting the vulnerabilities.
Refer to the below resources for additional details:
- Malware Analysis Report: FIRESTARTER Backdoor
- Emergency Directive (ED) 25-03 V1 Update: Identify and Mitigate Potential Compromise of Cisco Devices
- Supplemental Direction ED 25-03: Core Dump and Hunt Instructions
- Cisco Talos Blog: FIRESTARTER
- Cisco Security Advisory