
CISA, NCSC warn Firestarter malware enabling persistent backdoor access to exposed Cisco firewall infrastructure


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a malware analysis report on Firestarter after examining a sample recovered during a forensic investigation, warning that advanced persistent threat (APT) hackers are using the malware to maintain access to publicly exposed Cisco Firepower and Secure Firewall devices. Developed as a backdoor, Firestarter enables remote control of systems running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software, according to a joint assessment with the U.K. National Cyber Security Centre.

Alongside the report, CISA issued Emergency Directive 25-03, mandating federal civilian executive branch (FCEB) agencies to identify and mitigate potential compromise of affected Cisco devices. The advisory reflects sustained targeting of these platforms, with officials warning that the exposure extends beyond government networks to any organization operating internet-facing firewall infrastructure.

“FIRESTARTER can persist as an active threat on Cisco ASA devices or FTD software. CISA encourages organizations using these devices or software to review the FIRESTARTER report, assess devices for compromise, implement mitigations, and report any findings to CISA,” Nick Andersen, CISA acting director, said in a media statement last week. “Every day, CISA works with federal government and industry partners to assess cyber threats and publish actionable information for organizations to better protect themselves and ensure the integrity of their digital infrastructure.”

FIRESTARTER is a Linux ELF malware built for Cisco Firepower and Secure Firewall devices, functioning as a command-and-control backdoor for remote access. It maintains persistence by relaunching when terminated and can survive firmware updates and reboots, requiring a full power cycle to remove. The malware embeds a hook into LINA, the device’s core processing engine, allowing attackers to intercept operations and execute arbitrary shell code. This capability enables further payload deployment, including LINE VIPER.

During proactive monitoring of Cisco ASA devices used by FCEB agencies, CISA detected FIRESTARTER malware that enabled post-patching persistence. CISA analysis determined that firmware patching on a compromised device did not necessarily remove an implant the hackers had already installed. CISA's updates to ED 25-03 include identifying specified Firepower and Secure Firewall devices, collecting forensic data, and applying new vendor-provided updates.

As FCEB agencies implement the new ED 25-03 requirements, CISA will monitor compliance, provide technical assistance and deliver additional resources as needed.

“CISA and the United Kingdom National Cyber Security Centre (NCSC) assess advanced persistent threat (APT) actors are using FIRESTARTER malware for persistence, specifically targeting publicly accessible Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software,” according to the malware analysis report. “CISA and the NCSC are releasing this Malware Analysis Report to share analysis of one FIRESTARTER malware sample operating as a backdoor and urge organizations to take key response actions.”

It added that the malware outlined is relevant for Cisco Firepower and Secure Firewall devices; however, CISA has only observed a successful implant of the malware in the wild on a Cisco Firepower device running ASA software.

The report pointed out that through continuous monitoring, CISA identified suspicious connections on one U.S. FCEB agency’s Cisco Firepower device running ASA software. CISA notified and validated the true positive finding with agency personnel and initiated a forensic engagement. During the engagement, CISA discovered one malware sample, named FIRESTARTER, on the Firepower device.

In this incident, APT hackers initially deployed LINE VIPER as a post-exploitation implant and subsequently used FIRESTARTER as a persistence mechanism to maintain continued access to the compromised device. Although Cisco’s patches addressed CVE-2025-20333 and CVE-2025-20362, devices compromised before patching may still be compromised afterwards because Firestarter is not removed by firmware updates.

CISA assesses, but has not confirmed, that APT hackers gained initial access by exploiting CVE-2025-20333 and/or CVE-2025-20362. The exact timing remains unclear, though the intrusion likely began in early September 2025, before patches were applied under Emergency Directive 25-03.

Investigators found that attackers used LINE VIPER to establish unauthorized VPN sessions that bypassed authentication controls, leveraging dormant but valid user accounts. This access exposed the full configuration of the compromised Firepower device, including administrative credentials, certificates, and private keys.

Before remediation, the hackers deployed Firestarter as a persistent backdoor, allowing it to survive patching and maintain command and control on the device. This foothold enabled them to regain access later without re-exploiting the original vulnerabilities, with further activity observed as recently as March 2026.

FCEB agencies are required to collect and submit core dumps to CISA’s Malware Next Generation platform. They must immediately report the submission to CISA’s 24/7 Operations Center, after which the agency will provide next steps. No further action should be taken until CISA issues additional guidance.

Other organizations are advised to use YARA rules to detect FIRESTARTER malware in disk images or core dumps of affected devices. Any findings should be reported to CISA or the NCSC. If a compromise is confirmed, organizations should proceed with appropriate incident response actions.

CISA and the NCSC urge organizations to strengthen baseline defenses in line with Cross-Sector Cybersecurity Performance Goals 2.0, developed with the National Institute of Standards and Technology. The guidance centers on tightening exposure at the network edge and reducing the window for exploitation.

Organizations are advised to maintain up-to-date patching across systems, prioritizing vulnerabilities listed in CISA’s Known Exploited Vulnerabilities catalog, while recognizing that patching alone may not eliminate entrenched persistence mechanisms. A clear inventory of network edge devices, particularly Cisco infrastructure, is critical, alongside continuous monitoring for suspicious connections linked to known threat activity.

The agencies also stress stronger control over privileged access as a frontline defense. This includes auditing administrator and service account activity, enforcing least-privilege access, and rotating credentials regularly to disrupt unauthorized footholds. Beyond immediate mitigation, organizations are encouraged to modernize administrative controls, including encrypting authentication and accounting traffic to limit interception risks. The message is direct, with visibility, access discipline, and consistent hygiene remaining the difference between a contained incident and a persistent compromise.
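The dormant-but-valid accounts abused for VPN sessions in this incident, and the account auditing the agencies recommend above, are both amenable to a simple log check. The script below is an added illustration written for this article, not code from CISA, the NCSC or Cisco: it reads constructed VPN session events in a simplified stand-in format (not real ASA syslog), compares each login against a constructed record of the account's last known legitimate activity, and flags sessions from accounts that had been idle longer than an assumed 90-day threshold. It also lists idle privileged accounts as candidates for disabling or credential rotation. Account names, addresses, timestamps and the threshold are all assumptions.

```python
"""Flag VPN sessions from long-dormant accounts (constructed example).

All account names, events and the dormancy threshold are assumptions
made for illustration; the event format is a simplified stand-in, not
a real firewall log format.
"""
from datetime import datetime
import re

DORMANT_DAYS = 90  # assumption: an account unused this long counts as dormant

# Constructed record of each account's last known legitimate activity.
LAST_ACTIVITY = {
    "svc-backup": datetime(2025, 1, 12),
    "jdoe": datetime(2025, 9, 1),
    "admin-old": datetime(2024, 11, 3),
}

# Constructed VPN session events in a simplified key=value layout.
SAMPLE_EVENTS = """\
2025-09-03T02:14:09Z vpn-session user=svc-backup src=198.51.100.23 result=started
2025-09-03T08:30:11Z vpn-session user=jdoe src=203.0.113.5 result=started
2025-09-04T23:55:42Z vpn-session user=admin-old src=198.51.100.23 result=started
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) vpn-session user=(?P<user>\S+) src=(?P<src>\S+) result=started$"
)


def parse_events(text):
    """Parse session-start lines into (timestamp, user, source) tuples."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["user"], m["src"]))
    return events


def dormant_account_logins(text, last_activity, dormant_days=DORMANT_DAYS):
    """Return (user, iso_timestamp, src, days_idle) for each session whose
    account had been idle longer than dormant_days when the session began.
    Each account's "last seen" time is advanced as sessions are processed,
    so only the first login after a long gap is flagged."""
    flagged = []
    seen = dict(last_activity)  # copy so the caller's record is untouched
    for ts, user, src in sorted(parse_events(text)):
        prior = seen.get(user)
        if prior is not None:
            idle = (ts - prior).days
            if idle > dormant_days:
                flagged.append((user, ts.isoformat(), src, idle))
        seen[user] = ts
    return flagged


def stale_privileged_accounts(last_activity, now_iso, dormant_days=DORMANT_DAYS):
    """Accounts idle beyond the threshold as of now_iso (YYYY-MM-DD):
    candidates for disabling or credential rotation."""
    now = datetime.strptime(now_iso, "%Y-%m-%d")
    return sorted(u for u, t in last_activity.items() if (now - t).days > dormant_days)


if __name__ == "__main__":
    for user, ts, src, idle in dormant_account_logins(SAMPLE_EVENTS, LAST_ACTIVITY):
        print(f"ALERT dormant account login: {user} at {ts} from {src} (idle {idle} days)")
    print("stale accounts:", stale_privileged_accounts(LAST_ACTIVITY, "2025-09-05"))
```

On the constructed data, the `svc-backup` and `admin-old` sessions are flagged (idle 234 and 305 days) while `jdoe`, active two days earlier, is not; the same two accounts appear in the stale list. In practice the last-activity record would come from the device's own AAA or syslog history rather than a hard-coded dictionary.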

Last November, CISA identified ongoing cyber threats targeting Cisco ASA and Firepower devices and issued new guidance to mitigate zero-day vulnerabilities that persist through reboots and upgrades. The implementation guidance builds on the agency’s September Emergency Directive 25-03, which detailed known vulnerabilities and required immediate mitigation measures. Hackers continue to exploit these devices, posing significant risks to organizations across sectors.