Firestarter backdoor found targeting Cisco Firepower and Secure Firewall devices despite upgrades.
The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) circulated a High Alert: Act Quickly directive regarding a backdoor malware targeting Cisco Firepower and Secure Firewall products running Adaptive Security Appliance (ASA) or Firepower Threat Defense software.
The ACSC’s warning came on the heels of a similar alert shared by the United States Cybersecurity and Infrastructure Security Agency (CISA) in cooperation with the United Kingdom’s National Cyber Security Centre (NCSC).
“ASD’s ACSC is aware of new information on a previously unknown persistence mechanism that is preserved across even when upgrading on Cisco Firepower and Secure Firewall products running ASA or FTD software,” the ACSC said in a 24 April alert.
“This malware can persist as an active threat on Cisco devices,” the ACSC warned, “maintaining post-patching persistence and enabling threat actors to re-access compromised devices without re-exploiting vulnerabilities”.
The following devices are impacted:
- Firepower 1000 Series
- Firepower 2100 Series
- Firepower 4100 Series
- Firepower 9300 Series
- Secure Firewall 1200 Series
- Secure Firewall 3100 Series
- Secure Firewall 4200 Series
The agencies’ warnings come a day after Cisco’s own cyber security arm, Talos, revealed details of the malicious campaign.
The current campaign exploits a pair of n-day vulnerabilities, CVE-2025-20333 and CVE-2025-20362, to gain access to vulnerable devices. Once in, the threat actor, which Talos currently tracks as UAT-4356, deploys a custom backdoor that Talos has named, perhaps unsurprisingly, Firestarter.
The backdoor provides remote access and allows the execution of arbitrary code.
According to Talos, UAT-4356 was also responsible for a state-sponsored 2024 campaign that also targeted Cisco devices, which the company dubbed ArcaneDoor at the time.
“ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors,” Talos said.
“Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns.”
You can read Cisco’s full security advisory here.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
