CISA Warning: Firestarter Malware Persists in Cisco Devices

The Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) have confirmed that threat actors are using FIRESTARTER malware to maintain persistence on Cisco network devices, retaining access even after patching and reboots.

FIRESTARTER malware targets Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software that were compromised before September 2025.

FIRESTARTER malware establishes a persistent backdoor by hooking into the device's core engine, allowing it to survive firmware updates, software upgrades, and regular reboots. It maintains persistence by detecting shutdown signals and automatically re-installing itself, so typical remediation methods fail.

The threat actor is believed to be a state-sponsored group known as UAT-4356. The attackers exploited CVE-2025-20333 (remote code execution) and CVE-2025-20362 (authentication bypass) to install the malware. Because FIRESTARTER survives standard patches, CISA warns that patching alone is insufficient if the device was compromised before the patch was installed. It recommends several measures, including physically unplugging the device from all power sources (including redundant power supplies) for at least one minute. In addition, CISA and Cisco recommend completely wiping and reimaging affected Cisco devices to ensure the malware is fully removed.
