Find notable cyber news and cases, enriched with sources, timelines, and signals.

FIRESTARTER malware on Cisco ASA and FTD devices

Malware Activity
First reported
Last updated
Happening score
H score 33
2 unique sources, 2 articles

Summary

Hide ▲

CISA has published analysis of FIRESTARTER, a malware strain that enables remote access and control on Cisco Firepower and Secure Firewall devices, raising the risk of persistent compromise. The assessment says an APT actor used CVE-2025-20333 and CVE-2025-20362 in Cisco ASA firmware to gain initial access and deploy the malware. FIRESTARTER can survive post-patching persistence, so remediation may not remove an existing intruder. CISA also issued new required actions in Emergency Directive 25-03 for FCEB agencies and urged defenders to check for compromise and apply vendor updates.

Related Happenings

CISA sets June 28 patch deadline for Cisco Unified Communications Manager Server

Public Sector Action
H score35 First: 26.06.2026 22:43 Last: 26.06.2026 22:43 Sources 1

About this happening: CISA ordered **federal agencies** to patch **CVE-2026-20230** in **Cisco Unified Communications Manager Server** by **June 28**, tightening exposure around an **actively exploited...

CISA BOD 26-04 three-day remediation directive

Public Sector Action
H score36 First: 24.06.2026 17:35 Last: 24.06.2026 17:35 Sources 1

About this happening: CISA's **BOD 26-04** requires **federal agencies** to apply available security updates or vendor-recommended mitigations within **three days**, accelerating remediation for **acti...

Cisco Catalyst SD-WAN authentication bypass flaw actively exploited (CVE-2026-20182)

Vulnerability
H score60 First: 14.05.2026 23:09 Last: 14.05.2026 23:09 Sources 1

About this happening: **CVE-2026-20182** is an actively exploited **authentication bypass** in **Cisco Catalyst SD-WAN Controller** and **Cisco Catalyst SD-WAN Manager**, creating a path to **administr...

Latest development: 14.05.2026 23:25

Cisco released a patch for CVE-2026-20182, giving organizations using Cisco Catalyst SD-WAN Controllers a way to block the authentication bypass before UAT-8616 can continue using it for administrative access, SSH key insertion, NETCONF changes, and root escalation.

CISA KEV listing and FCEB firewall directive for CVE-2026-0300

Public Sector Action
H score64 First: 07.05.2026 13:57 Last: 07.05.2026 13:57 Sources 1

About this happening: **CISA** added **CVE-2026-0300** to the **KEV Catalog** and ordered **FCEB agencies** to secure vulnerable firewalls by **May 9, 2026**. The federal directive makes the exploited...

Cisco security patch release for CVE-2026-20188

Security Patch Release
H score35 First: 06.05.2026 21:06 Last: 06.05.2026 21:06 Sources 1

About this happening: **Cisco** released security updates for **CVE-2026-20188**, a high-severity **DoS vulnerability** in **Crosswork Network Controller (CNC)** and **Network Services Orchestrator (NS...

Timeline

  1. 24.04.2026 23:34 1 articles · 2mo ago

    CISA, NCSC-UK, and Cisco detail Firestarter persistence on Cisco Firepower and Secure Firewall devices

    Technical Analysis Update

    CISA, NCSC-UK, and Cisco detailed Firestarter persistence on Cisco Firepower and Secure Firewall devices running ASA or FTD software, attributing the backdoor to UAT-4356 and linking the activity to ArcaneDoor. The malware modifies CSP_MOUNT_LIST, stores a copy in /opt/cisco/platform/logs/var/log/svc_samcore.log, restores itself to /usr/bin/lina_cs, and relaunches after termination or reboot; Cisco recommends reimaging and upgrading to fixed releases, or using a cold restart only if reimaging is not possible.

    Show sources
  2. 23.04.2026 15:00 1 articles · 2mo ago

    CISA and NCSC-UK disclose FIRESTARTER on Cisco ASA and FTD devices

    Initial Disclosure

    CISA and the United Kingdom National Cyber Security Centre published a malware analysis report on FIRESTARTER, a backdoor targeting Cisco Firepower and Secure Firewall products running ASA or FTD software; they assessed that an APT actor exploited CVE-2025-20333 and CVE-2025-20362 in Cisco ASA firmware to gain initial access and deploy FIRESTARTER, and CISA issued Emergency Directive 25-03 requiring FCEB agencies to identify affected devices, collect forensic data, and apply vendor-provided updates.

    Show sources