FIRESTARTER malware on Cisco ASA and FTD devices
Malware Activity
Summary
Hide ▲
Show ▼
CISA has published analysis of FIRESTARTER, a malware strain that enables remote access and control on Cisco Firepower and Secure Firewall devices, raising the risk of persistent compromise. The assessment says an APT actor used CVE-2025-20333 and CVE-2025-20362 in Cisco ASA firmware to gain initial access and deploy the malware. FIRESTARTER can survive post-patching persistence, so remediation may not remove an existing intruder. CISA also issued new required actions in Emergency Directive 25-03 for FCEB agencies and urged defenders to check for compromise and apply vendor updates.
Related Happenings
Cisco Catalyst SD-WAN authentication bypass flaw actively exploited (CVE-2026-20182)
Vulnerability
First: 14.05.2026 23:09
Last: 14.05.2026 23:09
Sources 1
About this happening:
**CVE-2026-20182** is an actively exploited **authentication bypass** in **Cisco Catalyst SD-WAN Controller** and **Cisco Catalyst SD-WAN Manager**, creating a path to **administr...
Cisco Catalyst SD-WAN authentication bypass flaw actively exploited (CVE-2026-20182)
VulnerabilityAbout this happening: **CVE-2026-20182** is an actively exploited **authentication bypass** in **Cisco Catalyst SD-WAN Controller** and **Cisco Catalyst SD-WAN Manager**, creating a path to **administr...
Latest development: 14.05.2026 23:25
Cisco released a patch for CVE-2026-20182, giving organizations using Cisco Catalyst SD-WAN Controllers a way to block the authentication bypass before UAT-8616 can continue using it for administrative access, SSH key insertion, NETCONF changes, and root escalation.
CISA KEV listing and FCEB firewall directive for CVE-2026-0300
Public Sector Action
First: 07.05.2026 13:57
Last: 07.05.2026 13:57
Sources 1
About this happening:
**CISA** added **CVE-2026-0300** to the **KEV Catalog** and ordered **FCEB agencies** to secure vulnerable firewalls by **May 9, 2026**. The federal directive makes the exploited...
CISA KEV listing and FCEB firewall directive for CVE-2026-0300
Public Sector ActionAbout this happening: **CISA** added **CVE-2026-0300** to the **KEV Catalog** and ordered **FCEB agencies** to secure vulnerable firewalls by **May 9, 2026**. The federal directive makes the exploited...
Cisco security patch release for CVE-2026-20188
Security Patch Release
First: 06.05.2026 21:06
Last: 06.05.2026 21:06
Sources 1
About this happening:
**Cisco** released security updates for **CVE-2026-20188**, a high-severity **DoS vulnerability** in **Crosswork Network Controller (CNC)** and **Network Services Orchestrator (NS...
Cisco security patch release for CVE-2026-20188
Security Patch ReleaseAbout this happening: **Cisco** released security updates for **CVE-2026-20188**, a high-severity **DoS vulnerability** in **Crosswork Network Controller (CNC)** and **Network Services Orchestrator (NS...
Federal civilian executive branch agency hit by network compromise
Incident
First: 24.04.2026 23:34
Last: 24.04.2026 23:34
Sources 1
How related:
“CISA has not confirmed the exact date of initial exploitation but assesses the compromise occurred in early September 2025, and before the agency implemented patches in accordance with ED 25-03,” the agency notes in an alert.
About this happening:
A **federal civilian executive branch agency** was compromised in an **early September 2025** intrusion that left attackers with persistent access on **Cisco Firepower** and **Sec...
Federal civilian executive branch agency hit by network compromise
IncidentHow related: “CISA has not confirmed the exact date of initial exploitation but assesses the compromise occurred in early September 2025, and before the agency implemented patches in accordance with ED 25-03,” the agency notes in an alert.
About this happening: A **federal civilian executive branch agency** was compromised in an **early September 2025** intrusion that left attackers with persistent access on **Cisco Firepower** and **Sec...
Cisco ASA/FTD code execution and authentication bypass flaws (multiple vulnerabilities)
Vulnerability
First: 24.04.2026 20:06
Last: 24.04.2026 20:06
Sources 1
How related:
"Although Cisco's patches addressed CVE-2025-20333 and CVE-2025-20362, devices compromised prior to patching may remain vulnerable because FIRESTARTER is not removed by firmware updates."
About this happening:
**Cisco ASA/FTD** vulnerabilities **CVE-2025-20333** and **CVE-2025-20362** are still under **active exploitation** and can be chained for **unauthenticated remote control** of af...
Cisco ASA/FTD code execution and authentication bypass flaws (multiple vulnerabilities)
VulnerabilityHow related: "Although Cisco's patches addressed CVE-2025-20333 and CVE-2025-20362, devices compromised prior to patching may remain vulnerable because FIRESTARTER is not removed by firmware updates."
About this happening: **Cisco ASA/FTD** vulnerabilities **CVE-2025-20333** and **CVE-2025-20362** are still under **active exploitation** and can be chained for **unauthenticated remote control** of af...
Timeline
-
24.04.2026 23:34 1 articles · 1mo ago
CISA, NCSC-UK, and Cisco detail Firestarter persistence on Cisco Firepower and Secure Firewall devices
Technical Analysis UpdateCISA, NCSC-UK, and Cisco detailed Firestarter persistence on Cisco Firepower and Secure Firewall devices running ASA or FTD software, attributing the backdoor to UAT-4356 and linking the activity to ArcaneDoor. The malware modifies CSP_MOUNT_LIST, stores a copy in /opt/cisco/platform/logs/var/log/svc_samcore.log, restores itself to /usr/bin/lina_cs, and relaunches after termination or reboot; Cisco recommends reimaging and upgrading to fixed releases, or using a cold restart only if reimaging is not possible.
Show sources
- Firestarter malware survives Cisco firewall updates, security patches — www.bleepingcomputer.com — 24.04.2026 23:34
-
23.04.2026 15:00 1 articles · 1mo ago
CISA and NCSC-UK disclose FIRESTARTER on Cisco ASA and FTD devices
Initial DisclosureCISA and the United Kingdom National Cyber Security Centre published a malware analysis report on FIRESTARTER, a backdoor targeting Cisco Firepower and Secure Firewall products running ASA or FTD software; they assessed that an APT actor exploited CVE-2025-20333 and CVE-2025-20362 in Cisco ASA firmware to gain initial access and deploy FIRESTARTER, and CISA issued Emergency Directive 25-03 requiring FCEB agencies to identify affected devices, collect forensic data, and apply vendor-provided updates.
Show sources
- CISA Warns of FIRESTARTER Malware Targeting Cisco ASA including Firepower and Secure Firewall Products — www.cisa.gov — 23.04.2026 15:00