CISA reports persistent FIRESTARTER backdoor on Cisco ASA device in federal network

CISA reports persistent FIRESTARTER backdoor on Cisco ASA device in federal network

Pierluigi Paganini
April 25, 2026

CISA said a federal Cisco Firepower ASA device was infected with the FIRESTARTER backdoor in Sept 2025, and it survived security patches.

CISA revealed that a U.S. federal civilian agency’s Cisco Firepower device running ASA software was compromised in September 2025 by the FIRESTARTER backdoor. The malware reportedly persisted even after security patches were applied, showing strong stealth and resilience against detection and remediation efforts.

FIRESTARTER is a backdoor identified by CISA and the UK NCSC, used for remote access and control in a likely APT campaign targeting Cisco ASA devices. It exploits now-patched flaws including CVE-2025-20333, which allowed remote code execution with VPN credentials, and CVE-2025-20362, which enabled unauthenticated access to restricted endpoints via…