
CISA Warning: Firestarter Malware Persists in Cisco Devices


By Linn F. Freedman
Publication Date: 2026-05-07 18:20:00

The Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) have confirmed that threat actors are using FIRESTARTER malware to maintain persistence on Cisco network devices, retaining access even after patching and reboots.

FIRESTARTER malware targets Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software that were compromised prior to September 2025.

FIRESTARTER malware enables a persistent backdoor by hooking into the device’s core engine, allowing it to survive firmware updates, software upgrades, and regular reboots. It maintains persistence by detecting shutdown signals and automatically re-installing itself, so typical remediation methods fail. 

The attackers are believed to be a state-sponsored threat actor known as UAT-4356. They exploited CVE-2025-20333 (RCE) and CVE-2025-20362 (Auth Bypass)…
