"CISA revealed that a U.S. federal civilian agency’s Cisco Firepower device running ASA software was compromised in September 2025 by the FIRESTARTER backdoor. The malware reportedly persisted even after security patches were applied, showing strong stealth and resilience against detection and remediation efforts.

FIRESTARTER is a backdoor identified by CISA and the UK NCSC, used for remote access and control in a likely APT campaign targeting Cisco ASA devices. It exploits now-patched flaws including 

, which allowed remote code execution with VPN credentials, and 

, which enabled unauthenticated access to restricted endpoints via crafted HTTP requests."

tech

Here we go again...


"CISA revealed that a U.S. federal civilian agency’s Cisco Firepower device running ASA software was compromised in September 2025 by the FIRESTARTER backdoor. The malware reportedly persisted even after security patches were applied, showing strong stealth and resilience against detection and remediation efforts.

FIRESTARTER is a backdoor identified by CISA and the UK NCSC, used for remote access and control in a likely APT campaign targeting Cisco ASA devices. It exploits now-patched flaws including [CVE-2025-20333](https://securityaffairs.com/182593/hacking/u-s-cisa-adds-cisco-secure-firewall-asa-and-secure-ftd-flaws-to-its-known-exploited-vulnerabilities-catalog.html), which allowed remote code execution with VPN credentials, and [CVE-2025-20362](https://securityaffairs.com/182593/hacking/u-s-cisa-adds-cisco-secure-firewall-asa-and-secure-ftd-flaws-to-its-known-exploited-vulnerabilities-catalog.html), which enabled unauthenticated access to restricted endpoints via crafted HTTP requests."