The Cybersecurity and Infrastructure Security Agency (CISA) has published a malware analysis report on FIRESTARTER malware. This malware allows remote access and control by malicious threat actors targeting Cisco Firepower and Secure Firewall products running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. In conjunction with this report, CISA issued new required actions for Federal Civilian Executive Branch (FCEB) agencies in Emergency Directive 25-03: Identify and Mitigate Potential Compromise of Cisco Devices. Threat actors continue to target these devices and products, posing significant risks to all organizations.
This malware analysis report, co-sealed with the United Kingdom National Cyber Security Centre (NCSC-UK), gives organizations the knowledge to help them detect and respond to FIRESTARTER. It provides technical details on threat actor activity and on how FIRESTARTER achieves persistence, as well as recommended detection methods, mitigations, and actions for incident response. In this report, CISA and NCSC-UK assess that an advanced persistent threat (APT) actor exploited CVE-2025-20333 and CVE-2025-20362 in Cisco ASA firmware to gain initial access and deploy FIRESTARTER on Firepower and Secure Firewall devices.
“FIRESTARTER can persist as an active threat on Cisco ASA devices or FTD software. CISA encourages organizations using these devices or software to review the FIRESTARTER report, assess devices for compromise, implement mitigations, and report any findings to CISA,” said CISA Acting Director Nick Andersen. “Every day, CISA works with federal government and industry partners to assess cyber threats and publish actionable information for organizations to better protect themselves and ensure the integrity of their digital infrastructure.”
During proactive monitoring of Cisco ASA devices used by FCEB agencies, CISA detected FIRESTARTER malware that enabled post-patching persistence. CISA analysis determined that firmware patching actions on compromised devices did not necessarily remove an existing threat actor. CISA updates to ED 25-03 include identifying specified Firepower and Secure Firewall devices, collecting forensic data, and applying new vendor-provided updates.
As FCEB agencies implement the new ED 25-03 requirements, CISA will monitor compliance, provide technical assistance, and deliver additional resources as needed.
CISA urges network defenders using Cisco Firepower and Secure Firewall products running ASA or FTD software to review all applicable resources for this release and implement recommended actions.
For more information, please visit Cybersecurity Directives.