FIRESTARTER Backdoor Persists on Cisco Firepower Devices After Patching — Federal Agency Confirmed Victim

A Backdoor That Outlives the Patch

A joint advisory from CISA and the UK’s NCSC published on April 25 describes FIRESTARTER, an implant targeting Cisco Firepower Threat Defence (FTD) and Adaptive Security Appliance (ASA) devices that is specifically engineered to survive firmware updates, full reimaging, and the vendor-provided remediation tools organisations apply after detecting a compromise. At least one confirmed victim is a US federal agency.

FIRESTARTER exploits two vulnerabilities — CVE-2025-20333 and CVE-2025-20362 — in the Cisco FTD and ASA platforms to achieve initial execution. Once present, the implant writes itself into a recovery partition that Cisco’s standard update mechanisms do not overwrite, allowing it to reinstate itself each time the device boots. Attackers retain persistent authenticated access to the network edge while defenders believe they have remediated the intrusion.

What FIRESTARTER Does

Once installed, FIRESTARTER provides threat actors with several capabilities:

• Encrypted command-and-control over HTTPS on port 443, blending with normal firewall management traffic
• Traffic interception at the packet level, enabling credential harvesting from unencrypted interior protocols
• Lateral movement staging — the compromised device can be used as a relay to pivot to segmented network zones
• Persistence through recovery — the implant modifies Cisco’s ROMMON bootloader environment, allowing re-establishment even after full factory reset

The advisory attributes the activity as consistent with a China-nexus threat actor, though CISA and NCSC have not publicly named a specific group. Confirmed victims span government, critical infrastructure, and defence-adjacent sectors.

Why Standard Remediation Fails

The persistence mechanism is the operationally critical element. Most incident response playbooks treat “wipe and reinstall firmware” as the definitive remediation step for a compromised network device. FIRESTARTER was explicitly designed to break this assumption. Organisations that applied Cisco’s patches for CVE-2025-20333 and CVE-2025-20362 but did not follow the integrity verification steps outlined in the advisory may still have compromised devices in their environment.

CVE-2025-20333 is a command injection flaw in the FTD management interface (CVSS 9.1); CVE-2025-20362 is an authentication bypass affecting the ASA web management interface (CVSS 9.4). Both vulnerabilities have had patches available since Q4 2025. The attack chain shows exploitation predated patching at multiple victims, and the subsequent implant survived the patch cycle — precisely as it was designed to do.

Recommended Actions

• Consult the joint advisory immediately and run Cisco’s published integrity verification scripts against all FTD and ASA appliances — do not rely on firmware version checks alone
• Isolate suspect devices from management networks until integrity checks complete; treat any device that handled external traffic during the vulnerability window as potentially compromised
• Apply patches for CVE-2025-20333 and CVE-2025-20362 on all FTD/ASA appliances if not already done; check Cisco’s PSIRT portal for the latest ROMMON and firmware versions
• Review firewall management traffic logs for anomalous HTTPS sessions to external IP addresses, particularly during off-hours
• Engage Cisco TAC for any devices where the advisory’s integrity verification scripts report anomalies — do not attempt self-remediation without vendor guidance
• Assess regulatory notification obligations if compromise is confirmed: NIS2 operators must issue early-warning notification within 24 hours of discovery

The advisory is the clearest signal yet that perimeter devices are being treated by sophisticated adversaries not merely as entry points but as persistent footholds. Any posture that assumes a patched firewall is a clean firewall needs revisiting.