← CIO Briefings · Critical Impact ACTION REQUIRED

FIRESTARTER Backdoor Confirmed on US Federal Cisco Firewalls — Patching Alone Does Not Remove the Implant

A joint CISA and NCSC advisory confirms that sophisticated attackers have implanted a backdoor on Cisco Firepower and ASA firewalls that survives firmware updates and reimaging. At least one US federal agency is a confirmed victim. Organisations must run vendor-provided integrity checks — not just apply patches — to confirm their devices are clean.

4 min read
#NIS2#DORA

What Happened

A joint advisory from CISA (the US Cybersecurity and Infrastructure Security Agency) and the UK’s NCSC (National Cyber Security Centre) has disclosed FIRESTARTER, a sophisticated backdoor implanted on Cisco network security appliances — specifically the Firepower Threat Defence (FTD) and Adaptive Security Appliance (ASA) product lines. The implant exploits two security vulnerabilities (CVE-2025-20333 and CVE-2025-20362) to gain initial access, then installs itself in a device recovery partition that Cisco’s standard update and reimaging processes do not overwrite. At least one US federal government agency is a confirmed victim.

The critical concern for leadership is this: organisations that applied Cisco’s patches and believed they had closed the intrusion may still have compromised devices running in their environment. Standard remediation — updating firmware and rebooting the device — does not remove FIRESTARTER. A separate, manual integrity verification process specified in the advisory is required to confirm that devices are clean.

Business Impact

Cisco FTD and ASA appliances are network perimeter security devices — firewalls and intrusion prevention systems — that sit at the boundary between an organisation’s internal network and the outside world. A persistent backdoor on these devices gives an attacker continuous visibility into all network traffic passing through them, the ability to harvest credentials from internal communications, and a stable foothold for reaching internal systems on protected network segments.

CISA and NCSC attribute the campaign to a China-nexus threat actor operating in a strategic intelligence collection mode. Dwell time in confirmed victim environments may be measured in months. Organisations in government contracting, defence supply chains, financial services, energy, and critical infrastructure should treat themselves as potentially affected regardless of whether they have received a specific notification.

Regulatory Implications

NIS2-obligated operators: A confirmed FIRESTARTER compromise on perimeter devices constitutes a significant incident requiring early warning notification to the competent national authority within 24 hours of discovery, and a full incident report within 72 hours. The systemic scope of the CISA/NCSC joint advisory — covering confirmed federal agency compromise — meets the threshold for triggering reporting obligations even before internal forensic investigation is complete.

DORA-regulated entities: Assess whether a backdoored network perimeter device constitutes a major ICT-related incident under DORA Article 3(8), given that it represents continuous unauthorised access to information systems. The ICT incident register and incident classification requirements may mandate notification to financial supervisory authorities. Engage your legal and compliance teams before self-reporting timelines expire.

Board-Ready Summary

  • Attackers have installed a backdoor on widely deployed Cisco network firewalls that survives standard patching and device reimaging — organisations that patched may still be compromised.
  • Any organisation using Cisco FTD or ASA appliances that has not completed the CISA-recommended integrity verification may currently have active attacker access to its network perimeter.
  • The board must authorise emergency verification of all Cisco network security devices, accept potential operational disruption from device isolation during the process, and approve regulatory notification procedures if compromise is confirmed.
  1. Immediate (0–24 hours): Compile a complete inventory of all Cisco FTD and ASA appliances — include devices managed by third-party providers that secure your network perimeter. Download and run Cisco’s published integrity verification scripts against each appliance without delay.
  2. Immediate (0–24 hours): Isolate any device where integrity checks fail or cannot be completed. Do not reconnect to production networks until Cisco TAC has confirmed the device is clean and provided remediation guidance.
  3. Short-term (this week): Apply patches for CVE-2025-20333 and CVE-2025-20362 on any unpatched appliances. Patch application is insufficient alone but is still required as part of remediation.
  4. Short-term (this week): Preserve firewall management logs and network traffic logs before any device is reimaged. Review logs for anomalous HTTPS sessions, unexpected configuration changes, and off-hours administrative access.
  5. Short-term (this week): Engage legal and compliance teams to assess NIS2 and DORA notification obligations. If any device fails integrity checks, the regulatory clock is running.
  6. Ongoing: Implement periodic network device integrity monitoring using Cisco’s Secure Device Assurance tooling; treat perimeter devices as requiring the same integrity verification cadence applied to critical servers.