
Persistent Firestarter Malware Targets Cisco Firepower Devices in US Agencies

Severity: High (Score: 79.0)

Sources: Technology Decisions, sec.cloudapps.cisco.com, attack.mitre.org, The Register, censys.com

Summary

A sophisticated backdoor named Firestarter has been discovered on Cisco Firepower devices and attributed to the state-sponsored threat actor UAT-4356. The actor gained access by exploiting two vulnerabilities, CVE-2025-20333 and CVE-2025-20362, which Cisco patched in September 2025. Patching closes the entry point but does not remove a backdoor that was installed before the patch was applied, so devices compromised earlier remain compromised after the update. Firestarter maintains persistent access across firmware updates and standard reboots by manipulating the Cisco Service Platform mount list, and it allows attackers to execute arbitrary code on the device. The Cybersecurity and Infrastructure Security Agency (CISA) confirmed the presence of Firestarter on a U.S. federal agency's device, prompting an emergency directive requiring all federal civilian agencies to audit their Cisco firewall infrastructure. The activity has been linked to a broader campaign against government and critical infrastructure networks. Organizations are advised to conduct thorough security checks of affected devices and to use the published YARA rules for detection. The incident highlights the ongoing risk posed by unpatched vulnerabilities, the fact that a patch alone does not remediate an existing compromise, and the need for robust cybersecurity measures.

Key Points

  • Firestarter is installed by exploiting CVE-2025-20333 and CVE-2025-20362 and then maintains persistent access to the compromised device.
  • CISA has mandated that federal agencies audit their Cisco Firepower devices following the discovery.
  • The malware survives firmware updates and reboots; according to the reporting, complete removal requires physically disconnecting the device.

Key Entities

  • AppleJeus (malware)
  • AppleSeed (malware)
  • 4H RAT (malware)
  • AcidPour (malware)
  • Action RAT (malware)
  • APT18 (apt_group)
  • APT19 (apt_group)
  • APT3 (apt_group)
  • APT32 (apt_group)
  • APT37 (apt_group)
  • Data Breach (attack_type)
  • Malware (attack_type)
  • Ransomware (attack_type)
  • Continued Attacks Against Cisco Firewalls (campaign)
  • Contagious Interview (campaign)
  • Cisco (company)
  • Cybersecurity and Infrastructure Security Agency (company)
  • National Cyber Security Centre (company)
  • Talos (company)
  • Microsoft Azure (company)
  • China (country)
  • Iran (country)
  • North Korea (country)
  • Russia (country)
  • CVE-2025-20333 (cve)
  • CVE-2025-20362 (cve)
  • CWE-120 - Classic Buffer Overflow (cwe)
  • CWE-122 - Heap-based Buffer Overflow (cwe)
  • CWE-269 - Improper Privilege Management (cwe)
  • CWE-287 - Improper Authentication (cwe)
  • Government (industry)
  • Akira (ransomware_group)
  • BlackByte (ransomware_group)
  • CMD (tool)
  • Enum4linux (tool)
  • Esxcli (tool)
  • Systeminfo (tool)
  • Systemsetup (tool)
  • T1012 - Query Registry (mitre_attack)
  • T1021 - Remote Services (mitre_attack)
  • T1055 - Process Injection (mitre_attack)
  • T1082 - System Information Discovery (mitre_attack)
  • T1190 - Exploit Public-Facing Application (mitre_attack)
  • ASA (platform)
  • Cisco Adaptive Security Appliance (platform)
  • Cisco ASA (platform)
  • Cisco Firepower (platform)
  • Cisco Firepower FXOS (platform)