Cyberscoop
Persistent Firestarter Malware Targets Cisco Firepower Devices in US Agencies
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A sophisticated backdoor malware named Firestarter has been discovered on Cisco Firepower devices, attributed to the state-sponsored threat actor UAT-4356. The malware exploits two vulnerabilities, CVE-2025-20333 and CVE-2025-20362, which were patched in September 2025 but remain exploitable if devices were compromised prior to patching. Firestarter allows attackers to maintain persistent access even after firmware updates and standard reboots by manipulating the Cisco Service Platform mount list. The Cybersecurity and Infrastructure Security Agency (CISA) confirmed the presence of Firestarter on a U.S. federal agency's device, prompting an emergency directive for all federal civilian agencies to audit their Cisco firewall infrastructure. The malware can execute arbitrary code and has been linked to a broader campaign targeting government and critical infrastructure networks. Organizations are advised to conduct thorough security checks and utilize YARA rules for detection. The incident highlights the ongoing risks associated with unpatched vulnerabilities and the need for robust cybersecurity measures.
Key Points: • Firestarter malware exploits CVE-2025-20333 and CVE-2025-20362 to maintain persistent access. • CISA has mandated federal agencies to audit their Cisco Firepower devices following the discovery. • The malware can survive firmware updates, requiring physical disconnection for complete removal.