Executive Summary
In April 2026, the Cybersecurity and Infrastructure Security Agency (CISA) and the UK's National Cyber Security Centre (NCSC) disclosed that a state-sponsored hacking group implanted a persistent backdoor, named Firestarter, on Cisco network security devices. This malware allowed attackers to maintain access even after firmware updates and standard reboots. The campaign, active since at least late 2025, targeted government and critical infrastructure networks by exploiting vulnerabilities CVE-2025-20333 and CVE-2025-20362 in Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. (cyberscoop.com)
The Firestarter malware achieves persistence by manipulating the device's boot sequence, enabling it to survive standard software reboots. This incident underscores the evolving sophistication of state-sponsored cyber threats and highlights the critical need for organizations to implement comprehensive monitoring and incident response strategies to detect and mitigate such persistent threats. (cyberscoop.com)
Why This Matters Now
The Firestarter malware's ability to persist after patching and across reboots marks a significant escalation in cyber threat capabilities, emphasizing the urgent need for organizations to reassess and strengthen their defenses against advanced persistent threats.
Attack Path Analysis
Attackers exploited vulnerabilities in Cisco ASA and FTD devices to gain unauthorized access, escalate privileges, move laterally within networks, establish command and control channels, exfiltrate sensitive data, and disrupt operations.
Kill Chain Progression
Initial Compromise
Description
Exploited CVE-2025-20362 to access restricted URLs without authentication, gaining an initial foothold.
Related CVEs
CVE-2025-20333
CVSS 9.9
A buffer overflow vulnerability in the VPN web server component of Cisco Secure Firewall ASA and FTD Software allows unauthenticated, remote attackers to execute arbitrary code.
Affected Products:
Cisco Secure Firewall Adaptive Security Appliance (ASA) Software – 9.12.4.72, 9.14.4.28, 9.16.4.84, 9.17.1, 9.19.1, 9.20.3.16, 9.22.2, 9.23.1.3
Cisco Secure Firewall Threat Defense (FTD) Software – 7.0.8, 7.2.10, 7.4.2.3, 7.7.10
Exploit Status:
Exploited in the wild
CVE-2025-20362
CVSS 8.6
A vulnerability in the VPN web server of Cisco Secure Firewall ASA and FTD Software allows unauthenticated, remote attackers to access restricted URL endpoints without authentication.
Affected Products:
Cisco Secure Firewall Adaptive Security Appliance (ASA) Software – 9.12.4.72, 9.14.4.28, 9.16.4.84, 9.17.1, 9.19.1, 9.20.3.16, 9.22.2, 9.23.1.3
Cisco Secure Firewall Threat Defense (FTD) Software – 7.0.8, 7.2.10, 7.4.2.3, 7.7.10
Exploit Status:
Exploited in the wild
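The bug class named under CVE-2025-20333 (an unbounded copy of attacker-controlled request data into a fixed-size buffer) is illustrated below with an added example. This is not Cisco's code and does not reproduce the actual ASA/FTD defect; the buffer size, function names, header name and sample requests are all assumptions constructed for the illustration. It places the vulnerable copy pattern next to the bounded form a reviewer would expect in a web-server request parser.

```c
/* Added illustration of the bug class only; not Cisco's code and not
 * the real CVE-2025-20333 defect. FIELD_MAX, the function names and the
 * "X-Field: " header are assumptions made up for this example. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define FIELD_MAX 32  /* assumed fixed size of the destination buffer */

/* Vulnerable pattern: 'len' comes straight from the request and is never
 * compared with the destination size, so any field of FIELD_MAX bytes or
 * more writes past the end of 'dst' (undefined behaviour). Kept here for
 * contrast only; it must never see untrusted input. */
void copy_field_unbounded(char *dst, const char *src, size_t len)
{
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Hardened pattern: refuse anything that does not fit together with the
 * terminating NUL before touching the buffer. Returns 0 on success and
 * -1 when the field is too long or the buffer has no room at all. */
int copy_field_bounded(char *dst, size_t dst_size, const char *src, size_t len)
{
    if (dst_size == 0 || len >= dst_size)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Pull one header value out of a raw request using the bounded copy.
 * Returns the value length on success, or -1 when the header is absent
 * or its value would not fit in 'out'. Matching the header by a plain
 * substring search is a simplification for the example. */
int extract_header(const char *request, const char *name, char *out, size_t out_size)
{
    const char *p = strstr(request, name);
    if (!p)
        return -1;
    p += strlen(name);
    const char *end = strpbrk(p, "\r\n");
    size_t len = end ? (size_t)(end - p) : strlen(p);
    if (copy_field_bounded(out, out_size, p, len) != 0)
        return -1;
    return (int)len;
}

/* Constructed sample requests: one that fits and one that would have
 * overflowed a FIELD_MAX-byte buffer under the unbounded copy. */
static const char *REQ_OK =
    "GET /example HTTP/1.1\r\nX-Field: short-value\r\n\r\n";
static const char *REQ_LONG =
    "GET /example HTTP/1.1\r\nX-Field: "
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"  /* 40 bytes */
    "\r\n\r\n";

int main(void)
{
    char field[FIELD_MAX];
    int n = extract_header(REQ_OK, "X-Field: ", field, sizeof field);
    printf("fits:     rc=%d value=\"%s\"\n", n, n >= 0 ? field : "");
    n = extract_header(REQ_LONG, "X-Field: ", field, sizeof field);
    printf("too long: rc=%d (rejected before any write)\n", n);
    return 0;
}
```

The important line is the `len >= dst_size` check: it is evaluated before any byte is written, and it counts the terminating NUL, which is the off-by-one that fixed-size parsers most often miss.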
MITRE ATT&CK® Techniques
Traffic Signaling
Masquerading
Valid Accounts
Boot or Logon Autostart Execution
Hijack Execution Flow
Impair Defenses
Application Layer Protocol
Obfuscated Files or Information
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Network and Environment Segmentation
Control ID: Pillar 3
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Federal agencies face critical infrastructure compromise through persistent Cisco firewall backdoors enabling state-sponsored espionage and credential theft despite patches.
Financial Services
Banking networks vulnerable to persistent firewall implants allowing lateral movement, encrypted traffic interception, and compliance violations under PCI requirements.
Telecommunications
Network infrastructure providers at high risk from edge device compromise enabling traffic interception, VPN credential theft, and service disruption.
Utilities
Critical infrastructure networks exposed to state-sponsored attacks through compromised security appliances allowing persistent access and operational technology infiltration.
Sources
- US, UK agencies warn hackers were hiding on Cisco firewalls long after patches were applied – https://cyberscoop.com/cisco-firestarter-malware-cisa-warning/
- Cisco Secure Firewall ASA and FTD Software Buffer Overflow Vulnerability – https://nvd.nist.gov/vuln/detail/CVE-2025-20333
- Cisco Secure Firewall ASA and FTD Software Unauthorized Access Vulnerability – https://nvd.nist.gov/vuln/detail/CVE-2025-20362
- Cisco Secure Firewall ASA and FTD Software Vulnerabilities – https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-20333
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident because it would likely limit the attacker's ability to exploit vulnerabilities, escalate privileges, move laterally, establish command and control channels, exfiltrate data, and disrupt operations by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to access restricted URLs without authentication would likely be constrained, reducing the risk of unauthorized initial access.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges and execute arbitrary code as root would likely be limited, reducing the risk of full device control.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the network would likely be constrained, reducing the risk of accessing additional systems.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish persistent command and control channels would likely be limited, reducing the risk of remote control over compromised devices.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data to external servers would likely be constrained, reducing the risk of data loss.
The attacker's ability to deploy malware and disrupt operations would likely be limited, reducing the risk of operational impact.
Impact at a Glance
Affected Business Functions
- Network Security Operations
- Remote Access VPN Services
- Firewall Management
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive government and critical infrastructure data due to unauthorized access.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement within the network.
- Deploy Inline IPS (Suricata) to detect and prevent exploitation of known vulnerabilities.
- Utilize Multicloud Visibility & Control to monitor and manage network traffic across environments.
- Enforce Egress Security & Policy Enforcement to control outbound traffic and prevent data exfiltration.
- Apply Secure Hybrid Connectivity (DCE) to ensure secure communication between on-premises and cloud environments.