Executive Summary
In April 2026, cybersecurity agencies in the U.S. and U.K. identified a persistent malware named Firestarter targeting Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. The threat actor, tracked as UAT-4356, exploited vulnerabilities CVE-2025-20333 and CVE-2025-20362 to gain initial access, deploying the Line Viper malware followed by Firestarter to maintain access even after patches were applied. Firestarter achieves persistence by integrating into the core Cisco ASA process, LINA, and survives reboots, firmware updates, and security patches. (bleepingcomputer.com)
This incident underscores the evolving sophistication of cyber threats targeting critical infrastructure. Organizations must prioritize timely patching, implement robust monitoring, and adopt comprehensive security measures to mitigate such persistent threats.
Why This Matters Now
The Firestarter malware's ability to persist through updates and patches highlights the urgent need for organizations to reassess their security protocols and ensure comprehensive defenses against advanced persistent threats targeting critical infrastructure.
Attack Path Analysis
The threat actor exploited vulnerabilities CVE-2025-20333 and CVE-2025-20362 to gain unauthorized access to Cisco firewall devices. They deployed the Line Viper malware to establish a foothold and extract sensitive configuration data. Using the compromised credentials and data, the attacker moved laterally within the network. The Firestarter backdoor was installed to maintain persistent access and control over the compromised devices. The attacker exfiltrated sensitive data from the network. The attack resulted in unauthorized access to critical systems and potential data breaches.
Kill Chain Progression
Initial Compromise
Description
The threat actor exploited vulnerabilities CVE-2025-20333 and CVE-2025-20362 to gain unauthorized access to Cisco firewall devices.
Related CVEs
CVE-2025-20333
CVSS 9.9A buffer overflow vulnerability in Cisco Secure Firewall ASA and FTD Software allows unauthenticated, remote attackers to execute arbitrary code.
Affected Products:
Cisco Adaptive Security Appliance (ASA) Software – 9.12 up to 9.12.4.72, 9.14 up to 9.14.4.28, 9.16 up to 9.16.4.84, 9.17.1 up to 9.18.4.57, 9.19.1 up to 9.19.1.42, 9.20.1 up to 9.20.3.16, 9.22 up to 9.22.2, 9.23 up to 9.23.1.3
Cisco Firepower Threat Defense (FTD) Software – 7.0.0 up to 7.0.8, 7.1.0 up to 7.2.10, 7.3.0 up to 7.4.2.3, 7.6.0, 7.7.0 up to 7.7.10
Exploit Status:
exploited in the wildCVE-2025-20362
CVSS 8.6A missing authorization vulnerability in Cisco Secure Firewall ASA and FTD Software allows unauthenticated, remote attackers to access restricted URL endpoints.
Affected Products:
Cisco Adaptive Security Appliance (ASA) Software – 9.12 up to 9.12.4.72, 9.14 up to 9.14.4.28, 9.16 up to 9.16.4.84, 9.17.1 up to 9.18.4.57, 9.19.1 up to 9.19.1.42, 9.20.1 up to 9.20.3.16, 9.22 up to 9.22.2, 9.23 up to 9.23.1.3
Cisco Firepower Threat Defense (FTD) Software – 7.0.0 up to 7.0.8, 7.1.0 up to 7.2.10, 7.3.0 up to 7.4.2.3, 7.6.0, 7.7.0 up to 7.7.10
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Process Injection
Application Layer Protocol: Web Protocols
Command and Scripting Interpreter: PowerShell
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Device Security
Control ID: Pillar 3: Devices
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Federal agencies face critical APT exposure through compromised Cisco firewalls enabling persistent backdoor access, lateral movement, and data exfiltration despite security patches.
Financial Services
Banking infrastructure vulnerable to Firestarter malware persistence on Cisco devices, threatening PCI compliance and enabling unauthorized access to sensitive financial data systems.
Health Care / Life Sciences
Healthcare networks at risk from firewall-based APT attacks compromising HIPAA compliance through persistent backdoors enabling patient data theft and system compromise.
Information Technology/IT
IT service providers face supply chain risks from compromised network security appliances, threatening zero trust architectures and enabling multi-client lateral movement attacks.
Sources
- Firestarter malware survives Cisco firewall updates, security patcheshttps://www.bleepingcomputer.com/news/security/firestarter-malware-survives-cisco-firewall-updates-security-patches/Verified
- UAT-4356's Targeting of Cisco Firepower Deviceshttps://blog.talosintelligence.com/uat-4356-firestarter/Verified
- Cisco Security Advisory: Continued Evolution of Persistence Mechanism Against Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defensehttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-CISAED25-03Verified
- CISA Alert: AR26-113Ahttps://www.cisa.gov/news-events/analysis-reports/ar26-113aVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit vulnerabilities in firewall devices could have been constrained, potentially reducing unauthorized access.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges and access sensitive configuration data could have been limited, potentially reducing unauthorized access.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the network could have been constrained, potentially reducing unauthorized access.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to maintain persistent access and control over compromised devices could have been limited, potentially reducing unauthorized access.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data from the network could have been constrained, potentially reducing unauthorized access.
The overall impact of unauthorized access to critical systems and potential data breaches could have been reduced, potentially limiting the attacker's success.
Impact at a Glance
Affected Business Functions
- Network Security Operations
- Remote Access Services
- VPN Management
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of administrative credentials, certificates, and private keys.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict lateral movement within the network.
- • Deploy East-West Traffic Security controls to monitor and control internal traffic flows.
- • Utilize Multicloud Visibility & Control solutions to detect and respond to anomalous activities.
- • Enforce Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
- • Regularly update and patch systems to mitigate known vulnerabilities.
