Federal Civilian Executive Branch agencies have until midnight April 24 to inventory Cisco Firepower and Secure Firewall devices and perform forensic core dump collection and submission.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive requiring federal agencies to urgently hunt for and eradicate a persistent “Firestarter” backdoor affecting Cisco Firepower and Secure Firewall devices in an active cyberespionage campaign.
The emergency directive updates and supersedes guidance that the agency released on September 25, 2025, recommending a similar set of actions to protect Cisco Adaptive Security Appliances (ASA) against an exploit targeting CVE-2025-20333 and CVE-2025-20362. CISA said that at that time, it had no indication the threat actor had also exploited Cisco Firepower and Secure Firewall devices using the same vulnerabilities and had installed the Firestarter backdoor on them.
What’s happening
- Directive targets Cisco Firepower (1000, 2100, 4100, 9300) and Secure Firewall (200, 1200, 3100, 4200, 6100) devices.
- Agencies must immediately inventory affected assets and perform forensic “core dump” collection and threat hunting.
- Core dumps must be submitted via CISA’s Malware Next Gen portal by April 24, 2026 (11:59 PM EST).
What’s “Firestarter”?
- Firestarter is a Linux ELF backdoor enabling remote command-and-control access.
- It maintains persistence by relaunching itself on termination and surviving firmware updates and reboots.
- The malware exploits previously disclosed flaws—CVE-2025-20333 (RCE) and CVE-2025-20362 (privilege escalation).
- Persistence survives patching, allowing attackers to retain access even after remediation.
- Affects perimeter security infrastructure, increasing risk of long-term network compromise and espionage.
What CISA wants agencies to do
- If compromised: Keep device powered on, disconnect from network, and report to CISA for IR guidance.
- If not compromised:
  - Apply latest Cisco updates and patches by April 24, 2026.
  - Perform a hard power reset (unplug device) by April 30, 2026, because reboots alone are insufficient.
  - Continue applying future updates within 48 hours of release.
Observed trend
- Evolution of earlier activity targeting Cisco ASA devices (see Sept. 2025 guidance) now expanded to Firepower and Secure Firewall.
- Demonstrates growing use of firmware-level persistence mechanisms by advanced threat actors.
Bottom line
CISA is treating this as a high-priority persistence threat on critical network infrastructure. Patching alone is insufficient; agencies must validate, hunt, and physically reset devices to ensure eviction.
Private sector users of Cisco Firepower and Secure Firewall devices should also assume potential exposure and follow the same guidance immediately, as the activity is unlikely to be limited to government networks.
Key links
April 23, 2026 Emergency Directive: https://www.cisa.gov/news-events/directives/v1-ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices
Original Sept. 2025 advisory: https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices
Firestarter backdoor: https://www.cisa.gov/news-events/analysis-reports/ar26-113a