FIRESTARTER Backdoor

Summary

CISA and the UK's NCSC have identified a backdoor named FIRESTARTER that APT actors are using to target publicly accessible Cisco Firepower and Secure Firewall devices running ASA or FTD software. The malware is designed for persistence and has been observed in the wild on Cisco Firepower devices running ASA software.

IFF Assessment

FOE

FIRESTARTER is a new backdoor malware being used by APT actors, indicating an active and sophisticated threat to network infrastructure.

Severity

9.9 Critical

CISA KEV: Listed as actively exploited. Federal patch due: September 26, 2025. Known ransomware use: Unknown.

Defender Context

This alert is critical for organizations using Cisco Firepower and Secure Firewall devices. Defenders should immediately investigate potential compromises using the provided YARA rules and consider submitting core dumps to CISA for further analysis. The activity highlights the ongoing threat of APTs exploiting network device vulnerabilities for persistent access.
