FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches
Summary
A backdoor named FIRESTARTER was used to compromise a Cisco Firepower device belonging to a U.S. federal civilian agency in September 2025. The malware provides remote access to the device and has been observed to persist after security patches were applied, so patching alone did not remove it.
IFF Assessment
FOE
The discovery of a remote-access backdoor on a federal network device that survives patching is a significant threat to defenders: applying the vendor fix closes the entry point but does not, by itself, evict an implant that is already present.
Defender Context
This incident highlights the persistent threat that advanced backdoors pose to edge network devices such as Cisco Firepower appliances. Because FIRESTARTER has persisted through patching, a patched device cannot be assumed clean; defenders should look for signs of compromise on these devices independently of patch status, and incident response plans should cover verification and, where necessary, rebuild or replacement of network appliances rather than relying on the patch as proof of eradication.