Infected Cisco firewalls need cold start to clear persistent Firestarter backdoor

Summary

Security researchers have discovered a persistent backdoor named Firestarter targeting Cisco ASA and Firepower devices, exploiting vulnerabilities before patches were available. Attackers can maintain access even after patching by exploiting specific CVEs, so removing the malware requires a full power cycle or reimaging.

IFF Assessment

FOE

The discovery of a persistent backdoor that bypasses patching by leveraging unpatched vulnerabilities and maintaining access is a significant threat to defenders.

Severity

9.9 Critical

The vulnerabilities mentioned (CVE-2025-20333 and CVE-2025-20362) are likely to be remotely exploitable with high impact, enabling remote code execution and persistent access to sensitive firewall configurations.

CISA KEV: Listed as actively exploited. Federal patch due: September 26, 2025. Known ransomware use: Unknown.

Defender Context

Defenders should be aware of the Firestarter backdoor targeting Cisco firewalls and the specific CVEs that were exploited. It is crucial to implement the recommended remediation steps, including a complete power cycle, and to monitor for signs of compromise, because a standard reboot does not remove the persistent backdoor.