CISA Orders Federal Agencies to Hunt for Persistent Cisco “Firestarter” Backdoor
What Happened – CISA and the U.K. NCSC disclosed a previously unknown, persistent backdoor (“Firestarter”) embedded in Cisco Adaptive Security Appliance (ASA) and Firepower devices on a federal civilian network. The implant can survive reboots, firmware upgrades and standard patching, giving attackers remote code execution within core system processes.
Why It Matters for TPRM (third‑party risk management) –
- Initial access used two Cisco‑published CVEs (CVE‑2025‑20333, CVE‑2025‑20362) that CISA had already mandated for remediation; applying those patches closes the entry point but does not remove an implant that is already in place.
- A persistent compromise of widely deployed vendor hardware on a federal network signals a high likelihood of similar exposure in private‑sector organizations that run identical Cisco ASA/Firepower devices.
- Implants that survive reboots, firmware upgrades and patching undermine vulnerability‑management controls that treat a patched version as a closed finding; confirming a device is clean requires forensic collection and continuous monitoring, not a version check.
Who Is Affected – Government agencies, contractors, and any enterprise that deploys Cisco ASA/Firepower perimeter devices (e.g., telecom, finance, healthcare, cloud providers).
Recommended Actions –
- Inventory all Cisco ASA and Firepower appliances; record the running software version and whether the fixes for CVE‑2025‑20333 and CVE‑2025‑20362 are applied. Treat a patched version as necessary but not sufficient: every device in scope still needs to be hunted.
- Conduct a dedicated “Firestarter” hunt using CISA‑provided IOC signatures and compare current network traffic against established baselines for each device.
- Collect system artifacts (memory dumps, running and startup configuration, logs) for forensic analysis before rebooting, upgrading or reimaging, since volatile evidence is lost once the device is restarted.
- Review third‑party risk contracts for clauses covering supply‑chain malware and ensure vendors can provide evidence of remediation.
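The inventory step above is the one most likely to give a false sense of safety, because a device whose version is past the fixed release can still carry the implant. The following Python triage helper is an added illustration, not code from CISA, Cisco or the source article: it parses the version line from Cisco ASA `show version` output, compares it against a per‑train table of minimum fixed builds, and marks every device as still requiring a hunt regardless of patch status. The `FIXED_VERSIONS` thresholds and the three hostnames are placeholders (hypothetical); substitute the fixed releases from Cisco's advisories for the two CVEs before using it.

```python
"""Triage Cisco ASA devices by parsed software version.

Added illustration, not code from CISA, Cisco or the source article.
FIXED_VERSIONS holds placeholder thresholds (hypothetical); substitute the
fixed releases from Cisco's advisories for CVE-2025-20333 / CVE-2025-20362.
"""
import re

# Placeholder (hypothetical) minimum fixed build per ASA train, keyed by
# (major, minor). These are NOT Cisco's real fixed-release numbers.
FIXED_VERSIONS = {
    (9, 16): (9, 16, 4, 90),
    (9, 18): (9, 18, 4, 70),
    (9, 20): (9, 20, 4, 12),
}

# ASA prints e.g. "Cisco Adaptive Security Appliance Software Version 9.18(4)52";
# the trailing interim number is absent on some builds, e.g. "9.14(1)".
VERSION_RE = re.compile(
    r"Adaptive Security Appliance Software Version (\d+)\.(\d+)\((\d+)\)(\d+)?"
)

# Constructed sample `show version` excerpts for three hypothetical devices.
SAMPLE_INVENTORY = {
    "fw-edge-01": "Cisco Adaptive Security Appliance Software Version 9.18(4)52\n"
                  "Device Manager Version 7.18(4)\n",
    "fw-dmz-02": "Cisco Adaptive Security Appliance Software Version 9.20(4)12\n",
    "fw-lab-03": "Cisco Adaptive Security Appliance Software Version 9.14(1)\n",
}


def parse_asa_version(show_version_text):
    """Return (major, minor, maintenance, interim), or None if no ASA version line."""
    m = VERSION_RE.search(show_version_text)
    if m is None:
        return None
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def format_version(version):
    """Render a parsed tuple back in Cisco's 9.18(4)52 notation."""
    base = "%d.%d(%d)" % version[:3]
    return base + (str(version[3]) if version[3] else "")


def patch_status(version, fixed=FIXED_VERSIONS):
    """Compare a parsed version against the fixed build for its train."""
    if version is None:
        return "no_version_found"
    train = version[:2]
    if train not in fixed:
        return "train_not_in_table"  # check the advisory by hand for this train
    return "patched" if version >= fixed[train] else "unpatched"


def triage(inventory, fixed=FIXED_VERSIONS):
    """Map hostname -> {version, patch_status, hunt_required}.

    hunt_required is True for every device: a fixed version only closes the
    entry point and says nothing about an implant planted before the patch.
    """
    report = {}
    for host, text in inventory.items():
        v = parse_asa_version(text)
        report[host] = {
            "version": None if v is None else format_version(v),
            "patch_status": patch_status(v, fixed),
            "hunt_required": True,
        }
    return report


if __name__ == "__main__":
    for host, row in triage(SAMPLE_INVENTORY).items():
        print(host, row)
```

Feed `triage()` the captured `show version` text per device (for example, collected over SSH by whatever inventory tooling is already in place); devices reported as `train_not_in_table` or `no_version_found` need a manual look rather than being assumed safe.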
Technical Notes – The implant is delivered via a shellcode loader previously tracked as “Line Viper” and then establishes persistence through a custom backdoor. Initial access chains CVE‑2025‑20333 (a buffer overflow in the ASA/FTD VPN web server that gives remote code execution) with CVE‑2025‑20362 (a missing‑authorization flaw in the same web server that exposes restricted URL endpoints to an unauthenticated attacker); the authorization bypass reaches the code path that the overflow then exploits. Because the backdoor survives reboots and firmware upgrades, standard patch cycles close the entry point but do not clean an already compromised device. Source: DataBreachToday