Firestarter Backdoor Compromises Federal Cisco Firepower Appliance, Evades Security Patches
What Happened – The U.S. Cybersecurity and Infrastructure Security Agency (CISA) disclosed that a federal civilian agency’s Cisco Firepower Adaptive Security Appliance (ASA) was infected with the FIRESTARTER backdoor in September 2025. The malware provides persistent remote‑access capabilities and continued to operate even after Cisco released subsequent security patches.
Why It Matters for TPRM –
- A widely‑deployed network‑security platform can be silently compromised, exposing downstream vendors and customers.
- Persistence despite patches indicates a sophisticated, possibly zero‑day exploit that may affect other organizations using the same appliance.
- Federal‑level compromise raises the risk profile for any third‑party that relies on Cisco Firepower for perimeter defense.
Who Is Affected – Federal civilian agencies, any enterprise or service provider that deploys Cisco Firepower/ASA devices (e.g., telecom, cloud providers, critical‑infrastructure operators).
Recommended Actions –
- Verify whether any of your third‑party vendors use Cisco Firepower or ASA appliances.
- Request evidence of patch validation and post‑patch monitoring from those vendors.
- Conduct a focused audit for indicators of compromise (IoCs) associated with FIRESTARTER.
- Review incident‑response playbooks for backdoor persistence and ensure network segmentation limits lateral movement.
Technical Notes – The FIRESTARTER backdoor appears to exploit an undisclosed vulnerability in the ASA codebase, enabling remote command execution and data exfiltration. No public CVE has been assigned yet; CISA and the U.K. NCSC label it a “remote‑access backdoor” that survived Cisco’s March 2026 security update.
Source: The Hacker News