CISA Warns of FIRESTARTER Malware Targeting Cisco ASA including Firepower and Secure Firewall Products
PRESS RELEASE
Agency Updates Emergency Directive 25-03 with New Actions to Identify and Mitigate Potential Compromise
Released April 23, 2026
RELATED TOPICS: CYBER THREATS AND RESPONSE, MALWARE, PHISHING, AND RANSOMWARE
WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) published a malware analysis report today on FIRESTARTER, malware that allows remote access and control by malicious threat actors targeting Cisco Firepower and Secure Firewall products running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. In conjunction with this report, CISA issued new required actions for Federal Civilian Executive Branch (FCEB) agencies in Emergency Directive 25-03: Identify and Mitigate Potential Compromise of Cisco Devices. Threat actors continue to target these devices and products, posing significant risks to all organizations.
This malware analysis report, co-sealed with United Kingdom National Cyber Security Centre (NCSC-UK), provides organizations with the knowledge to help them detect and respond to FIRESTARTER. This report provides technical details on threat actor activity, FIRESTARTER’s secret to achieving persistence, as well as recommended detection methods, mitigations and actions for incident response. In this report, CISA and NCSC-UK assess that an advanced persistent threat (APT) actor exploited CVE-2025-20333 and CVE-2025-20362 in Cisco ASA firmware to gain initial access and deploy FIRESTARTER on Firepower and Secure Firewall devices.
“FIRESTARTER can persist as an active threat on Cisco ASA devices or FTD software. CISA encourages organizations using these devices or software to review the FIRESTARTER report, assess devices for compromise, implement mitigations, and report any findings to CISA,” said CISA Acting Director Nick Andersen. “Every day, CISA works with federal government and industry partners to assess cyber threats and publish actionable information for organizations to better protect themselves and ensure the integrity of their digital infrastructure.”
During proactive monitoring of Cisco ASA devices used by FCEB agencies, CISA detected FIRESTARTER malware that enabled post-patching persistence. CISA analysis determined that firmware patching actions on compromised devices did not necessarily remove an existing threat actor. CISA updates to ED 25-03 include identifying specified Firepower and Secure Firewall devices, collecting forensic data, and applying new vendor-provided updates.
As FCEB agencies implement the new ED 25-03 requirements, CISA will monitor compliance, provide technical assistance, and deliver additional resources as needed.
CISA urges network defenders using Cisco Firepower and Secure Firewall products running ASA or FTD software to review all applicable resources for this release and implement recommended actions.
For more information, please visit Cybersecurity Directives.
###
About CISA
As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to manage, uncover, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.
Visit CISA.gov for more information and follow us on X, Facebook, LinkedIn, Instagram.