The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported that a Cisco Firepower device at a federal civilian agency was compromised in September 2025. The attack used a new malware called FIRESTARTER, designed as a backdoor for persistent remote access. The finding was published jointly with the United Kingdom's National Cyber Security Centre (NCSC).
FIRESTARTER: a backdoor that ignores security updates 🔥
The FIRESTARTER malware operates as a backdoor that gives attackers persistent remote control of the compromised device. Most concerning is that it survived the security patches applied to the Cisco Firepower device, which runs Adaptive Security Appliance (ASA) software. A backdoor that persists across a software upgrade that reloads the device cannot simply be living in memory, since a reload would clear it; it must be stored somewhere the upgrade process does not overwrite, or re-establish itself afterwards. Either way, conventional patching neither detects nor removes it, so a successful upgrade on its own cannot be taken as evidence that the device is clean.
The patch that patched nothing, but still charged 💀
Network administrators applied patches hoping to sleep soundly, but FIRESTARTER decided to stay living on the firewall like that tenant who doesn't pay rent. CISA and the NCSC now recommend reviewing logs, but an attacker with persistent access to the device has had every opportunity to erase their tracks while enjoying a virtual coffee, so an empty log is not proof of a clean box. The only thing more persistent than this malware is the bureaucracy needed to approve a password change.