At a glance: In April 2026, U.S. and UK cyber authorities disclosed a previously unknown persistence mechanism, tracked as FIRESTARTER, discovered on Cisco firewall infrastructure protecting a U.S. federal civilian agency. Analysis confirmed that the mechanism survives the Cisco security patches released in September 2025, so an affected device stays accessible to the actor unless remediation goes beyond routine patching. The activity underscores the business risk of perimeter device compromise and reinforces that applying a patch is not always the same as remediating the device.
Threat summary
On April 23, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre reported on a previously unknown backdoor, FIRESTARTER.
The backdoor was identified during forensic investigation of suspicious activity on Cisco firewall infrastructure used by a U.S. federal civilian agency. Its persistence mechanism survived installation of Cisco security updates released in September 2025, meaning affected devices may remain compromised unless remediation extends beyond routine patching.
The threat actor targeted Cisco Secure Firewall Adaptive Security Appliance (ASA) and Cisco Secure Firewall Threat Defense (FTD) platforms, which are commonly deployed as network perimeter firewalls and VPN gateways. These devices routinely process sensitive network traffic, authenticate remote users, and enforce security policy at the network edge.
Initial access was gained by exploiting two previously disclosed vulnerabilities:
- CVE-2025-20333, a remote code execution flaw with a CVSS score of 9.9
- CVE-2025-20362, an authentication bypass flaw with a CVSS score of 6.5
Cisco released patches for both vulnerabilities in September 2025.
FIRESTARTER operates as a Linux executable integrated into the Cisco firewall environment and enables remote access and code execution within the LINA process, which is responsible for core packet handling and security functions.
Persistence is achieved by modifying components of the Cisco Firepower eXtensible Operating System, allowing the implant to survive firmware upgrades and normal software reboots. Cisco confirmed that a standard reboot does not remove the persistence mechanism.
Cisco attributes this activity to a threat actor it tracks as UAT-4356, which has previously been associated with Chinese state actors targeting network perimeter devices.
Analysis
A Cisco firewall's privileged position at the network edge means a successful compromise gives the actor persistent, covert access that many traditional security controls never inspect.
Both Cisco and CISA emphasize that patching alone does not guarantee remediation if FIRESTARTER is already present. Device integrity can be validated through analysis of core dumps or memory images and by aligning findings with vendor and government advisories.
Devices confirmed to be compromised must be reimaged, or fully power-cycled (not merely rebooted in software) and then updated to current vendor software, to remove the persistent implant.
Additional risk reduction includes reviewing firewall and VPN access logs for anomalous activity, restricting management interfaces so they are not reachable from untrusted networks, and integrating perimeter device integrity checks into broader vulnerability management and incident response processes.
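To make the log review and management-exposure checks concrete, the following script is an added example and is not from the advisory, Cisco or CISA. It audits `ssh`/`http`/`telnet` access statements in an ASA running configuration for management services reachable on the outside interface or from wide address ranges, and it flags administrative logins (syslog message 605005) and configuration commands (message 111010) that arrive on the outside interface or originate outside an assumed management network of 10.10.0.0/24. The configuration and log lines are constructed for illustration, and the message formats are approximated from Cisco's documented syslog templates rather than captured from a real device.

```python
"""Audit Cisco ASA management exposure and review admin-access logs.

Added example, not part of the advisory above. The sample config, the sample
syslog lines and the 10.10.0.0/24 management network are all assumptions.
"""
import ipaddress
import re

# Networks from which administrative access is expected (assumption).
ALLOWED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# %ASA-6-605005: Login permitted from <src>/<port> to <iface>:<dst>/<service> for user "<user>"
LOGIN_RE = re.compile(
    r'%ASA-6-605005: Login permitted from (?P<src>[\d.]+)/\d+ to '
    r'(?P<iface>\w+):[\d.]+/(?P<proto>\w+) for user "(?P<user>[^"]+)"'
)
# %ASA-5-111010: User '<user>', running '<app>' from IP '<src>', executed '<cmd>'
CMD_RE = re.compile(
    r"%ASA-5-111010: User '(?P<user>[^']+)', running '[^']+' from IP '?(?P<src>[\d.]+)'?, "
    r"executed '(?P<cmd>[^']+)'"
)
# Management access statements in the running config, e.g. `ssh 0.0.0.0 0.0.0.0 outside`
ACCESS_RE = re.compile(r"^(?P<svc>ssh|http|telnet) (?P<ip>[\d.]+) (?P<mask>[\d.]+) (?P<iface>\S+)$")


def audit_mgmt_access(config_text):
    """Return (statement, reason) pairs for ssh/http/telnet statements that expose
    management to the outside interface or to a range wider than a /24."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ACCESS_RE.match(line)
        if not m:
            continue
        net = ipaddress.ip_network(f"{m['ip']}/{m['mask']}", strict=False)
        reasons = []
        if m["iface"] == "outside":
            reasons.append("management service reachable on the outside interface")
        if net.prefixlen < 24:
            reasons.append(f"management permitted from a wide range ({net})")
        if reasons:
            findings.append((line, "; ".join(reasons)))
    return findings


def scan_logs(lines, allowed_nets=ALLOWED_MGMT_NETS):
    """Return alert strings for admin logins and configuration commands that
    come from outside the allowed management networks or via the outside interface."""
    alerts = []
    for line in lines:
        m = LOGIN_RE.search(line) or CMD_RE.search(line)
        if not m:
            continue  # not an admin login or config command; ignore
        fields = m.groupdict()
        src = ipaddress.ip_address(fields["src"])
        allowed = any(src in net for net in allowed_nets)
        on_outside = fields.get("iface") == "outside"
        if allowed and not on_outside:
            continue
        if "cmd" in fields:
            alerts.append(f"config command '{fields['cmd']}' by {fields['user']} from unexpected source {src}")
        else:
            alerts.append(f"{fields['proto']} login by {fields['user']} from {src} on {fields['iface']}")
    return alerts


# Constructed sample running-config fragment (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-fw-1
http server enable
ssh 10.10.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
http 10.10.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
"""

# Constructed sample syslog lines (not from a real device).
SAMPLE_LOGS = [
    '%ASA-6-605005: Login permitted from 10.10.0.5/51234 to inside:10.10.0.1/ssh for user "admin"',
    '%ASA-6-605005: Login permitted from 198.51.100.23/44120 to outside:203.0.113.1/https for user "admin"',
    "%ASA-5-111010: User 'admin', running 'CLI' from IP '10.10.0.5', executed 'show running-config'",
    "%ASA-5-111010: User 'admin', running 'CLI' from IP '198.51.100.23', executed 'copy running-config startup-config'",
    "%ASA-6-302013: Built outbound TCP connection 4021 for outside:203.0.113.9/443 (203.0.113.9/443) to inside:10.10.1.7/52110 (203.0.113.1/52110)",
]

if __name__ == "__main__":
    for stmt, reason in audit_mgmt_access(SAMPLE_CONFIG):
        print(f"[config] {stmt}: {reason}")
    for alert in scan_logs(SAMPLE_LOGS):
        print(f"[log] {alert}")
```

Run against a real `show running-config` export and a syslog feed, the two functions give a quick first pass: any finding from `audit_mgmt_access` is a management interface exposed to untrusted networks, and any alert from `scan_logs` is an administrative action that deserves correlation with the actor activity described in the advisories. Neither function detects FIRESTARTER itself; the implant's presence still has to be established from core dumps or memory images as the advisories describe.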