• CISA Releases Malware Analysis Report: FIRESTARTER Backdoor and Updated Emergency Directive for Cisco Firepower and Secure Firewall Devices

    From CISA@cisa@messages.cisa.gov to cisa@toolazy.synchro.net on Thu Apr 23 15:53:43 2026

    Cybersecurity and Infrastructure Security Agency (CISA)

    CISA Releases Malware Analysis Report: FIRESTARTER Backdoor and Updated Emergency Directive for Cisco Firepower and Secure Firewall Devices [ https://www.cisa.gov/news-events/analysis-reports/ar26-113a ] 04/23/2026 12:00 PM EST

    Today, CISA and the United Kingdom National Cyber Security Centre (NCSC-UK) released a Malware Analysis Report [ https://www.cisa.gov/news-events/analysis-reports/ar26-113a ] (MAR) on FIRESTARTER, a persistent backdoor malware specifically targeting publicly accessible Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense software. This release coincides with the updated Emergency Directive (ED) 25-03: Identify and Mitigate Potential Compromise of Cisco Devices [ https://www.cisa.gov/news-events/directives/v1-ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices ], which outlines required actions for U.S. Federal Civilian Executive Branch agencies. All other U.S. organizations are urged to review the MAR, take necessary actions, and report any findings to CISA.

    FIRESTARTER enables remote access and control by advanced persistent threat (APT) actors and can survive firmware patching and device reboots. Initial access to Cisco ASA firmware was gained by exploiting CVE-2025-20333 [CWE-862: Missing Authorization] [ https://www.cve.org/CVERecord?id=CVE-2025-20333 ] and/or CVE-2025-20362 [CWE-120: Classic Buffer Overflow] [ https://www.cve.org/CVERecord?id=CVE-2025-20362 ]. The malware can maintain persistence after patching, enabling APT actors to re-access compromised devices without re-exploiting vulnerabilities.

    Refer to the resources below for additional details:

    * Malware Analysis Report: FIRESTARTER Backdoor [ https://www.cisa.gov/news-events/analysis-reports/ar26-113a ]
    * Emergency Directive (ED) 25-03 V1 Update: Identify and Mitigate Potential Compromise of Cisco Devices [ https://www.cisa.gov/news-events/directives/v1-ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices ]
    * Supplemental Direction ED 25-03: Core Dump and Hunt Instructions [ https://www.cisa.gov/news-events/directives/supplemental-direction-ed-25-03-core-dump-and-hunt-instructions ]
    * Cisco Talos Blog: FIRESTARTER [ https://blog.talosintelligence.com/uat-4356-firestarter/ ]
    * Cisco Security Advisory [ https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-CISAED25-03 ]

