





















Firestarter backdoor found targeting Cisco Firepower and Secure Firewall devices despite upgrades.
The Australian Signals Directorate’s Australian Cyber Security Centre circulated a High Alert: Act Quickly directive regarding backdoor malware targeting Cisco Firepower and Secure Firewall products running Adaptive Security Appliance (ASA) or Firepower Threat Defense software.
The ACSC’s warning came on the heels of a similar alert shared by the United States Cybersecurity & Infrastructure Security Agency in cooperation with the United Kingdom’s National Cyber Security Centre.
You’re out of free articles for this month
To continue reading the rest of this article, please log in.
“ASD’s ACSC is aware of new information on a previously unknown persistence mechanism that is preserved across even when upgrading on Cisco Firepower and Secure Firewall products running ASA or FTD software,” the ACSC said in an April 24 alert.
“This malware can persist as an active threat on Cisco devices, the ACSC warned, “maintaining post-patching persistence and enabling threat actors to re-access compromised devices without re-exploiting vulnerabilities.”
The following devices are impacted:
The agencies’ warnings come a day after Cisco’s own cyber security arm, Talos, revealed details of the malicious campaign.
The current campaign exploits a pair of n-day vulnerabilities, CVE-2025-20333 and CVE-2025-20362, which allow the threat actor (currently tracked by Talos as UAT-4356) to gain access to vulnerable devices, after which the threat actor deploys a custom backdoor malware, which Talos has called, perhaps unsurprisingly, Firestarter.
The backdoor allows for remote access and the execution of arbitrary code.
According to Talos, UAT-4356 was also responsible for a state-sponsored 2024 campaign that also targeted Cisco devices, which the company dubbed ArcaneDoor at the time.
“ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors,” Talos said.
“Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns.”
You can read Cisco's full security advisory here.
Want to see more stories from trusted news sources?
Make Cyber Daily a preferred news source on Google.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Tags:
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。