The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has disclosed that a federal civilian agency's Cisco Firepower device, running Adaptive Security Appliance (ASA) software, was found in September 2025 to be compromised with a previously unknown backdoor. The malware, identified as FIRESTARTER, was designed to give the attackers persistent remote access to the affected device.
CISA, in coordination with the United Kingdom's National Cyber Security Centre (NCSC), assessed that FIRESTARTER is a sophisticated backdoor built specifically for long-term access and control. The agencies noted that the device was compromised despite having current security patches installed, a reminder that patching closes known vulnerabilities but does not remove an implant that is already in place, and raising questions about how far standard update procedures go against advanced persistent threats.
Attack Details and Impact
The compromised device belonged to an unnamed federal civilian agency, which CISA declined to identify publicly. The incident was discovered during a routine security audit, prompting an immediate response from both U.S. and U.K. cybersecurity authorities.
According to the joint advisory, FIRESTARTER was able to bypass the device’s security measures by exploiting an unspecified vulnerability in the ASA software. The backdoor granted attackers the ability to exfiltrate data, deploy additional malware, and potentially pivot to other systems within the agency’s network.
CISA has issued an emergency directive requiring all federal agencies to inspect their Cisco Firepower appliances for signs of compromise and apply any available mitigations. The agency also noted that private sector organizations using similar hardware should consider the advisory as a best practice recommendation.
Technical Characteristics of FIRESTARTER
The NCSC's technical analysis indicated that FIRESTARTER embeds itself deep within the device's firmware. Because a network appliance runs no endpoint antivirus and its own traffic is rarely inspected by intrusion detection systems, an implant at that level is hard to detect with standard tooling; detection depends instead on device-level integrity checks and on network telemetry about the appliance's own behaviour. The backdoor communicates with external command-and-control servers over encrypted channels, blending its traffic in with legitimate network activity.
The malware is believed to have been deployed either through a supply-chain attack or by exploiting a zero-day vulnerability. Neither CISA nor the NCSC has attributed the attack to a specific nation-state or threat actor, though both agencies stated that the sophistication of the malware suggests a well-resourced adversary.
Security researchers have noted that FIRESTARTER’s ability to survive security patches indicates that it may have been installed before the most recent updates were applied. In some cases, the backdoor could also roll back or disable patch installation to maintain persistence.
Implications for Federal and Private Networks
This incident underscores the growing challenge of securing network infrastructure devices, which often have limited visibility and logging capabilities compared to traditional servers. Cisco Firepower appliances are widely used in both government and corporate networks for firewall and intrusion prevention services.
The fact that a federal agency's device was compromised despite being on a patch management schedule has led to renewed calls for hardware-based security features (such as verified boot and attestable firmware) and more rigorous supply-chain verification. CISA has recommended that agencies implement network segmentation, enhanced logging, and continuous monitoring for anomalous behaviour as immediate countermeasures.
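One concrete form of the "continuous monitoring for anomalous behaviour" recommended above, which also addresses the encrypted, legitimate-looking C2 traffic described in the technical analysis: a firewall's management plane should originate very few outbound connections (DNS, NTP, syslog, a management server), so any other connection the appliance itself initiates is a sparse, low-noise signal, and periodic connections to one destination look like beaconing. The script below is an added example written for this article, not code from CISA, the NCSC or Cisco. The management IP, the egress allowlist, the internal address ranges and the flow records are all constructed for illustration; the flow fields mirror what a NetFlow or firewall-log export would provide.

```python
"""Flag a network appliance's own unexpected egress in flow records.

Added example (not from the advisory). Everything below that names an
address or a port is a constructed assumption: adapt the appliance IP,
the allowlist and the internal ranges to your own environment.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress
import statistics


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds when the connection started
    src: str       # originating IP
    dst: str       # destination IP
    dport: int     # destination port
    proto: str     # "tcp" or "udp"
    bytes_out: int


# Hypothetical management IP of the appliance.
APPLIANCE_MGMT_IPS = {"10.0.0.1"}

# Hypothetical destinations the appliance is expected to originate to.
ALLOWED_EGRESS = {
    ("10.0.0.53", 53, "udp"),     # internal DNS
    ("10.0.0.123", 123, "udp"),   # NTP
    ("10.0.0.10", 514, "udp"),    # syslog collector
    ("10.0.0.20", 443, "tcp"),    # management server
}

# Assumed internal ranges (RFC 1918). Checked explicitly rather than via
# ipaddress.is_global, which also treats documentation ranges as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(flow: Flow):
    """Return a reason string if the appliance originated an unexpected
    connection, or None if the flow is not appliance-originated or is
    on the allowlist."""
    if flow.src not in APPLIANCE_MGMT_IPS:
        return None
    if (flow.dst, flow.dport, flow.proto) in ALLOWED_EGRESS:
        return None
    if is_internal(flow.dst):
        return "appliance-initiated internal connection outside allowlist"
    return "appliance-initiated Internet egress outside allowlist"


def unexpected_egress(flows):
    findings = []
    for f in flows:
        reason = classify(f)
        if reason is not None:
            findings.append((f, reason))
    return findings


def beacon_candidates(flows, min_conns=4, max_jitter=0.2):
    """Group unexpected appliance-originated flows by (dst, dport, proto)
    and flag groups whose inter-arrival times are regular, i.e. beacon-like.
    Returns [(key, mean_interval_seconds), ...]."""
    groups = defaultdict(list)
    for f in flows:
        if classify(f) is not None:
            groups[(f.dst, f.dport, f.proto)].append(f.ts)
    out = []
    for key, ts in groups.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            out.append((key, round(mean)))
    return out


# Constructed sample flows: benign DNS/NTP from the appliance, a workstation
# browsing, a ~300 s beacon from the appliance to an external host, and one
# appliance-to-internal-host SMB connection that a firewall has no reason to make.
SAMPLE_FLOWS = [
    Flow(1000, "10.0.0.1", "10.0.0.53", 53, "udp", 80),
    Flow(1005, "10.0.0.1", "10.0.0.123", 123, "udp", 48),
    Flow(1010, "10.0.5.7", "203.0.113.9", 443, "tcp", 4000),
    Flow(1100, "10.0.0.1", "203.0.113.45", 443, "tcp", 1200),
    Flow(1398, "10.0.0.1", "203.0.113.45", 443, "tcp", 1180),
    Flow(1700, "10.0.0.1", "203.0.113.45", 443, "tcp", 1210),
    Flow(1999, "10.0.0.1", "203.0.113.45", 443, "tcp", 1195),
    Flow(2300, "10.0.0.1", "203.0.113.45", 443, "tcp", 1190),
    Flow(2400, "10.0.0.1", "10.0.5.7", 445, "tcp", 900),
]

if __name__ == "__main__":
    for flow, reason in unexpected_egress(SAMPLE_FLOWS):
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
    for key, interval in beacon_candidates(SAMPLE_FLOWS):
        print(f"beacon-like: {key} every ~{interval}s")
```

The allowlist is the important part: it should be short and reviewed, because every entry is a destination an implant could hide behind. Running this over flow data from a span port or a NetFlow collector, rather than from the appliance's own logs, matters for the same reason the advisory gives for the difficulty of detection: an implant in the device's firmware can lie about what the device is doing, but it cannot easily hide packets from a tap upstream of it.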
Cisco has not yet released a public statement regarding the vulnerability exploited by FIRESTARTER, but the company is reportedly working with CISA to develop a firmware update that will close the relevant security gap.
Looking Ahead
CISA and the NCSC have stated that their investigation into FIRESTARTER is ongoing. They expect to release additional indicators of compromise and detection rules in the coming weeks. Federal agencies have been given a 14-day deadline to complete initial scans and report any findings to CISA's Cyber Incident Response Team.
The incident is likely to prompt a broader review of security practices for network edge devices across the federal government. Private sector organizations that rely on similar Cisco hardware are also being advised to proactively audit their systems, regardless of whether they fall under federal mandates.
Source: CISA Joint Advisory with NCSC