Cisco firewall vulnerabilities: persistent malware threat

Cisco firewall vulnerabilities: persistent malware threat

Recent advisories from US and UK cybersecurity agencies have highlighted Cisco firewall vulnerabilities, with a new malware strain called Firestarter that persists even after devices are patched. This threat exposes organisations to ongoing risk, requiring specific remediation steps beyond standard patching.

Firestarter malware: how it works and why it’s dangerous

Discovery and affected devices

The Firestarter malware was jointly disclosed by the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC). It targets Cisco Firepower and Adaptive Security Appliance (ASA) devices, which are commonly used by government, enterprise and critical infrastructure networks. The campaign began in late 2025 and has been linked to state-sponsored threat actors tracked as UAT-4356.

Exploited vulnerabilities

Attackers exploited two vulnerabilities in Cisco devices: CVE-2025-20333, a remote code execution flaw in the VPN web server, and CVE-2025-20362, an unauthorised access vulnerability. Although Cisco released patches in September 2025, compromised devices remain at risk if they were infected before patching. The malware survives routine firmware updates and software reboots, making it unusually persistent.

Persistence mechanism and backdoor functionality

Firestarter achieves persistence by manipulating the Service Platform mount list, a configuration file that determines which programs run during boot. When a device reboots or receives a termination signal, Firestarter copies itself to a secondary location and alters the mount list to ensure it launches again. Only a hard reboot, involving physical power disconnection, removes the implant.

• Malware survives firmware updates and standard reboots
• Manipulates Cisco Service Platform mount list for persistence
• Injects malicious shellcode into core networking code (LINA)
• Intercepts network requests to enable a secret backdoor
• Requires a hard reboot for full removal

Once embedded, Firestarter monitors VPN authentication requests. If it detects a hidden trigger sequence, it executes attacker-supplied code, granting ongoing access to the compromised device.

Why Cisco firewall vulnerabilities require urgent attention

Implications for organisations

Persistent malware on network perimeter devices is especially concerning. Firestarter enables attackers to maintain access even after organisations believe they have patched and remediated vulnerabilities. This undermines confidence in standard update processes and may leave critical infrastructure exposed for extended periods.

Devices affected by Firestarter include those patched after infection. As a result, traditional response steps, such as applying vendor updates and performing software reboots, are insufficient. Attackers can use the backdoor to exfiltrate sensitive data, monitor network traffic, or launch additional attacks against internal systems.

Regulatory and operational impact

In response to the discovery, CISA issued an emergency directive requiring US federal agencies to audit all Cisco firewall infrastructure and submit device memory snapshots for analysis. Similar actions are recommended for organisations worldwide, given the wide deployment of affected devices.

• Compliance requirements may increase for critical infrastructure operators
• Incident response plans should be updated to address persistent threats
• Ongoing monitoring is essential to detect unusual device behaviour

Mitigating Cisco firewall vulnerabilities: practical steps for organisations

Immediate actions for IT teams

Organisations should take the following steps to address Cisco firewall vulnerabilities and the Firestarter malware:

1. Identify affected devices: Audit Cisco Firepower and ASA devices, especially those patched after September 2025.
2. Collect memory snapshots: Submit device memory snapshots to trusted analysts or vendors for forensic examination.
3. Perform hard reboots: Physically disconnect and reconnect devices to remove persistent malware from memory.
4. Apply the latest patches: Ensure all Cisco security updates are installed.
5. Monitor for unusual activity: Use continuous network monitoring to detect suspicious connections or authentication requests.

Strengthening long-term resilience

Beyond immediate remediation, organisations should revise their security processes to account for persistent threats. This includes:

• Updating incident response plans to include hard reboot steps
• Training IT staff to recognise signs of advanced persistent malware
• Establishing relationships with trusted cybersecurity partners for forensic analysis
• Regularly reviewing vendor advisories for new vulnerability disclosures

Key takeaways for professionals

Cisco firewall vulnerabilities such as Firestarter demonstrate that patching alone may not be enough to secure network devices. Persistent malware can survive standard remediation procedures and requires a combination of technical and operational responses. Organisations must remain vigilant, audit their perimeter infrastructure, and be prepared to take decisive action when new threats emerge.

By understanding the mechanics of Firestarter and following recommended mitigation steps, organisations can reduce their risk and maintain the integrity of their critical systems.

Originally reported by CyberScoop.