(TLP:CLEAR) FIRESTARTER Backdoor and Updated Emergency Directive for Cisco Firepower and Secure Firewall Devices
Created: Thursday, April 23, 2026 - 15:41
Categories: Cybersecurity, Federal & State Resources, Security Preparedness
Summary: Today, CISA released a Malware Analysis Report (MAR) that analyzes a sample of FIRESTARTER malware obtained from a forensic investigation. CISA and the UK Cyber Security Centre (NCSC) assess that advanced persistent threat (APT) actors are using FIRESTARTER malware for persistence, specifically targeting publicly accessible Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software.
CISA also released an update to its Emergency Directive (ED) 25-03: Identify and Mitigate Potential Compromise of Cisco Devices, which outlines required actions for U.S. Federal Civilian Executive Branch agencies. CISA urges all other U.S. organizations to review the MAR, take necessary actions, and report any findings to CISA.
Analyst Note: The MAR and updated Emergency Directive highlight a sophisticated persistence mechanism targeting network edge devices (Cisco Firepower and Secure Firewall appliances), which are critical control points in enterprise and OT network architectures. Unlike typical post-exploitation malware, FIRESTARTER is designed to maintain long-term access even after vulnerabilities are remediated.
CISA notes that improper actions (e.g., rebooting or patching prior to forensic collection) may hinder detection, and that full power disconnection may be required to ensure persistence is removed.
WaterISAC encourages members to review the MAR, which contains detailed analysis of the FIRESTARTER malware, including its persistence mechanisms, detection methods (e.g., YARA rules and memory analysis), and recommended response actions to identify, contain, and remediate potential compromises of affected Cisco devices.
Original Sources: https://www.cisa.gov/news-events/analysis-reports/ar26-113a
Related WaterISAC PIRs: 6, 8, 10, 10.2, 11, 12
