FIRESTARTER Backdoor

APT actors deployed FIRESTARTER, a persistent Linux backdoor on Cisco Firepower and Secure Firewall devices via CVE-2025-20333 and CVE-2025-20362. The malware survives firmware patches and works with LINE VIPER to maintain remote access. Any organization running these devices is at risk of undetected command and control.

CRITICALAdvisoryApr 25, 2026

Action required

Immediately hunt Cisco Firepower and Secure Firewall devices using provided YARA rules. For confirmed compromises: generate core dumps for analysis, apply patches for CVE-2025-20333 and CVE-2025-20362, then perform hard power cycles to clear persistence.

Affected products

CiscoCISANCSCCisco FirepowerCisco ASA

CVE IDs

CVE-2025-20333 CVE-2025-20362

Linked articles

FIRESTARTER Backdoor

Source links

https://www.cisa.gov/news-events/analysis-reports/ar26-113a