[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"focus:firestarter-backdoor-moeh6xo2":3},{"item":4},{"id":5,"title":6,"slug":7,"summary":8,"severity":9,"category":10,"cve_ids":11,"affected_products":14,"action_required":20,"article_ids":21,"ioc_summary":23,"source_urls":24,"status":26,"expires_at":27,"created_at":28,"updated_at":29,"articles":30},"7e9e845b-5f54-4b78-a583-1764dae1a381","FIRESTARTER Backdoor","firestarter-backdoor-moeh6xo2","APT actors deployed FIRESTARTER, a persistent Linux backdoor on Cisco Firepower and Secure Firewall devices via CVE-2025-20333 and CVE-2025-20362. The malware survives firmware patches and works with LINE VIPER to maintain remote access. Any organization running these devices is at risk of undetected command and control.","critical","advisory",[12,13],"CVE-2025-20333","CVE-2025-20362",[15,16,17,18,19],"Cisco","CISA","NCSC","Cisco Firepower","Cisco ASA","Immediately hunt Cisco Firepower and Secure Firewall devices using provided YARA rules. For confirmed compromises: generate core dumps for analysis, apply patches for CVE-2025-20333 and CVE-2025-20362, then perform hard power cycles to clear persistence.",[22],"a78c84a3-115d-483b-9bed-262c14d46a1e",null,[25],"https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Fanalysis-reports\u002Far26-113a","archived","2026-04-27T15:09:48.008+00:00","2026-04-25T15:09:49.76689+00:00","2026-04-27T16:05:21.499363+00:00",[31],{"id":22,"title":6,"url":25}]