
Twisted Firestarter! Aussie, US, UK cyber agencies warn of Cisco malware campaign

Firestarter backdoor found targeting Cisco Firepower and Secure Firewall devices despite upgrades.

Tue, 28 Apr 2026

The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) circulated a High Alert: Act Quickly directive regarding a backdoor malware targeting Cisco Firepower and Secure Firewall products running Adaptive Security Appliance (ASA) or Firepower Threat Defense software.

The ACSC’s warning came on the heels of a similar alert shared by the United States Cybersecurity and Infrastructure Security Agency (CISA) in cooperation with the United Kingdom’s National Cyber Security Centre (NCSC).

“ASD’s ACSC is aware of new information on a previously unknown persistence mechanism that is preserved even when upgrading Cisco Firepower and Secure Firewall products running ASA or FTD software,” the ACSC said in a 24 April alert.


“This malware can persist as an active threat on Cisco devices,” the ACSC warned, “maintaining post-patching persistence and enabling threat actors to re-access compromised devices without re-exploiting vulnerabilities”.

The following devices are impacted:

  • Firepower 1000 Series
  • Firepower 2100 Series
  • Firepower 4100 Series
  • Firepower 9300 Series
  • Secure Firewall 1200 Series
  • Secure Firewall 3100 Series
  • Secure Firewall 4200 Series

The agencies’ warnings come a day after Cisco’s own cyber security arm, Talos, revealed details of the malicious campaign.

The current campaign exploits a pair of n-day vulnerabilities, CVE-2025-20333 and CVE-2025-20362, which allow the threat actor (currently tracked by Talos as UAT-4356) to gain access to vulnerable devices. The threat actor then deploys a custom backdoor malware, which Talos has called, perhaps unsurprisingly, Firestarter.

The backdoor allows for remote access and the execution of arbitrary code.

According to Talos, UAT-4356 was also responsible for a state-sponsored 2024 campaign targeting Cisco devices, which the company dubbed ArcaneDoor at the time.

“ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors,” Talos said.

“Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns.”

You can read Cisco’s full security advisory here.


David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
