:

FIRESTARTER MALWARE PERSISTS ON CISCO FIREWALLS

SECURITY DESK2 MIN READ
FRI, APR 24, 2026

■ AI-SUMMARIZED FROM 1 SOURCE ▸ TIMELINE

U.S. and U.K. cybersecurity agencies are warning of a custom malware called Firestarter that continues to survive security updates on Cisco Firepower and Secure Firewall devices. The threat targets systems running Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software.

Firestarter represents a significant security concern for enterprise networks worldwide. The malware has demonstrated the ability to maintain persistence on Cisco's critical security infrastructure even after organizations apply available patches and security updates. Cisco Firepower and Secure Firewall devices serve as perimeter defenses for many organizations, making them high-value targets for threat actors. The fact that Firestarter can survive standard remediation efforts suggests sophisticated design and potentially multiple persistence mechanisms. The joint warning from U.S. and U.K. authorities underscores the severity of the threat. Both nations' cybersecurity agencies, including CISA and the NCSC, have issued guidance to organizations running affected Cisco equipment. Key affected systems: - Cisco Firepower devices with ASA software - Cisco Secure Firewall devices with FTD software Organizations using these devices are advised to implement comprehensive detection and response strategies beyond standard patching. Security teams should conduct thorough investigations of their firewall infrastructure to identify potential compromise indicators. The persistence of Firestarter across security updates highlights the importance of defense-in-depth strategies. Relying solely on patches may not be sufficient against sophisticated threats targeting critical security appliances. Cisco has released guidance for affected customers, though specific technical details about the malware's persistence mechanisms remain limited. Organizations are encouraged to consult official advisories from both Cisco and their respective national cybersecurity agencies for the latest information and recommended countermeasures. This threat comes amid increasing focus on supply chain and infrastructure-level attacks targeting security appliances. Defenders should assume potential compromise and implement enhanced monitoring protocols on all Cisco firewall deployments.

■ SOURCES

Bleeping Computer

■ SUMMARY WRITTEN BY AI FROM THE LINKS ABOVE

■ MORE FROM THE SECURITY DESK

Partnered Health, one of Australia's largest healthcare providers, has disclosed a cyber-attack affecting 21 clinics across Sydney, Melbourne, and Canberra. Personal information and medical records were compromised in the breach.

1H AGOSecurity Desk

Security firm Intruder has developed an AI-powered system that automatically identifies previously unknown software vulnerabilities by combining code analysis with large language models. The tool already discovered and exploited a WordPress plugin zero-day.

1H AGOAI Desk

U.S. federal prosecutors have unsealed charges against three Russian nationals accused of operating a bulletproof hosting service that supported ransomware gangs responsible for over $62 million in damages worldwide.

6H AGOIndustry Desk

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively exploiting three vulnerabilities in Internet-exposed on-premises SharePoint Server instances. Organizations running affected versions must patch immediately.

6H AGOSecurity Desk

■ SUBSCRIBE TO THE DAILY BRIEF

ONE EMAIL, 5 STORIES, 06:00 UTC. UNSUBSCRIBE ANYTIME.