ACSC issues High Status alert for Cisco Firepower and Secure Firewall products


Friday, 24 April, 2026

The Australian Cyber Security Centre (ACSC) has published a High Status alert on a previously unknown persistence mechanism on Cisco Firepower and Secure Firewall products running ASA or FTD software that is preserved even when the device is upgraded.

The alert is intended for technical teams responsible for network security, asset management and system administration in business, government and critical infrastructure sectors.

CISA and NCSC have identified new malware deployed as part of the historical exploitation of CVE-2025-20333 and CVE-2025-20362, affecting devices running Cisco Secure ASA Software or Cisco Secure FTD Software. Australian organisations can find details on this FIRESTARTER malware.

This malware can persist as an active threat on Cisco devices running ASA or Firepower Threat Defense (FTD) software, maintaining post-patching persistence and enabling threat actors to re-access compromised devices without re-exploiting vulnerabilities.

The following devices are in scope of this new malware:

  • Firepower 1000 Series
  • Firepower 2100 Series
  • Firepower 4100 Series
  • Firepower 9300 Series
  • Secure Firewall 1200 Series
  • Secure Firewall 3100 Series
  • Secure Firewall 4200 Series
     

Further details on the affected devices are available on the vendor advisory: Continued Evolution of Persistence Mechanism Against Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense.

Mitigation advice

ACSC advises Australian organisations to use the IOC command available in the vendor advisory.

Additionally, ASD ACSC recommends Australian organisations carry out the following steps:

  • Follow the guidance in Supplemental Direction for ED 25-03 and run show checkheaps and show tech-support detail commands. Be sure to save the full output off the device (preferably to an isolated system).
  • Use the guidance in Supplemental Direction for ED 25-03 to generate a core dump from the Cisco device(s) and deploy the provided YARA rules in CISA’s Malware Analysis report.
  • If FIRESTARTER is detected, report an incident to the ACSC.
  • After an incident is reported, ASD ACSC will provide guidance on the next steps.
     

If the device has not been upgraded to a release that is listed in Cisco Event Response: Continued Attacks Against Cisco Firewalls or a later release, immediately upgrade the device to prevent a potential compromise by exploitation of the referenced vulnerabilities.

Organisations that have been impacted, suspect impact or require advice and assistance can contact the ACSC via 1300 CYBER1 (1300 292 371).


  • All content Copyright © 2026 Westwick-Farrow Pty Ltd