On April 23, 2026, CISA and the UK’s National Cyber Security Centre published a joint malware analysis report on a custom backdoor called FIRESTARTER, alongside an updated version of Emergency Directive 25-03. The implant survives patching, reboots, and firmware upgrades on Cisco Firepower and Secure Firewall devices. It hides inside the LINA process that powers ASA functionality. And buried in the supplemental guidance is a sentence that should make every detection engineer pause: Sigma rules are not effective.
That last point is the one worth talking about.
The short version of what happened
CISA originally issued ED 25-03 in September 2025 in response to active exploitation of two Cisco vulnerabilities. CVE-2025-20333 is a buffer overflow that allows remote code execution. CVE-2025-20362 is a privilege escalation flaw. Cisco patched both in September. The threat actor is the same group Cisco tracks as ArcaneDoor, which prior public reporting has linked to state-nexus operators.
The investigation kept going. CISA’s forensic work on a federal civilian agency confirmed that before the September patches landed, the actor had already deployed FIRESTARTER as a persistence mechanism. The intrusion likely began in early September 2025, and follow-on activity was observed as recently as March 2026. That is roughly six months of post-exploitation access on a federal network, on a device that had presumably been patched somewhere along the way.
The April 2026 update to ED 25-03 expands the scope to Firepower 1000, 2100, 4100, 9300 series and Secure Firewall 200, 1200, 3100, 4200, and 6100 series devices, requires a complete inventory submitted to CISA by May 1, 2026, and mandates core dump collection and submission to CISA’s Malware Next Generation platform.
What makes FIRESTARTER different from a normal CVE story
Three properties of this implant are worth understanding, because they generalize beyond Cisco.
First, the implant is platform-aware. FIRESTARTER hooks XML request handling inside LINA, the core process Cisco ASA uses for network and security functions, by injecting code into a library text segment. That is not generic Linux malware that happens to run on a network appliance. That is tradecraft built by someone who understood Cisco internals well enough to abuse them deliberately. The same pattern has shown up in Ivanti Connect Secure, Fortinet FortiGate, Palo Alto PAN-OS, Juniper Junos, and F5 BIG-IP over the last two years. Edge devices are no longer being treated as packet filters by sophisticated actors. They are being treated as long-lived footholds inside trust boundaries.
Second, it is persistent through the standard remediation playbook. Patching, rebooting, upgrading firmware: none of those removes FIRESTARTER from a Firepower or Secure Firewall device. The persistence mechanism is engineered specifically to outlive the response actions a typical operations team will take when a CVE drops. Cisco ASA hardware itself is not vulnerable to the FIRESTARTER persistence layer, only to the initial CVEs, but the Firepower and Secure Firewall product lines are.
Third, and this is the part that should reshape how detection programs think about edge devices, FIRESTARTER does not generate the kind of telemetry that log-based detection relies on. The CISA malware analysis report is direct about it. The implant does not produce useful log events or obvious anomalies in standard monitoring. CISA released YARA rules to scan core dumps and disk images. It did not release Sigma rules, because it explicitly states they would not work.
The detection gap, said out loud
A federal directive telling defenders that Sigma rules are not effective against a specific implant is rare. Stop and read that sentence again. The detection model most modern SOCs are built around (ship logs to a SIEM, write detection-as-code in Sigma, alert on anomalies) is being publicly described as insufficient for this class of compromise.
That is kind of a big deal, because the implication is not that Sigma is broken. Sigma is doing exactly what it was designed to do. The problem is upstream. Edge devices generate a narrow slice of telemetry compared to endpoints and servers. Most of what a SOC sees from a firewall is connection logs, AAA events, and management plane activity. None of that is going to surface a process injection into LINA. The signal is in memory, in process introspection, and on disk, in places that conventional logging pipelines never reach.
This is the part of the story that most coverage is missing. FIRESTARTER is not just a Cisco problem. It is a representative example of a class of compromise that the current detection stack handles poorly. If your detection program assumes that no logs equals no problem, that assumption was already wrong, and a Five Eyes advisory just made it official.
What this means in practice
The defensive implications fall into a few distinct buckets.
For network and infrastructure teams, asset visibility becomes the front line. The directive’s inventory requirement is impossible to meet on time if you do not already know which Firepower and Secure Firewall devices you operate, where they live, and what software they run. Manual asset tracking is not going to cut it for the May 1 deadline, and it is not going to cut it for the next one either. The pattern of edge device compromise is not slowing down.
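As an added illustration (not from the advisory or from any Cisco tooling), the scope check below classifies a CMDB export against the series the April 2026 update brings into scope and separates classic ASA hardware and unrecognised entries. Model strings, hostnames, sites and versions in the sample are constructed; the series-from-model-number heuristic is an assumption, not a Cisco-documented rule.

```python
import re
from dataclasses import dataclass

# Product series named in the April 2026 update to ED 25-03.
IN_SCOPE_SERIES = {
    "Firepower": {1000, 2100, 4100, 9300},
    "Secure Firewall": {200, 1200, 3100, 4200, 6100},
}


@dataclass
class Device:
    hostname: str
    model: str    # free-text model/PID string as exported from a CMDB
    version: str  # running software version
    site: str


def classify_model(model: str):
    """Return (family, series) or None when no model number is present.

    Heuristic (assumption): the first 3- or 4-digit run in the string is the
    model number and its hundreds-rounded value is the series, so 2130 -> 2100
    and 1010 -> 1000. Classic ASA 5500-X hardware is reported separately
    because the advisory says it is not affected by the persistence layer."""
    match = re.search(r"(?<!\d)(\d{3,4})(?!\d)", model)
    if not match:
        return None
    series = (int(match.group(1)) // 100) * 100
    if "ASA" in model.upper() or series == 5500:
        return ("ASA", series)
    for family, allowed in IN_SCOPE_SERIES.items():
        if series in allowed:
            return (family, series)
    return ("Unknown", series)


def build_inventory(devices):
    """Split devices into ED 25-03 in-scope records, ASA hardware and unclassified entries."""
    report = {"in_scope": [], "asa_hardware": [], "unclassified": []}
    for d in devices:
        cls = classify_model(d.model)
        if cls is None or cls[0] == "Unknown":
            report["unclassified"].append(d.hostname)  # needs a human look
        elif cls[0] == "ASA":
            report["asa_hardware"].append(d.hostname)
        else:
            report["in_scope"].append({"hostname": d.hostname, "family": cls[0],
                                       "series": cls[1], "version": d.version, "site": d.site})
    return report


# Constructed sample CMDB export; every value here is made up for the example.
SAMPLE = [
    Device("fw-dc1-edge", "FPR-2130", "7.4.2", "DC1"),
    Device("fw-branch-07", "Cisco Firepower 1010", "7.2.8", "Branch 07"),
    Device("fw-dc2-core", "Cisco Secure Firewall 3110", "7.4.2", "DC2"),
    Device("fw-legacy", "ASA5516-X", "9.18.4", "DC1"),
    Device("fw-other", "Meraki MX", "18.2", "Lab"),
]
```

Unclassified entries are deliberately surfaced rather than dropped, since a missed device is exactly what the inventory deadline is meant to prevent.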
For detection engineering teams, this is the moment to take a hard look at coverage on edge devices specifically. If your only telemetry from a perimeter firewall is syslog and SNMP, you have very limited ability to detect implants that operate below the management plane. Memory analysis, periodic core dumps, integrity monitoring of device firmware, and disk image scanning with YARA rules are all on the table. None of those are easy. All of them are getting more important.
For incident response teams, the anti-forensics warning matters. CISA’s supplemental direction explicitly tells responders not to use tab autocomplete on a suspect device, because doing so can trigger anti-forensics routines that destroy evidence. That is an operational control that needs to be in your playbook, with the right people trained on it, before you need it.
For threat intel teams, the broader pattern is the story. ArcaneDoor, Salt Typhoon, Volt Typhoon, and the long tail of edge-device campaigns over the last three years all point in the same direction. Sophisticated actors are building purpose-built implants for specific appliance families and using them to maintain quiet, long-term access at trust boundaries. The next FIRESTARTER will not target Cisco. Plan accordingly.
Where this fits in the bigger picture
FIRESTARTER is significant because it forces an uncomfortable conversation that the industry has been avoiding. Edge devices sit at trust boundaries. They hold credentials, certificates, and private keys. They have privileged visibility into traffic on both sides of the boundary. They are also rarely instrumented with the same depth of telemetry as endpoints or servers, and they are increasingly being targeted by actors who understand that imbalance.
The patch-and-move-on model assumes that closing the door also evicts whoever walked through it. That assumption fails when the adversary has had time to build persistence into the device’s operational plumbing. FIRESTARTER is the case study CISA and the NCSC chose to publish, but it is not the only one in the wild. The defensive answer is not a single product. It is a shift in how we treat edge devices in detection programs, in incident response playbooks, and in the inventory hygiene that underpins both.
The federal directive applies to FCEB agencies. The lesson does not stop there.
References
- CISA Emergency Directive 25-03: Identify and Mitigate Potential Compromise of Cisco Devices: https://www.cisa.gov/news-events/directives/v1-ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices
- CISA Supplemental Direction ED 25-03: Core Dump and Hunt Instructions: https://www.cisa.gov/news-events/directives/supplemental-direction-ed-25-03-core-dump-and-hunt-instructions
- CISA bulletin announcing FIRESTARTER MAR: https://content.govdelivery.com/accounts/USDHSCISA/bulletins/414353b
- BankInfoSecurity coverage: https://www.bankinfosecurity.com/cisa-hunts-for-cisco-backdoor-spotted-on-federal-network-a-31505
- Industrial Cyber coverage: https://industrialcyber.co/ransomware/cisa-ncsc-warn-firestarter-malware-enabling-persistent-backdoor-access-to-exposed-cisco-firewall-infrastructure/
