Canadian Cyber Security Journal

FIRESTARTER Backdoor Confirmed on Federal Cisco Firepower Device: What Canadian Organizations Running Cisco ASA Must Do Now

What Happened

CISA and the UK National Cyber Security Centre (NCSC) published a joint malware analysis report on April 23–24, 2026, disclosing FIRESTARTER — a Linux backdoor targeting Cisco Firepower and Secure Firewall appliances running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. Cisco Talos attributed the implant to UAT-4356, the same threat actor behind the 2024 ArcaneDoor espionage campaign.

The malware exploits two n-day vulnerabilities — CVE-2025-20333 and CVE-2025-20362 — to gain initial access. Once installed, FIRESTARTER hooks into the Cisco Service Platform (CSP) mount list, embedding itself in the device boot sequence. A standard software reboot does not remove the implant. Only a hard power cycle — physically disconnecting the appliance from its power supply — clears FIRESTARTER from memory.

CISA confirmed it discovered FIRESTARTER on a US federal civilian executive branch (FCEB) agency’s Cisco Firepower device through continuous network monitoring. The implant was installed before the agency applied Cisco’s September 2025 patches, and it persisted through those patches. Attackers later used the access to redeploy a second-stage payload through March 2026. CISA issued an updated Emergency Directive requiring all FCEB agencies to submit Cisco device memory snapshots for analysis by April 25.

Why This Matters for Canadian Organizations

Cisco Firepower and ASA appliances are among the most widely deployed perimeter security devices in Canadian federal departments, Crown corporations, provincial governments, financial institutions, and telecommunications providers. The fact that FIRESTARTER survived patching is the critical detail: organizations that applied Cisco’s September 2025 security updates and believed themselves protected were not. The implant continued operating as a persistent access mechanism for over six months after remediation.

The Canadian Centre for Cyber Security (CCCS) has not yet issued a standalone advisory, but it co-signed the related AA26-113A advisory on Chinese-nexus covert infrastructure last week, signalling active monitoring of this threat actor class. UAT-4356 has a documented focus on espionage against government and critical infrastructure — exactly the sectors where Cisco perimeter devices are concentrated in Canada.

Any Canadian organization running Cisco Firepower Management Center (FMC), Firepower Threat Defense (FTD), or ASA appliances should treat this disclosure as a direct exposure risk. The persistence mechanism means your patch compliance records are not sufficient evidence of a clean device.

What to Do

First, identify all Cisco Firepower and ASA devices in your environment — including those managed by third-party MSPs or MSSPs. Second, review your network monitoring data for suspicious outbound connections from perimeter appliances, particularly any traffic that does not match expected management or update channels. Third, if you have any indication of prior compromise, a hard power cycle is required — a software reboot is not enough.
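A simple triage filter for the second step above, added here as an illustration and not taken from the CISA/NCSC report or Cisco Talos material: it walks flow records, keeps only connections initiated by inventoried perimeter appliances, and flags destinations outside a documented allowlist of management and update channels. The appliance addresses, subnets and flow records are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory of perimeter appliance source addresses (assumed values, not from
# the report). Use the address the appliance itself egresses from (management plane), not
# its outside NAT address, or forwarded user traffic will look like appliance traffic.
PERIMETER_APPLIANCES = {"203.0.113.10": "asa-edge-01", "203.0.113.11": "ftd-edge-02"}

# Documented channels the appliances are allowed to initiate connections to. Constructed
# placeholders: replace with your FMC/management subnet and the vendor update ranges you use.
EXPECTED_DESTINATIONS = [
    ipaddress.ip_network("10.0.100.0/24"),    # FMC / management subnet (assumed)
    ipaddress.ip_network("198.51.100.0/24"),  # placeholder for a vendor update/telemetry range
]

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port, bytes_out)
SAMPLE_FLOWS = [
    ("2026-04-20T01:02:03Z", "203.0.113.10", "10.0.100.5", 443, 1200),
    ("2026-04-20T01:05:00Z", "203.0.113.10", "198.51.100.20", 443, 8000),
    ("2026-04-20T02:10:00Z", "203.0.113.10", "192.0.2.77", 443, 512),
    ("2026-04-20T02:11:00Z", "203.0.113.11", "192.0.2.77", 8443, 2048),
    ("2026-04-20T03:00:00Z", "10.0.5.9", "192.0.2.77", 443, 400),
    ("2026-04-20T03:30:00Z", "203.0.113.11", "10.0.100.5", 22, 300),
]

def unexpected_outbound(flows, appliances=PERIMETER_APPLIANCES, expected=EXPECTED_DESTINATIONS):
    """Return flows initiated by an inventoried appliance whose destination is not an
    expected management or update channel. Each finding is a dict for easy export."""
    findings = []
    for ts, src, dst, port, nbytes in flows:
        if src not in appliances:
            continue  # forwarded or unrelated traffic, not the appliance acting as a client
        dst_ip = ipaddress.ip_address(dst)
        if any(dst_ip in net for net in expected):
            continue
        findings.append({"time": ts, "device": appliances[src], "dst": dst,
                         "dst_port": port, "bytes": nbytes})
    return findings

def shared_destinations(findings):
    """Destinations contacted by more than one appliance: a useful first pivot, since one
    unexpected endpoint reached from several perimeter devices deserves an early look."""
    by_dst = defaultdict(set)
    for f in findings:
        by_dst[f["dst"]].add(f["device"])
    return {dst: sorted(devs) for dst, devs in by_dst.items() if len(devs) > 1}

if __name__ == "__main__":
    hits = unexpected_outbound(SAMPLE_FLOWS)
    for h in hits:
        print(f"{h['time']} {h['device']} -> {h['dst']}:{h['dst_port']} ({h['bytes']} B)")
    print("shared:", shared_destinations(hits))
```

Run it against exported NetFlow/IPFIX or syslog connection records after mapping the fields to the tuple layout above; anything it flags is a lead for the memory-snapshot and power-cycle steps, not a confirmation on its own.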

CISA’s malware analysis report at ar26-113a includes detection guidance and indicators of compromise. Cisco Talos published its technical breakdown of UAT-4356’s FIRESTARTER campaign at Talos Intelligence. Canadian organizations with affected devices should report to the CCCS at cyber.gc.ca.
