This alert is intended for technical teams responsible for network security, asset management, and system administration in business, government, and critical infrastructure sectors.
Background
ASD’s ACSC is aware of new information on a previously unknown persistence mechanism that is preserved even across upgrades on Cisco Firepower and Secure Firewall products running ASA or FTD software.
CISA and NCSC have identified new malware deployed as part of the historical exploitation of CVE-2025-20333 and CVE-2025-20362, affecting devices running Cisco Secure ASA Software or Cisco Secure FTD Software. Australian organisations can find details on this malware, known as FIRESTARTER, in CISA’s Malware Analysis Report.
This malware can persist as an active threat on Cisco devices running ASA or Firepower Threat Defense (FTD) software, maintaining post-patching persistence and enabling threat actors to re-access compromised devices without re-exploiting vulnerabilities.
The following devices are in scope of this new malware:
- Firepower 1000 Series
- Firepower 2100 Series
- Firepower 4100 Series
- Firepower 9300 Series
- Secure Firewall 1200 Series
- Secure Firewall 3100 Series
- Secure Firewall 4200 Series
Further details on the affected devices are available on the vendor advisory Continued Evolution of Persistence Mechanism Against Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense.
Mitigation advice
ASD’s ACSC advises Australian organisations to use the IOC command available in the vendor advisory.
Additionally, ASD’s ACSC recommends that Australian organisations take the following steps:
- Follow the guidance in Supplemental Direction for ED 25-03 and run the “show checkheaps” and “show tech-support detail” commands. Save the full output off the device (preferably to an isolated system).
- Use the guidance in Supplemental Direction for ED 25-03 to generate a core dump from the Cisco device(s) and deploy the provided YARA rules in CISA’s Malware Analysis report.
- If FIRESTARTER is detected, report an incident to the ASD’s ACSC.
- After an incident is reported, ASD’s ACSC will provide guidance on next steps.
If the device has not been upgraded to a release that is listed in Cisco Event Response: Continued Attacks Against Cisco Firewalls or a later release, immediately upgrade the device to prevent a potential compromise by exploitation of the referenced vulnerabilities.
Where to get help
Organisations that have been impacted, suspect impact, or require advice and assistance can contact us via 1300 CYBER1 (1300 292 371).