The Cybersecurity and Infrastructure Security Agency (CISA) instructed federal government agencies today to take further actions to identify FIRESTARTER malware that may be present in their systems and to take mitigation actions.

The malware, CISA said in an alert published on April 23, “allows remote access and control by malicious threat actors targeting Cisco Firepower and Secure Firewall products running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software.”

Today’s alert follows CISA’s emergency directive issued in September 2025 that ordered agencies to take immediate action to patch vulnerabilities in the Cisco ASA platform.

“Threat actors continue to target these devices and products, posing significant risks to all organizations,” CISA said today.

“During proactive monitoring of Cisco ASA devices used by FCEB [Federal Civilian Executive Branch] agencies, CISA detected FIRESTARTER malware that enabled post-patching persistence,” the agency said.

“CISA analysis determined that firmware patching actions on compromised devices did not necessarily remove an existing threat actor,” the agency said.

CISA said its updates to Emergency Directive 25-03 issued last year include “identifying specified Firepower and Secure Firewall devices, collecting forensic data, and applying new vendor-provided updates.”

As agencies implement the new requirements, CISA said it will monitor their compliance and provide technical assistance and resources as needed.

“FIRESTARTER can persist as an active threat on Cisco ASA devices or FTD software,” emphasized CISA acting Director Nick Andersen today. “CISA encourages organizations using these devices or software to review the FIRESTARTER report, assess devices for compromise, implement mitigations, and report any findings to CISA.”

About
John Curran
John Curran is MeriTalk's Managing Editor covering the intersection of government and technology.