FIRESTARTER Malware affecting Cisco ASA and FTD

3:00PM, 24 April 2026

TLP Rating: Clear

The NCSC would like to draw your attention to FIRESTARTER, malware that gives malicious threat actors remote access to and control of Cisco Firepower and Secure Firewall products running Adaptive Security Appliance (ASA) or Firewall Threat Defence (FTD) software.

The following vulnerabilities have been associated with how an advanced persistent threat actor gained initial access to deploy FIRESTARTER on Firepower and Secure Firewall devices:

  • CVE-2025-20333 (CVSS 9.9): A vulnerability in the VPN web server of Cisco Secure Firewall ASA Software and Cisco Secure FTD Software could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.  
  • CVE-2025-20362 (CVSS 6.5): A vulnerability in the VPN web server of Cisco Secure Firewall ASA Software and Cisco Secure FTD Software could allow an unauthenticated, remote attacker to access restricted URL endpoints that should otherwise be inaccessible without authentication.

Note: If a Cisco device was running vulnerable software prior to applying the patch for CVE-2025-20333 and CVE-2025-20362, there is a possibility FIRESTARTER malware is present.

What's happening

Systems affected

The following software versions are affected by this issue, regardless of device configuration:  

  • Firepower 1000 Series
  • Firepower 2100 Series
  • Firepower 4100 Series
  • Firepower 9300 Series
  • Secure Firewall 1200 Series
  • Secure Firewall 3100 Series
  • Secure Firewall 4200 Series 

What to look for

How to tell if you're at risk

You are at risk if a Cisco device was running vulnerable software prior to the release of the versions updated to address CVE-2025-20333 and CVE-2025-20362.

How to tell if you're affected

Refer to Cisco’s advisory for instructions on finding indicators of compromise.

What to do

Prevention

Refer to Cisco’s advisory for remediation.

More information

Read more about this alert on the vendor website:

Cisco Security Advisory

If you require more information or further support, submit a report on our website:

Report an incident