US and UK Agencies Reveal Persistent Firestarter Malware on Cisco Firewalls Despite Patches

What happened

In a coordinated alert issued in April 2026, US and UK cybersecurity agencies disclosed that a persistent malware campaign, named Firestarter, had compromised Cisco firewall devices across critical government and private sector networks. The malware was discovered on a federal agency’s network and has been active since at least September 2025. Remarkably, Firestarter continued to operate undetected even after Cisco released patches addressing the initial vulnerabilities exploited by the attackers.

The campaign leveraged sophisticated techniques to maintain persistence on the firewalls, effectively hiding within the network infrastructure and evading traditional detection methods. This allowed threat actors to maintain long-term access, potentially enabling espionage, data exfiltration, or further network compromise.

Confirmed facts

• Firestarter malware was found embedded in Cisco firewall devices, specifically targeting Cisco ASA and Firepower models.
• The infection timeline dates back to at least September 2025, with ongoing activity into early 2026.
• Attackers exploited known vulnerabilities that Cisco patched months prior, but Firestarter’s design allowed it to survive patching and firmware updates.
• The US Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) jointly issued warnings and technical guidance.
• The malware enables attackers to execute remote commands, manipulate firewall configurations, and potentially pivot to internal networks.
• Investigations revealed that the attackers used stealthy techniques, including rootkit-like functionality, to avoid detection.

Who is affected

• US federal agencies and departments operating Cisco firewall infrastructure have confirmed infections.
• UK government networks have reported similar compromises.
• Private sector organizations using Cisco ASA and Firepower firewalls are at risk, particularly those who applied patches but did not perform comprehensive threat hunting or forensic analysis.
• Network administrators and security teams relying solely on patching without additional incident response measures may have missed persistent infections.

What to do now

1. Immediate Incident Response: Organizations should conduct thorough forensic examinations of all Cisco firewall devices, focusing on unusual configurations, unauthorized remote access, and anomalous network traffic.
2. Apply Latest Patches and Firmware Updates: Ensure all Cisco devices are updated with the latest security patches and firmware versions released after the Firestarter discovery.
3. Deploy Enhanced Monitoring: Implement advanced network monitoring tools capable of detecting rootkit-like behavior and unauthorized command executions on firewalls.
4. Engage Cybersecurity Experts: Consider third-party threat hunting services specializing in persistent malware detection and remediation.
5. Review Access Controls: Audit and tighten firewall administrative access, enforcing multi-factor authentication (MFA) and least-privilege principles.
6. Inform Stakeholders: Notify relevant internal and external stakeholders, including regulatory bodies if sensitive data or critical infrastructure is involved.

How to secure yourself

• For Network Administrators: Beyond patching, perform regular integrity checks of firewall firmware and configurations. Utilize Cisco’s security advisories and tools designed to detect Firestarter indicators of compromise.
• Implement Zero Trust Principles: Limit lateral movement by segmenting networks and enforcing strict access controls.
• Regularly Update Incident Response Plans: Incorporate lessons learned from Firestarter to prepare for stealthy, persistent threats.
• Employee Training: Educate IT staff on recognizing signs of advanced persistent threats (APTs) and the importance of layered security.
• Backup Configurations: Maintain secure, offline backups of firewall configurations to facilitate rapid restoration if compromise is detected.

2026 update

Since the initial discovery in early 2026, Cisco has released multiple firmware updates addressing the Firestarter vulnerabilities and improving detection capabilities. CISA and NCSC have expanded their guidance, recommending continuous threat hunting and the adoption of behavioral analytics tools.

Notably, several private sector organizations have reported successful eradication of Firestarter infections after comprehensive remediation efforts. However, the incident has underscored the limitations of patching alone as a defense strategy, prompting a shift towards proactive detection and response frameworks.

FAQ

What is Firestarter malware?

Firestarter is a sophisticated malware strain targeting Cisco ASA and Firepower firewalls, designed to persist on devices even after patches are applied, enabling attackers to maintain covert access.

How did Firestarter evade detection after patches?

Firestarter uses rootkit-like techniques to embed itself deeply within firewall firmware, allowing it to survive updates and avoid triggering traditional security alerts.

Am I affected if I have patched my Cisco firewall?

Patching is critical but not sufficient alone. If you only applied patches without conducting thorough forensic analysis or threat hunting, your devices could still be compromised.

What immediate steps should organizations take?

Conduct detailed forensic investigations, apply all latest patches, enhance monitoring, restrict access, and engage cybersecurity experts for remediation.

Can Firestarter lead to data breaches?

Yes, persistent access to firewalls can allow attackers to manipulate traffic, exfiltrate sensitive data, or move laterally into internal networks.

Has Cisco provided tools to detect Firestarter?

Cisco has released detection tools and updated firmware to help identify and remove Firestarter, alongside detailed advisories.

How can I prevent similar attacks in the future?

Adopt a layered security approach including zero trust, continuous monitoring, regular incident response drills, and employee training.

Is Firestarter linked to any known threat actor?

While specific attribution remains confidential, the sophistication suggests a state-sponsored or highly organized threat actor.

What industries are most at risk?

Government agencies, critical infrastructure, and private organizations relying heavily on Cisco firewall technology are most vulnerable.

Should individuals be concerned about Firestarter?

Firestarter targets enterprise-grade firewall devices, so individual users are unlikely to be directly affected but should remain vigilant about network security.

Why this matters

The Firestarter incident exemplifies the evolving threat landscape where attackers exploit not only software vulnerabilities but also the limitations of traditional patch management. Persistent malware on critical network infrastructure like firewalls can silently undermine organizational security, enabling espionage, data theft, and operational disruption.

This campaign highlights the necessity of comprehensive cybersecurity strategies that combine timely patching with proactive detection, incident response, and continuous monitoring. For organizations managing sensitive data or critical services, understanding and mitigating such threats is essential to maintaining trust and operational resilience.

Sources and corroboration

This article synthesizes information from multiple corroborating sources, including official alerts from the US Cybersecurity and Infrastructure Security Agency (CISA), the UK National Cyber Security Centre (NCSC), and investigative reporting by CyberScoop. The primary technical details and timeline are drawn from the April 23, 2026 CyberScoop report titled "US, UK agencies warn hackers were hiding on Cisco firewalls long after patches were applied" (https://cyberscoop.com/cisco-firestarter-malware-cisa-warning/).

Additional insights come from Cisco’s security advisories and public statements regarding firmware updates and detection tools related to the Firestarter malware campaign.