A recently discovered backdoor, known as Firestarter, can persist on Cisco firewalls even after vulnerabilities are patched, allowing attackers to maintain access without re-exploiting the initial holes. Devices running Cisco ASA or Firepower software, including certain Firepower and Secure Firewall devices, are at risk. The backdoor exploits unpatched vulnerabilities to gain persistence, and a cold start is required to clear the malware from infected devices. The US Cybersecurity and Infrastructure Security Agency has confirmed a successful implant of Firestarter in the wild on a device. This persistence mechanism enables attackers to continue accessing compromised devices, posing a significant security risk [1]. The discovery of Firestarter highlights the importance of proactive security measures, including regular system restarts and thorough vulnerability assessments, to prevent and detect such sophisticated threats, making it crucial for practitioners to take immediate action to protect their networks.
Infected Cisco firewalls need cold start to clear persistent Firestarter backdoor
⚡ High Priority
Why This Matters
At risk are devices running Cisco ASA or Firepower software, including certain Firepower and Secure Firewall devices.
References
- CSO Online. (2026, April 28). Infected Cisco firewalls need cold start to clear persistent Firestarter backdoor. CSO Online. https://www.csoonline.com/article/4163925/infected-cisco-firewalls-need-cold-start-to-clear-persistent-firestarter-backdoor.html
Original Source
CSO Online