FIRESTARTER Backdoor Exploiting Cisco ASA and FTD Zero-Days (AL01/250926)
Summary
CSIRT-ITA has published Alert AL01/250926 reporting active exploitation of two zero-day vulnerabilities in Cisco Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) products, as part of a campaign attributed to the ArcaneDoor threat actor. CVE-2025-20333 carries a CVSS v3.1 score of 9.9 (critical) and enables arbitrary code execution with elevated privileges via crafted HTTP(S) requests, while CVE-2025-20362 (CVSS 6.5) allows unauthorized access to restricted URLs without authentication. The threat actor has modified device ROM to achieve persistence across reboots and firmware updates. Affected organizations must apply the latest patches by 26 September 2025 and reimage appliances if compromise is detected, as patching alone may not remove an existing backdoor.
Organizations with Cisco ASA or FTD deployments should treat this as an active breach scenario rather than a standard patching exercise. The April 2026 update explicitly states that vendor-provided patches may not remove an already-installed backdoor — devices showing signs of compromise must be reimaged. Asset inventories should cross-reference the support dates and version numbers in this alert to identify EOL hardware requiring immediate disconnection or accelerated replacement planning.
About this source
GovPing monitors Italy CSIRT Advisories for new data privacy & cybersecurity regulatory changes. Every update since tracking began is archived, classified, and available as free RSS or email alerts — 8 changes logged to date.
What changed
The alert documents the addition of two actively exploited Cisco zero-day vulnerabilities to CSIRT-ITA's tracking system. CVE-2025-20333 (CVSS 9.9) allows authenticated remote code execution via malformed HTTP(S) requests on ASA and FTD devices, while CVE-2025-20362 (CVSS 6.5) permits unauthorized URL access without authentication. Both vulnerabilities are being exploited by the ArcaneDoor group as part of a large-scale campaign dating to early 2024, with the threat actor establishing persistence by modifying device ROM. The alert supersedes prior Cisco security notifications and adds guidance that patching alone may be insufficient to remove an existing backdoor.

Organizations running Cisco ASA, FTD, IOS, IOS XE, or IOS XR software should immediately identify affected versions per vendor bulletins and apply patches by the specified deadlines. For ASA hardware with ended support (before 30 September 2025), devices must be disconnected or, if operationally critical, patched and scheduled for decommissioning. If indicators of compromise are present, full reimaging of the appliance is required — patching will not eradicate the FIRESTARTER backdoor once resident in ROM.
What to do next
- Apply latest patches following vendor security bulletins
- Apply latest updates by 26 September 2025 for ASA hardware with end-of-support on 31 August 2026
- Reimage the appliance if evidence of compromise is found, as patching alone may not remove an existing backdoor
About this page
Source document text, dates, docket IDs, and authority are extracted directly from CSIRT-ITA.
The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.