CISA Alert: FIRESTARTER Rootkit Survives Patching on Cisco Firepower
Hey everyone, just caught the CISA release regarding the FIRESTARTER malware targeting a federal agency's Cisco Firepower setup. It’s concerning that the compromise dates back to September 2025, but what really stands out is the persistence mechanism. The assessment indicates this backdoor can survive standard security patches and upgrades.
It appears the threat actors are leveraging the underlying Linux environment (FXOS) rather than just the ASA logic itself. This suggests the implant is hooking into the boot process or residing in a persistent data partition that survives the ASA image re-deployment.
If you are managing these devices, I recommend checking for anomalous processes or hidden files on the management plane. Here is a quick snippet to help audit running processes that aren't signed or standard:
    #!/bin/bash
    # Check for processes whose executable lives outside the usual system paths.
    # Kernel threads have no /proc/<pid>/exe target and are skipped by the -n test.
    # Note: the "*/bin*" pattern also matches /usr/bin and /usr/sbin, and a binary
    # that was removed after launch shows up with " (deleted)" appended, which is
    # itself worth a closer look.
    for pid in $(ps -eo pid=); do
        cmd=$(readlink "/proc/$pid/exe" 2>/dev/null)
        if [[ -n "$cmd" && "$cmd" != *"/usr/local"* && "$cmd" != *"/bin"* && "$cmd" != *"/sbin"* ]]; then
            echo "PID: $pid | CMD: $cmd"
        fi
    done
Has anyone else encountered similar persistence mechanisms on edge appliances? Are we looking at a full factory reset requirement to trust these boxes again?
Good catch on the FXOS angle. We saw a similar TTP with a different APT last year targeting load balancers. They weren't just patching the OS; they were dropping a persistent cron job in the underlying Linux host. I'd also suggest checking last and wtmp logs for any logins that don't correlate with your change management tickets.
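One way to do the login-versus-change-ticket correlation suggested in the reply above, as an added example that is not part of the original thread: it parses `last -F` style records (the full-timestamp form, so the year is present), then flags any login whose start time falls inside no approved change window. The sample output, the host addresses and the ticket IDs are constructed for the example, not taken from any real appliance.

```python
import re
from datetime import datetime

# Constructed sample of `last -F` output; not real appliance data.
SAMPLE_LAST_F = """\
admin    pts/0        10.0.5.12        Tue Sep  9 02:14:07 2025 - Tue Sep  9 02:40:11 2025  (00:26)
admin    pts/0        10.0.5.12        Mon Sep 15 09:05:30 2025 - Mon Sep 15 09:50:02 2025  (00:44)
svcops   pts/1        198.51.100.23    Sat Sep 20 03:11:45 2025 - Sat Sep 20 03:12:40 2025  (00:00)
reboot   system boot  kernel-version   Mon Sep 15 09:00:00 2025 - still running

wtmp begins Mon Sep  1 00:00:00 2025
"""

# Constructed approved maintenance windows: (ticket, start, end).
CHANGE_WINDOWS = [
    ("CHG-1042", datetime(2025, 9, 9, 2, 0), datetime(2025, 9, 9, 3, 0)),
    ("CHG-1057", datetime(2025, 9, 15, 9, 0), datetime(2025, 9, 15, 11, 0)),
]

# user, tty, host, then the session start stamp as printed by `last -F`.
# Console logins print an empty host column; widen the regex if you need those.
LAST_F_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<start>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})"
)


def parse_last_f(text):
    """Parse `last -F` lines into (user, host, start_datetime) tuples.

    Reboot records and the trailing 'wtmp begins' footer are skipped, as are
    lines that do not match the expected layout.
    """
    logins = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("reboot", "wtmp begins")):
            continue
        m = LAST_F_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m.group("start").split())  # collapse last's column padding
        when = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
        logins.append((m.group("user"), m.group("host"), when))
    return logins


def uncorrelated_logins(logins, windows):
    """Return logins whose start time lies inside none of the change windows."""
    flagged = []
    for user, host, when in logins:
        if not any(start <= when <= end for _, start, end in windows):
            flagged.append((user, host, when.isoformat()))
    return flagged


def audit_sample():
    """Run the correlation over the constructed sample."""
    return uncorrelated_logins(parse_last_f(SAMPLE_LAST_F), CHANGE_WINDOWS)


if __name__ == "__main__":
    for user, host, when in audit_sample():
        print(f"UNCORRELATED login: {user} from {host} at {when}")
```

Feed it `last -F` output collected from the appliance (or from a wtmp copy pulled off the disk image) and your change calendar exported as windows; anything it prints is a login nobody scheduled. Remember that wtmp is a plain file on the host, so an implant with root can edit it; an absence of uncorrelated logins is weaker evidence than the presence of one.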
This is exactly why I hate 'smart' appliances. You patch the application logic, but the host OS remains vulnerable. The survival of the patch implies the malware is hooking the boot loader or potentially living in the BMC if present. In my lab, I'm now imaging the entire disk, not just upgrading the package, and verifying hashes against the vendor's golden master.
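The "image the whole disk and compare against the vendor golden master" approach from the reply above, as an added example that is not part of the original thread: it builds a SHA-256 manifest of every regular file under a mounted image, then diffs a suspect image against it, reporting modified, missing and unexpected files. The directory layout and file contents are constructed for the example; the manifest itself should come from media you obtained and verified from the vendor.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large firmware blobs do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every regular file under root.

    Symlinks are excluded rather than followed, so a planted link cannot
    redirect the check to a clean copy elsewhere on the disk.
    """
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_against_manifest(root, golden):
    """Diff a mounted image at root against the golden manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in golden if p in current and current[p] != golden[p]),
        "missing": sorted(p for p in golden if p not in current),
        "unexpected": sorted(p for p in current if p not in golden),
    }


def demo():
    """Constructed scenario: a golden tree, and a suspect copy with one
    altered binary and one file that the golden image never contained."""
    with tempfile.TemporaryDirectory() as tmp:
        golden_root = Path(tmp) / "golden"
        suspect_root = Path(tmp) / "suspect"
        for root in (golden_root, suspect_root):
            (root / "usr/bin").mkdir(parents=True)
            (root / "etc").mkdir()
            (root / "usr/bin/sshd").write_bytes(b"\x7fELF constructed clean binary")
            (root / "etc/crontab").write_text("# constructed vendor crontab\n")
        golden = build_manifest(golden_root)

        # Tamper with the suspect copy after the manifest was taken.
        (suspect_root / "usr/bin/sshd").write_bytes(b"\x7fELF constructed altered binary")
        (suspect_root / "etc/cron.d").mkdir()
        (suspect_root / "etc/cron.d/extra").write_text("# constructed: not in golden image\n")
        return verify_against_manifest(suspect_root, golden)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:10} {p}")
```

Run `build_manifest` once over the mounted vendor image to produce the golden list, store it off-box, and run `verify_against_manifest` over a dead-disk mount of the suspect appliance (never over the live root, where a kernel-level implant could lie about file contents). The filesystem is only part of the picture: the boot loader, any BMC firmware and other non-file regions the reply mentions are not covered by a file manifest and need the vendor's own firmware verification to be trusted.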
We don't run Firepower, but we do use a lot of ASA. This makes me nervous about the shared codebase. Does anyone know if the remote access capability allows for lateral movement directly from the firewall, or is it purely for C2 beaconing? If it touches the internal network interface, that changes the containment strategy significantly.