Persistent Malware Exploits Cisco Firewall Zero-Days, Survives Updates

Source: [Firestarter malware survives Cisco firewall updates, security patches](https://www.bleepingcomputer.com/news/security/firestarter-malware-survives-cisco-firewall-updates-security-patches/) (BleepingComputer)
Published: 2026-04-25
Tags: Vulnerability Management (missing scans, no risk prioritization); Configuration Management (misconfigs, default credentials, exposed services)

The Firestarter malware survives security patches and firmware updates on Cisco firewall devices by hooking into core system processes and modifying boot files. Initial compromise came through two CVEs (CVE-2025-20333 and CVE-2025-20362) before the persistent backdoor was installed, which is why rapid patching of the entry vulnerabilities matters. Because the foothold survives standard update procedures, applying the update does not by itself remediate an already-compromised appliance: organizations relying on security appliances need detection and remediation capabilities beyond the update itself.

**Immediate actions:**
- Apply emergency patches for CVE-2025-20333 and CVE-2025-20362 on all Cisco Firepower and Secure Firewall devices
- Conduct thorough integrity checks of boot files and system processes on affected devices
- Implement additional monitoring for unusual VPN access patterns and credential extraction attempts

**Long-term improvements:**
- Establish automated vulnerability scanning and emergency patching procedures for critical network infrastructure
- Deploy network segmentation to limit lateral movement from compromised perimeter devices
- Implement file integrity monitoring on security appliances to detect unauthorized modifications

**Detection measures:**
- Monitor for anomalous process behavior and unauthorized hooks into system processes such as LINA
- Establish baseline configurations for security devices and alert on deviations
- Deploy detection capabilities able to identify malware that persists across updates, since an up-to-date software version is not evidence that a device is clean

**Framework references:**
- CIS Control 7 (Malware Defenses)
- CIS Control 11 (Data Recovery)
- NIST SP 800-53 SI-2 (Flaw Remediation)
- NIST SP 800-53 SI-7 (Software Integrity)
- NIST CSF ID.AM (Asset Management)
- NIST CSF DE.CM (Security Continuous Monitoring)
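As an added example that is not part of the original article and not Cisco's or any vendor's tooling, the following Python script shows the file-integrity baseline that the prevention and detection lists call for: hash a known-good snapshot of the files that matter (boot area, startup config, loadable objects), diff a later snapshot against it, and distinguish a vendor-published update from an unexpected change. File names, contents and the vendor hash table are constructed placeholders, not real Cisco file names and not artifacts of the malware described above.

```python
"""
Hash-based integrity baseline for files exported from a security appliance.

Snapshot a known-good state, diff a later snapshot against it, and report
added / modified / removed files. Files replaced by a legitimate update are
recognised only when their new hash matches a vendor-published checksum
supplied by the operator, never by re-reading the device itself.
"""
import hashlib
from typing import Dict, List, Mapping, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample data: hypothetical paths and contents standing in for
# files exported from an appliance. Not real vendor file names.
V1_IMAGE = b"\x7fELF-known-good-image-v1"
V2_IMAGE = b"\x7fELF-vendor-image-v2"

KNOWN_GOOD: Dict[str, bytes] = {
    "boot/startup.cfg": b"boot system disk0:/image.bin\n",
    "boot/image.bin": V1_IMAGE,
    "lib/core.so": b"known-good-shared-object",
}

# Snapshot after a legitimate firmware update: only the image changed.
POST_UPDATE_CLEAN: Dict[str, bytes] = {**KNOWN_GOOD, "boot/image.bin": V2_IMAGE}

# Snapshot after the same update, but the startup config gained an extra
# line and a new loadable object appeared alongside it.
POST_UPDATE_TAMPERED: Dict[str, bytes] = {
    **POST_UPDATE_CLEAN,
    "boot/startup.cfg": b"boot system disk0:/image.bin\nload lib/extra.so\n",
    "lib/extra.so": b"unexpected-shared-object",
}

# Checksums the vendor published for the update (constructed here).
VENDOR_HASHES: Dict[str, str] = {"boot/image.bin": sha256_hex(V2_IMAGE)}


def build_baseline(files: Mapping[str, bytes]) -> Dict[str, str]:
    """Map each path to the SHA-256 of its contents."""
    return {path: sha256_hex(content) for path, content in files.items()}


def compare_to_baseline(baseline: Mapping[str, str],
                        current_files: Mapping[str, bytes],
                        vendor_hashes: Optional[Mapping[str, str]] = None,
                        ) -> Dict[str, List[str]]:
    """Diff a fresh snapshot against a stored baseline.

    A changed or new file whose hash equals the vendor-published checksum is
    reported as 'updated'; every other change is 'added', 'modified' or
    'removed'. Lists are sorted by path.
    """
    vendor_hashes = vendor_hashes or {}
    current = build_baseline(current_files)
    added: List[str] = []
    modified: List[str] = []
    removed: List[str] = []
    updated: List[str] = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            removed.append(path)
        elif path not in baseline:
            (updated if vendor_hashes.get(path) == current[path] else added).append(path)
        elif current[path] == baseline[path]:
            continue
        elif vendor_hashes.get(path) == current[path]:
            updated.append(path)
        else:
            modified.append(path)
    return {"added": added, "modified": modified, "removed": removed, "updated": updated}


def is_clean(diff: Mapping[str, List[str]]) -> bool:
    """True only when nothing was added, changed or removed (vendor updates are fine)."""
    return not (diff["added"] or diff["modified"] or diff["removed"])


def format_report(diff: Mapping[str, List[str]]) -> str:
    """One line per finding, or a single OK line when the snapshot is clean."""
    if is_clean(diff):
        return "OK: snapshot matches baseline"
    return "\n".join(f"ALERT {kind}: {path}"
                     for kind in ("added", "modified", "removed")
                     for path in diff[kind])


if __name__ == "__main__":
    baseline = build_baseline(KNOWN_GOOD)
    print(format_report(compare_to_baseline(baseline, POST_UPDATE_CLEAN, VENDOR_HASHES)))
    print(format_report(compare_to_baseline(baseline, POST_UPDATE_TAMPERED, VENDOR_HASHES)))
```

Two caveats follow from the page's own point that the implant survives updates. The baseline must come from a state you actually trust, such as a fresh install from a vendor-verified image; re-taking it from a device that may already be compromised simply bakes the modification into the "known good" set. And after a legitimate update, the new hashes should come from the vendor's published checksums, not from the updated device, because a device that was backdoored before the update is still backdoored afterwards. Where possible, export the files and hash them off-box, since tooling run on a compromised appliance can be made to lie.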