
AA26-113A
Joint CISA-NCSC advisory disclosing FIRESTARTER implant and recommending hard power-cycle eviction of Cisco devices.
Last refreshed: 30 April 2026
- What does CISA advisory AA26-113A tell me to do with my Cisco firewall?
- AA26-113A requires operators to treat every Cisco ASA and Firepower device that was online during the September 2025 patch window as potentially compromised. Remediation is a hard power cycle (physical plug-pull and cold start); neither a software patch nor a software reload evicts the implant. CISA also advises capturing a memory snapshot before shutdown so the pre-eviction state can be compared forensically with the state after the cold start.Source: CISA AR26-113A
- Why did CISA and NCSC issue a joint advisory on FIRESTARTER?
- CISA and NCSC co-authored AA26-113A because FIRESTARTER was deployed by a government-backed actor and poses a threat to both US federal agencies and UK critical infrastructure operators. NCSC's co-signature brings the advisory within the UK's enforceable cybersecurity guidance baseline.Source: CISA/NCSC advisory AA26-113A
- How is advisory AA26-113A different from the 2024 ArcaneDoor advisory?
- The ArcaneDoor advisory disclosed volatile-memory Cisco implants that a standard reboot could clear. AA26-113A discloses boot-sequence-persistent implants that survive every reboot and patch, and it is the first such advisory to confirm that a federal agency remained compromised for six months after patching. That is a materially deeper level of technical disclosure than ArcaneDoor provided.Source: CISA/NCSC advisory AA26-113A
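The remediation rule above turns on two facts about each appliance: whether it was exposed during the patch window, and whether it has had a true cold start since the patch was applied. The following fleet-triage script is an added example, not code from the advisory or from CISA/NCSC; the window bounds, the `Device` fields and the inventory records are constructed assumptions for illustration. It encodes the advisory's point that a software reload does not count as eviction, and it additionally treats a cold start performed before the patch as insufficient, since such a device remained exploitable afterwards.

```python
"""Fleet triage for AA26-113A exposure: patch state alone does not clear a device."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# The advisory refers to the September 2025 patch window. The exact bounds used
# here are an assumption for this example, not values taken from the advisory.
WINDOW_START = date(2025, 9, 1)
WINDOW_END = date(2025, 9, 30)


@dataclass
class Device:
    hostname: str
    first_online: date                 # first date the appliance was reachable
    last_offline: Optional[date]       # None if still online
    patched_on: Optional[date]         # date the September 2025 fix was applied, None if unpatched
    last_cold_start: Optional[date]    # last confirmed physical power cycle
    last_warm_reload: Optional[date]   # last software reload; does NOT count as eviction


def was_exposed(d: Device) -> bool:
    """True if the device was online at any point during the exposure window."""
    end = d.last_offline or date.max
    return d.first_online <= WINDOW_END and end >= WINDOW_START


def triage(d: Device) -> str:
    """Classify one device according to the advisory's eviction requirement."""
    if not was_exposed(d):
        return "not_exposed"
    if d.patched_on is None:
        return "unpatched_and_exposed"
    # Eviction requires a cold start performed after the patch. A cold start before
    # patching left the device re-exploitable, and a warm reload never evicts the implant.
    if d.last_cold_start is not None and d.last_cold_start >= d.patched_on:
        return "remediated_pending_ioc_check"
    return "patched_but_needs_power_cycle"


def triage_fleet(devices: List[Device]) -> Dict[str, str]:
    return {d.hostname: triage(d) for d in devices}


# Constructed inventory for the example (hostnames and dates are invented).
FLEET = [
    Device("asa-edge-01", date(2024, 3, 1), None, date(2025, 9, 26), date(2025, 10, 2), None),
    Device("asa-edge-02", date(2024, 3, 1), None, date(2025, 9, 26), None, date(2025, 9, 26)),
    Device("asa-edge-04", date(2024, 3, 1), None, date(2025, 9, 26), date(2025, 9, 20), None),
    Device("ftd-dc-01", date(2025, 11, 15), None, date(2025, 11, 15), None, None),
    Device("asa-lab-03", date(2024, 1, 1), None, None, date(2025, 8, 1), None),
]

if __name__ == "__main__":
    for host, status in triage_fleet(FLEET).items():
        print(f"{host}: {status}")
```

Only `remediated_pending_ioc_check` devices have satisfied the power-cycle requirement, and even those still need the post-cold-start IOC check before being declared clean; a patch-compliance dashboard that reports `asa-edge-02` as "patched" says nothing about whether the implant is still running.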
Background
AA26-113A is the joint advisory published by CISA and the UK National Cyber Security Centre on 24 April 2026 disclosing the FIRESTARTER persistent implant on Cisco ASA and Firepower Threat Defense appliances, deployed by the government-backed actor UAT-4356. It is the first co-publication by CISA and NCSC to name specific IOCs for a boot-sequence-persistent Cisco edge-device implant, going beyond the 2024 ArcaneDoor disclosures, which did not reach comparable technical depth.
The advisory documents the full kill chain: initial access via CVE-2025-20333 (CVSS 9.9) chained with CVE-2025-20362; persistence through boot-sequence hooks that survive all patches and firmware updates; activation via magic-packet WebVPN primitives; and a companion implant, Line Viper, that establishes VPN sessions. Remediation guidance states that only a hard power cycle evicts FIRESTARTER. The advisory also confirms that one unnamed US federal agency applied the September 2025 patches and remained compromised until March 2026, a six-month dwell showing that patch SLA compliance does not confirm device cleanliness. Because the implant persists across both patching and reboot, an exposed device can be declared clean only after a cold start followed by a check for the published IOCs, which include the malicious process lina_cs and associated files.
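Since the page's remediation path is cold start plus forensic comparison, the natural check is to diff a process inventory captured before shutdown against one captured after the power cycle and look for the named IOC process. The script below is an added example, not code from the advisory or from Cisco; the process listings are constructed, and their two-column layout (PID, then name) is an assumption for this example rather than real ASA/FTD `show processes` output. Only `lina_cs` is treated as an IOC because it is the only process name this page gives.

```python
"""Compare a pre-shutdown process inventory with a post-cold-start one for the lina_cs IOC."""
import re
from typing import Dict, List, Set

# Process names the advisory lists as indicators; only lina_cs is named on this page.
IOC_PROCESSES: Set[str] = {"lina_cs"}

# Constructed listings for the example. The format is assumed, not real appliance output.
PRE_SHUTDOWN = """\
PID   Name
1     init
212   lina
340   lina_cs
355   snmpd
"""

POST_COLD_START = """\
PID   Name
1     init
214   lina
351   snmpd
"""

# One PID followed by one process name per line; the header row does not match.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_listing(text: str) -> Dict[int, str]:
    """Return {pid: name}, skipping the header and any line that does not parse."""
    procs: Dict[int, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            procs[int(m.group(1))] = m.group(2)
    return procs


def ioc_hits(procs: Dict[int, str]) -> List[str]:
    """Names in the inventory that match a published IOC process name."""
    return sorted(name for name in procs.values() if name in IOC_PROCESSES)


def compare(pre: str, post: str) -> dict:
    """Diff the two inventories and report whether the IOC process was evicted."""
    before, after = parse_listing(pre), parse_listing(post)
    before_names, after_names = set(before.values()), set(after.values())
    hits_before, hits_after = ioc_hits(before), ioc_hits(after)
    return {
        "ioc_before": hits_before,
        "ioc_after": hits_after,
        # True only if the IOC was present before and is gone after the cold start.
        "evicted": bool(hits_before) and not hits_after,
        "disappeared": sorted(before_names - after_names),
        "appeared": sorted(after_names - before_names),
    }


if __name__ == "__main__":
    report = compare(PRE_SHUTDOWN, POST_COLD_START)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A result with `ioc_after` non-empty after a confirmed cold start means the eviction failed and the device should be escalated rather than returned to service. Name matching is only the first pass: an implant process can be renamed, which is why the advisory's pre-shutdown memory snapshot matters for a deeper comparison than a process table allows.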
AA26-113A sets a disclosure precedent: CISA and NCSC are prepared to publish joint technical advisories naming specific CVE chains even where the vendor (Cisco) declines formal nation-state attribution. For UK organisations under the Cyber Security and Resilience Bill baseline, the advisory's remediation guidance now sits within the enforceable NCSC guidance baseline that the ICO treats as the relevant technical standard for GDPR purposes.
AA26-113A is a joint cybersecurity advisory published by the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) on 24 April 2026. It discloses the FIRESTARTER persistent implant found on Cisco ASA and Firepower Threat Defense appliances and attributes the campaign to the government-backed threat actor UAT-4356. In its effect on US federal agencies and UK CNI operators the advisory functions as regulatory guidance, although it is a government advisory document rather than statute.