Cisco
Organisation · US

US networking and cybersecurity giant; manufacturer of ASA and Firepower firewall appliances exploited by UAT-4356.

Last refreshed: 30 April 2026 · Appears in 1 active topic

Key Question

How did attackers persist inside Cisco firewalls for six months after patches were issued?

Timeline for Cisco

#228 Apr
#224 Apr

Acknowledged UAT-4356 as government-backed while declining formal nation-state attribution

Cybersecurity: Threats and Defences: FIRESTARTER implant survives every Cisco firewall patch
#224 Apr
#220 Apr
Common Questions
How does the FIRESTARTER implant survive Cisco firewall patches?
FIRESTARTER embeds itself in the Cisco ASA and Firepower boot sequence via startup-configuration manipulation, backing itself up before any shutdown. Ordinary patch or firmware updates do not touch the boot record where FIRESTARTER lives. The only confirmed removal method is a hard power cycle (a physical plug-pull), which clears the volatile memory structures the implant relies on.
Source: CISA/NCSC AA26-113A
Which Cisco products are affected by the April 2026 CISA emergency deadline?
Three vulnerabilities in Cisco Catalyst SD-WAN Manager were added to the CISA Known Exploited Vulnerabilities catalogue on 20 April 2026 with a three-day remediation deadline: CVE-2026-20122 (API privilege escalation), CVE-2026-20133 (sensitive information exposure), and CVE-2026-20128 (password storage weakness).
Source: CISA KEV catalogue
What is Cisco Talos and what role did it play in the FIRESTARTER discovery?
Cisco Talos is Cisco's in-house threat-intelligence research team, one of the largest commercial threat-intel operations globally. Talos tracked the UAT-4356 threat actor and contributed attribution analysis to the FIRESTARTER joint advisory, having previously investigated the same actor's 2024 ArcaneDoor campaign against Cisco network devices.
Source: Cisco Talos / CISA AA26-113A
Is Cisco being held responsible for the FIRESTARTER backdoor vulnerabilities?
Cisco patched the two initial-access vulnerabilities (CVE-2025-20333 and CVE-2025-20362) in September 2025 and co-operated with CISA and NCSC on the disclosure. The company is positioned as a victim and responder rather than as a liable party, though critics note that the CVSS 9.9 severity and six-month post-patch persistence raise questions about the detection tooling provided to customers.
Source: CISA/NCSC AA26-113A

Background

Cisco Systems is the world's dominant enterprise networking vendor, founded in 1984 in San Jose, California, and listed on the Nasdaq as CSCO. With $56.65 billion in revenue for fiscal 2025 and around 86,200 employees, the company designs and manufactures hardware, software, and services across four principal areas: networking (Catalyst switches, Nexus data-centre platforms, routers), security (ASA firewalls, Firepower Threat Defense, OpenDNS), collaboration (Webex), and observability (AppDynamics). Its in-house threat-intelligence arm, Cisco Talos, is one of the largest commercial threat-research teams in the industry, tracking advanced persistent threat actors and disclosing vulnerabilities across vendor ecosystems.

Cisco's products form the backbone of enterprise and government networks worldwide, making the company both a critical infrastructure dependency and a high-value target. The firm regularly co-operates with US and allied governments on vulnerability disclosure and incident response.

Cisco is simultaneously victim and responder in the April 2026 FIRESTARTER disclosures. Its ASA and Firepower Threat Defense (FTD) appliances — standard-issue perimeter security devices in government, telco, and critical infrastructure — were compromised by the government-backed actor UAT-4356, which exploited CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362 to plant the FIRESTARTER boot-sequence implant. Cisco patched both CVEs in September 2025, yet one confirmed federal agency remained compromised until at least March 2026, six months post-patch.

Concurrently, CISA added three vulnerabilities in Cisco's Catalyst SD-WAN Manager platform to the Known Exploited Vulnerabilities catalogue on 20 April 2026 with an emergency three-day remediation deadline; this is a separate attack surface, targeted by a different adversary profile. Cisco acknowledged UAT-4356 as a government-backed group but declined to make a formal nation-state attribution.

Source Material