CISCO-SA-ASAFTD-PERSIST-CISAED25-03

Vulnerability from csaf_cisco - Published: 2026-04-23 15:00 - Updated: 2026-04-24 13:37
Summary
Continued Evolution of Persistence Mechanism Against Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense
Notes
Summary: On April 23, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an update to V1: Emergency Directive (ED) 25-03: Identify and Mitigate Potential Compromise of Cisco Devices ["https://cisa.gov/news-events/directives/v1-ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices"] related to Cisco Secure Firewall Adaptive Security Appliance (ASA) and Cisco Secure Firewall Threat Defense (FTD) products.

According to the update, the ArcaneDoor threat actor has developed a previously unknown persistence mechanism that is preserved across an upgrade to the fixed releases that were published in September 2025. This persistence mechanism resides in the Cisco Firepower eXtensible Operating System (FXOS) Software base operating system for Cisco Secure Firewall ASA Software and Cisco Secure FTD Software installations on the affected hardware platforms. In practice this means a device that was compromised before the September 2025 upgrade remains compromised after it: the upgrade alone does not evict the implant.

Note: According to the intelligence Cisco PSIRT has received to date, the initial compromise begins with the attacker exploiting the following vulnerabilities before customers upgraded to the fixed releases that were made available in September 2025:

  CVE-2025-20333: Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Remote Code Execution Vulnerability ["https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB"]
  CVE-2025-20362: Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Unauthorized Access Vulnerability ["https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-YROOTUW"]

For more information about the fixed releases that were made available in September 2025, see Cisco Event Response: Continued Attacks Against Cisco Firewalls ["https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks"].
Affected Products: The following Cisco Secure Firewall ASA and Cisco Secure FTD platforms are affected by this issue, regardless of the device configuration:

  Firepower 1000 Series
  Firepower 2100 Series
  Firepower 4100 Series
  Firepower 9300 Series
  Secure Firewall 1200 Series
  Secure Firewall 3100 Series
  Secure Firewall 4200 Series

The following Cisco Secure Firewall ASA and Cisco Secure FTD platforms are not affected by this issue:

  ASA 5500-X Series
  Secure Firewall 200 Series [1]
  Secure Firewall 6100 Series [1]
  Secure Firewall ASA Virtual
  Secure Firewall ISA3000
  Secure Firewall Threat Defense Virtual

[1] Cisco Secure Firewall 200 and 6100 Series are only supported by Cisco Secure FTD Software releases 10.0.0 and later. The 10.0.0 software releases include the fixes for the vulnerabilities disclosed in September 2025.

The split follows from the Summary: the persistence mechanism lives in the FXOS base operating system that the listed hardware platforms run underneath ASA or FTD, which is why the affected list is defined by hardware platform rather than by configuration or feature set.
Details: For additional details, see the Cisco Talos blog UAT-4356's Targeting of Cisco Firepower Devices ["https://blog.talosintelligence.com/uat-4356-firestarter/"].
Indicators of Compromise: The newly discovered persistent implant is known to start a malicious process called lina_cs. To check for the presence of this process, run show kernel process | include lina_cs on the device. If the command returns any output, as in the following examples, the device is considered compromised:

Cisco Secure Firewall ASA

    asa# show kernel process | include lina_cs
    68081 29428  20   0      249856      100        1    S     3     0    0 lina_cs

Cisco Secure FTD

    > show kernel process | include lina_cs
    68081 29428  20   0      249856      100        1    S     3     0    0 lina_cs

Note: The lina_cs process name could change depending on the specific design of the implant, so the indicator of compromise (IOC) in this section may not conclusively identify the persistent implant. A match is sufficient to treat the device as compromised; an empty result is not proof that the device is clean. For information about mitigations, see the Workarounds ["#workarounds"] section of this advisory.
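The following Python is an added example, not part of the Cisco advisory: it parses captured show kernel process output from several devices and applies the lina_cs indicator the way the on-device include filter does (substring match on the command column), returning a verdict per host. The sample output is constructed for the example; only the lina_cs row is the advisory's, and the column header and the other rows are invented. The IOC_PROCESS_NAMES tuple, the assess/assess_fleet names and the verdict strings are this example's own assumptions; collecting the output over SSH or console is outside the example.

```python
"""Apply the advisory's lina_cs indicator to captured `show kernel process`
output from Cisco Secure Firewall ASA / FTD devices.

Only the first (PID) and last (COMMAND) columns are relied on, so the exact
column layout of the real command does not matter to the parser.
"""
from typing import Dict, Iterable, List, Tuple

# Process name named in the advisory. The advisory warns the name may change
# with the implant's design, so this is the place to add names from later
# intelligence; absence of a match is NOT proof that a device is clean.
IOC_PROCESS_NAMES = ("lina_cs",)

# Constructed sample: the lina_cs row mirrors the advisory's example, the
# header, the prompt lines and the other rows are invented for illustration.
SAMPLE_COMPROMISED = """\
asa# show kernel process
  PID  PPID PR  NI      VIRT     RES    SHR S  %CPU %MEM TIME COMMAND
    1     0 20   0     21536    2232   2096 S     0    0    0 init
 2930     1 20   0   4318548 2093520 154284 S    12   26  112 lina
68081 29428  20   0      249856      100        1    S     3     0    0 lina_cs
asa#
"""

# Constructed sample of the filtered form returning nothing (FTD prompt).
SAMPLE_NO_INDICATOR = """\
> show kernel process | include lina_cs
>
"""


def parse_kernel_processes(output: str) -> List[Tuple[int, str]]:
    """Return (pid, command) pairs from `show kernel process` output.

    Prompt lines, the header and blank lines (first token not numeric) are
    skipped rather than treated as errors, so the captured `asa#` and `>`
    prompts do not need to be stripped first.
    """
    procs: List[Tuple[int, str]] = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 2 or not fields[0].isdigit():
            continue
        procs.append((int(fields[0]), fields[-1]))
    return procs


def find_ioc_processes(output: str,
                       names: Iterable[str] = IOC_PROCESS_NAMES) -> List[Tuple[int, str]]:
    """Return processes whose command column contains one of the IOC names.

    Substring matching is deliberate: it is what `| include lina_cs` does on
    the device, so a suffixed variant such as lina_cs2 is still caught, while
    a genuinely different name would not be (the caveat the advisory states).
    """
    names = tuple(names)
    return [(pid, cmd) for pid, cmd in parse_kernel_processes(output)
            if any(n in cmd for n in names)]


def assess(output: str) -> str:
    """Map one device's output to an advisory-aligned verdict.

    'indicator_present' is the advisory's 'considered compromised' condition;
    'no_indicator' intentionally does not claim the device is clean.
    """
    return "indicator_present" if find_ioc_processes(output) else "no_indicator"


def assess_fleet(outputs: Dict[str, str]) -> Dict[str, str]:
    """Apply assess() to {hostname: captured output} for a whole estate."""
    return {host: assess(text) for host, text in outputs.items()}


if __name__ == "__main__":
    report = assess_fleet({"fw-edge-1": SAMPLE_COMPROMISED,
                           "fw-edge-2": SAMPLE_NO_INDICATOR})
    for host, verdict in report.items():
        hits = find_ioc_processes({"fw-edge-1": SAMPLE_COMPROMISED,
                                   "fw-edge-2": SAMPLE_NO_INDICATOR}[host])
        print(f"{host}: {verdict} {hits}")
```

Feed assess_fleet the raw text captured from each device's CLI (ASA at the enable prompt, FTD at the > prompt). Any host reporting indicator_present should go straight to the Workarounds section; hosts reporting no_indicator still need the fixed-release check and, where the September 2025 vulnerabilities were exposed before patching, the same scrutiny the advisory asks for.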
Workarounds: To fully remove the persistence mechanism, Cisco strongly recommends reimaging and upgrading the device using the fixed releases that are listed in the Fixed Software ["#fs"] section of this advisory. For more information, see the reimaging documentation for the specific product:

  Cisco Secure Firewall ASA and Threat Defense Reimage Guide ["https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/reimage/asa-ftd-reimage.html"]
  Perform a Complete Reimage for FXOS in Firepower 4100 and 9300 Series ["https://www.cisco.com/c/en/us/support/docs/security/firepower-9300-series/220603-perform-a-complete-reimage-for-fxos-in-f.html"]
  Reimage a Secure FTD for 1000, 2100, and 3100 Series ["https://www.cisco.com/c/en/us/support/docs/security/firepower-1000-series/220642-reimage-a-secure-firewall-threat-defense.html"]

In cases of confirmed compromise on any Cisco Secure ASA or FTD platform, all configuration elements of the device should be considered untrusted. Cisco recommends that all configurations, especially local passwords, certificates, and keys, be reconfigured and that all certificates and keys be regenerated.

Alternative Mitigation (not recommended): The following action can mitigate this issue until reimaging can be performed. A cold restart will remove the malicious persistent implant. The shutdown, reboot, and reload CLI commands will not clear it; the power cord must be unplugged and plugged back into the device. This is a stopgap only: the device must still be reimaged and upgraded to a fixed release, and its configuration, passwords, certificates, and keys remain untrusted until they are replaced.

Important: Disconnecting device power can risk database or disk corruption, and devices might not boot or run as expected. For this reason, Cisco strongly recommends reimaging the device instead if a compromise is suspected.
Fixed Software: In the following tables, the left column lists Cisco software trains. The right column indicates the first fixed release for each software train. If a device is confirmed compromised, as outlined in the Indicators of Compromise ["#ioc"] section of this advisory, the device should be reimaged and upgraded using one of the following fixed releases.

Cisco Secure Firewall ASA Software

  Code Train   First Fixed Release
  9.16         9.16.4.92
  9.18         9.18.4.135
  9.20         9.20.4.30
  9.22         9.22.3.5
  9.23         9.23.1.195
  9.24         9.24.1.155

Cisco Secure FTD Software

  Code Train   First Fixed Release
  7.0          7.0.9 followed by Hotfix FZ-7.0.9.1-3:
                 Cisco_FTD_Hotfix_FZ-7.0.9.1-3.sh.REL.tar
                 Cisco_FTD_SSP_FP1K_Hotfix_FZ-7.0.9.1-3.sh.REL.tar
                 Cisco_FTD_SSP_FP2K_Hotfix_FZ-7.0.9.1-3.sh.REL.tar
                 Cisco_FTD_SSP_Hotfix_FZ-7.0.9.1-3.sh.REL.tar
  7.2          7.2.11 followed by Hotfix HI-7.2.11.1-1:
                 Cisco_FTD_Hotfix_HI-7.2.11.1-1.sh.REL.tar
                 Cisco_FTD_SSP_FP1K_Hotfix_HI-7.2.11.1-1.sh.REL.tar
                 Cisco_FTD_SSP_FP2K_Hotfix_HI-7.2.11.1-1.sh.REL.tar
                 Cisco_FTD_SSP_FP3K_Hotfix_HI-7.2.11.1-1.sh.REL.tar
                 Cisco_FTD_SSP_Hotfix_HI-7.2.11.1-1.sh.REL.tar
  7.4          7.4.7
  7.6          7.6.4 followed by Hotfix CC-7.6.4.1-1:
                 Cisco_FTD_Hotfix_CC-7.6.4.1-1.sh.REL.tar
                 Cisco_FTD_SSP_FP1K_Hotfix_CC-7.6.4.1-1.sh.REL.tar
                 Cisco_FTD_SSP_FP3K_Hotfix_CC-7.6.4.1-1.sh.REL.tar
                 Cisco_FTD_SSP_Hotfix_CC-7.6.4.1-1.sh.REL.tar
                 Cisco_Secure_FW_TD_4200_Hotfix_CC-7.6.4.1-1.sh.REL.tar
  7.7          7.7.11 followed by Hotfix AE-7.7.11.1-4:
                 Cisco_FTD_Hotfix_AE-7.7.11.1-4.sh.REL.tar
                 Cisco_FTD_SSP_FP1K_Hotfix_AE-7.7.11.1-4.sh.REL.tar
                 Cisco_FTD_SSP_FP3K_Hotfix_AE-7.7.11.1-4.sh.REL.tar
                 Cisco_FTD_SSP_Hotfix_AE-7.7.11.1-4.sh.REL.tar
                 Cisco_Secure_FW_TD_4200_Hotfix_AE-7.7.11.1-4.sh.REL.tar
  10.0         10.0.0 followed by Hot Fix (target 4/30/2026)

Where a hotfix is listed, the base release alone is not the fixed level; both the release and its hotfix must be installed. For details about downloading and installing these hot fixes, see Cisco Secure Firewall Threat Defense/Firepower Hotfix Release Notes ["https://www.cisco.com/c/en/us/td/docs/security/firepower/hotfix/Firepower_Hotfix_Release_Notes/about-firepower-hotfixes.html"].

Cisco Firepower 4100 and 9300 Security Appliance (FXOS)

  Code Train   First Fixed Release
  2.10         2.10.1.383
  2.12         2.12.1.117
  2.14         2.14.3.125
  2.16         2.16.2.119
  2.17         2.17.0.549
  2.18         2.18.0.535

Note: For Cisco Firepower 4100 and 9300 Security Appliances, information about downloading Cisco FXOS code trains is available in Cisco Firepower 4100/9300 FXOS Compatibility ["https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/compatibility/fxos-compatibility.html"].

The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.
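The following Python is an added example, not part of the Cisco advisory: it transcribes the three Fixed Software tables above and reports, for one device's running release, whether that release is at or above the first fixed release for its train and whether a listed hotfix is still missing. It answers only the software-level question; per the advisory a device showing the indicator of compromise is reimaged regardless of version. The version normalisation (treating every numeric run in strings such as 9.16(4)92 or 2.14(3.125) as a component), the status names, and the assumption that installed hotfix identifiers are supplied by the caller as strings are this example's own; the 10.0 hotfix has no published identifier, so the table carries a PENDING placeholder that can never match.

```python
"""Triage a running ASA / FTD / FXOS release against the advisory's
first-fixed-release tables (tables transcribed from the advisory; all other
conventions are this example's assumptions)."""
import re
from typing import Dict, Iterable, Optional, Tuple

# product -> train -> (first fixed release, required hotfix ID or None)
FIRST_FIXED: Dict[str, Dict[str, Tuple[str, Optional[str]]]] = {
    "asa": {
        "9.16": ("9.16.4.92", None), "9.18": ("9.18.4.135", None),
        "9.20": ("9.20.4.30", None), "9.22": ("9.22.3.5", None),
        "9.23": ("9.23.1.195", None), "9.24": ("9.24.1.155", None),
    },
    "ftd": {
        "7.0": ("7.0.9", "FZ-7.0.9.1-3"), "7.2": ("7.2.11", "HI-7.2.11.1-1"),
        "7.4": ("7.4.7", None), "7.6": ("7.6.4", "CC-7.6.4.1-1"),
        "7.7": ("7.7.11", "AE-7.7.11.1-4"),
        # Hotfix not yet published at advisory time (target 4/30/2026). The
        # placeholder cannot match any installed ID, so 10.0.0 reports
        # needs_hotfix until this entry is updated with the real identifier.
        "10.0": ("10.0.0", "PENDING"),
    },
    "fxos": {
        "2.10": ("2.10.1.383", None), "2.12": ("2.12.1.117", None),
        "2.14": ("2.14.3.125", None), "2.16": ("2.16.2.119", None),
        "2.17": ("2.17.0.549", None), "2.18": ("2.18.0.535", None),
    },
}


def version_tuple(version: str) -> Tuple[int, ...]:
    """Normalise '9.16(4)92', '2.14(3.125)' or '9.16.4.92' to ints.
    Assumption: every numeric run in the string is a significant component."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def at_least(running: Tuple[int, ...], fixed: Tuple[int, ...]) -> bool:
    """Lexicographic compare with zero padding so 7.4.7 equals 7.4.7.0."""
    width = max(len(running), len(fixed))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(running) >= pad(fixed)


def triage(product: str, version: str,
           installed_hotfixes: Iterable[str] = ()) -> Dict[str, Optional[str]]:
    """Return {'train', 'first_fixed', 'hotfix', 'status'} for one device.

    status is one of:
      not_listed   - train absent from the advisory tables; consult the advisory
      below_fixed  - running release is older than the first fixed release
      needs_hotfix - fixed release present but the listed hotfix is not installed
      fixed        - release (and hotfix, where one is listed) at the fixed level
    installed_hotfixes: hotfix names or IDs as reported for the device; matching
    is a substring test so full package names such as
    Cisco_FTD_SSP_FP3K_Hotfix_HI-7.2.11.1-1 are accepted as-is.
    """
    running = version_tuple(version)
    train = ".".join(str(n) for n in running[:2])
    entry = FIRST_FIXED[product.lower()].get(train)
    result: Dict[str, Optional[str]] = {"train": train, "first_fixed": None,
                                        "hotfix": None, "status": "not_listed"}
    if entry is None:
        return result
    first_fixed, hotfix = entry
    result.update(first_fixed=first_fixed, hotfix=hotfix)
    if not at_least(running, version_tuple(first_fixed)):
        result["status"] = "below_fixed"
    elif hotfix and not any(hotfix in h for h in installed_hotfixes):
        result["status"] = "needs_hotfix"
    else:
        result["status"] = "fixed"
    return result


if __name__ == "__main__":
    for args in (("asa", "9.16(4)92"), ("ftd", "7.2.11"),
                 ("ftd", "7.2.11", ["Cisco_FTD_SSP_FP3K_Hotfix_HI-7.2.11.1-1"]),
                 ("ftd", "10.0.0"), ("fxos", "2.14(3.124)")):
        print(args[:2], triage(*args)["status"])
```

A fleet run pairs this with the indicator check: a device that is below_fixed or needs_hotfix is upgraded (after reimaging if compromised), while a device that already reads fixed but shows the lina_cs indicator is exactly the case the advisory describes, where the implant survived the September 2025 upgrade, and is reimaged anyway.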
Exploitation and Public Announcements: The Cisco PSIRT is aware of active exploitation of this issue.
Source: Cisco would like to thank the U.S. Cybersecurity and Infrastructure Security Agency (CISA) for its collaboration during this investigation.
Legal Disclaimer: SOFTWARE DOWNLOADS AND TECHNICAL SUPPORT The Cisco Support and Downloads ["https://www.cisco.com/c/en/us/support/index.html"] page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool. Please note that customers may download only software that was procured from Cisco directly or through a Cisco authorized reseller or partner and for which the license is still valid. Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC) ["https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html"]. Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. When considering software upgrades ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"], customers are advised to regularly consult the advisories ["https://www.cisco.com/go/psirt"] for the relevant Cisco products to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) ["https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html"] or their contracted maintenance providers.

LEGAL DISCLAIMER DETAILS CISCO DOES NOT MAKE ANY EXPRESS OR IMPLIED GUARANTEES OR WARRANTIES OF ANY KIND, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, CISCO DOES NOT GUARANTEE THE ACCURACY OR COMPLETENESS OF THIS INFORMATION. THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. Copies or summaries of the information contained in this Security Advisory may lack important information or contain factual errors. Customers are advised to visit the Cisco Security Advisories ["https://www.cisco.com/go/psirt"] page for the most recent version of this Security Advisory. The Cisco Product Security Incident Response Team (PSIRT) assesses only the affected and fixed release information that is documented in this advisory. See the Cisco Security Vulnerability Policy ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"] for more information.
Acknowledgments

{
  "document": {
    "acknowledgments": [
      {
        "summary": "Cisco would like to thank the U.S. Cybersecurity and Infrastructure Security Agency (CISA) for its collaboration during this investigation."
      }
    ],
    "category": "csaf_informational_advisory",
    "csaf_version": "2.0",
    "notes": [
      {
        "category": "summary",
        "text": "On April 23, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an update to V1: Emergency Directive (ED) 25-03: Identify and Mitigate Potential Compromise of Cisco Devices [\"https://cisa.gov/news-events/directives/v1-ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices\"] related to Cisco Secure Firewall Adaptive Security Appliance (ASA) and Cisco Secure Firewall Threat Defense (FTD) products.\r\n\r\nAccording to the update, the ArcaneDoor threat actor has developed a previously unknown persistence mechanism that is preserved across upgrading to the fixed releases that were published in September 2025. This persistence mechanism resides in the Cisco Firepower eXtensible Operating System (FXOS) Software base operating system for Cisco Secure Firewall ASA Software and Cisco Secure FTD Software installations on the affected hardware platforms.\r\n\r\nNote: According to the intelligence Cisco PSIRT has received to date, the initial compromise begins with the attacker exploiting the following vulnerabilities before customers upgraded to the fixed releases that were made available in September 2025:\r\n\r\nCVE-2025-20333: Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Remote Code Execution Vulnerability [\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB\"]\r\nCVE-2025-20362: Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Unauthorized Access Vulnerability [\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-YROOTUW\"]\r\n\r\nFor more information about the fixed releases that were made available in September 2025, see Cisco Event Response: Continued Attacks Against Cisco Firewalls [\"https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks\"].\r\n\r\n",
        "title": "Summary"
      },
      {
        "category": "general",
        "text": "The following Cisco Secure Firewall ASA and Cisco Secure FTD platforms are affected by this issue, regardless of the device configuration:\r\n\r\nFirepower 1000 Series\r\nFirepower 2100 Series\r\nFirepower 4100 Series\r\nFirepower 9300 Series\r\nSecure Firewall 1200 Series\r\nSecure Firewall 3100 Series\r\nSecure Firewall 4200 Series\r\n\r\nThe following Cisco Secure Firewall ASA and Cisco Secure FTD platforms are not affected by this issue:\r\n\r\nASA 5500-X Series\r\nSecure Firewall 200 Series1\r\nSecure Firewall 6100 Series1\r\nSecure Firewall ASA Virtual\r\nSecure Firewall ISA3000\r\nSecure Firewall Threat Defense Virtual\r\n\r\n1. Cisco Secure Firewall 200 and 6100 Series are only supported by Cisco Secure FTD Software releases 10.0.0 and later. The 10.0.0 software releases include the fixes for the vulnerabilities disclosed in September 2025.",
        "title": "Affected Products"
      },
      {
        "category": "general",
        "text": "For additional details, see the Cisco Talos blog UAT-4356\u0027s Targeting of Cisco Firepower Devices [\"https://blog.talosintelligence.com/uat-4356-firestarter/\"].",
        "title": "Details"
      },
      {
        "category": "general",
        "text": "The newly discovered persistent implant is known to start a malicious process called lina_cs. To check for the presence of this process, use the command show kernel process | include lina_cs on the device. If the show kernel process | include lina_cs command returns any output, as shown in the following example, the device is considered compromised:\r\n\r\nCisco Secure Firewall ASA\r\n\r\nasa# show kernel process | include lina_cs\r\n68081 29428  20   0      249856      100        1    S     3     0    0 lina_cs\r\nCisco Secure FTD\r\n\r\n \u003e show kernel process | include lina_cs\r\n68081 29428  20   0      249856      100        1    S     3     0    0 lina_cs\r\nNote: The lina_cs process name could change, depending on the specific design of the implant, so the indicators of compromise (IOC) in this section may not conclusively identify the persistent implant.\r\n\r\nFor information about mitigations, see the Workarounds [\"#workarounds\"] section of this advisory.",
        "title": "Indicators of Compromise"
      },
      {
        "category": "general",
        "text": "To fully remove the persistence mechanism, Cisco strongly recommends reimaging and upgrading the device using the fixed releases that are listed in the Fixed Software [\"#fs\"] section of this advisory. For more information, see the reimaging documentation for the specific product:\r\n\r\nCisco Secure Firewall ASA and Threat Defense Reimage Guide [\"https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/reimage/asa-ftd-reimage.html\"]\r\nPerform a Complete Reimage for FXOS in Firepower 4100 and 9300 Series [\"https://www.cisco.com/c/en/us/support/docs/security/firepower-9300-series/220603-perform-a-complete-reimage-for-fxos-in-f.html\"]\r\nReimage a Secure FTD for 1000, 2100, and 3100 Series [\"https://www.cisco.com/c/en/us/support/docs/security/firepower-1000-series/220642-reimage-a-secure-firewall-threat-defense.html\"]\r\n\r\nCisco recommends reimaging and upgrading to a fixed release that is listed in the Fixed Software [\"#fs\"] section of this advisory.\r\n\r\nIn cases of confirmed compromise on any Cisco Secure ASA or FTD platforms, all configuration elements of the device should be considered untrusted. Cisco recommends that all configurations \u2013 especially local passwords, certificates, and keys \u2013 be reconfigured and that all certificates and keys are regenerated.\r\n\r\nAlternative Mitigation (not recommended): The following action can mitigate this issue until reimaging can be performed:\r\n\r\n\r\nA cold restart will remove the malicious persistent implant. The shutdown, reboot, and reload CLI commands will not clear the malicious persistent implant, the power cord must be pulled out and plugged back in the device.\r\n\r\nImportant: Disconnecting device power can risk database or disk corruption, and devices might not boot or run as expected. For this reason, Cisco strongly recommends reimaging the device instead if a compromise is suspected.",
        "title": "Workarounds"
      },
      {
        "category": "general",
        "text": "In the following tables, the left column lists Cisco software trains. The right column indicates the first fixed release for each software train.\r\n\r\nIf a device is confirmed compromised, as outlined in the Indicators of Compromise [\"#ioc\"] section of this advisory, the device should be reimaged and upgraded using one of the following fixed releases.\r\n\r\nSecure Firewall ASA Software\r\n        Cisco Secure Firewall ASA Software Code Train  First Fixed Release          9.16  9.16.4.92      9.18  9.18.4.135      9.20  9.20.4.30      9.22  9.22.3.5      9.23  9.23.1.195      9.24  9.24.1.155\r\nSecure FTD Software\r\n        Cisco Secure FTD Software Code Train  First Fixed Release          7.0  7.0.9 followed by Hotfix FZ-7.0.9.1-3\r\n\r\nCisco_FTD_Hotfix_FZ-7.0.9.1-3.sh.REL.tar\r\nCisco_FTD_SSP_FP1K_Hotfix_FZ-7.0.9.1-3.sh.REL.tar\r\nCisco_FTD_SSP_FP2K_Hotfix_FZ-7.0.9.1-3.sh.REL.tar\r\nCisco_FTD_SSP_Hotfix_FZ-7.0.9.1-3.sh.REL.tar      7.2\r\n7.2.11 followed by Hotfix HI-7.2.11.1-1\r\n\r\nCisco_FTD_Hotfix_HI-7.2.11.1-1.sh.REL.tar\r\nCisco_FTD_SSP_FP1K_Hotfix_HI-7.2.11.1-1.sh.REL.tar\r\nCisco_FTD_SSP_FP2K_Hotfix_HI-7.2.11.1-1.sh.REL.tar\r\nCisco_FTD_SSP_FP3K_Hotfix_HI-7.2.11.1-1.sh.REL.tar\r\nCisco_FTD_SSP_Hotfix_HI-7.2.11.1-1.sh.REL.tar        7.4  7.4.7      7.6\r\n7.6.4 followed by Hotfix CC-7.6.4.1-1\r\n\r\nCisco_FTD_Hotfix_CC-7.6.4.1-1.sh.REL.tar\r\nCisco_FTD_SSP_FP1K_Hotfix_CC-7.6.4.1-1.sh.REL.tar\r\nCisco_FTD_SSP_FP3K_Hotfix_CC-7.6.4.1-1.sh.REL.tar\r\nCisco_FTD_SSP_Hotfix_CC-7.6.4.1-1.sh.REL.tar\r\nCisco_Secure_FW_TD_4200_Hotfix_CC-7.6.4.1-1.sh.REL.tar        7.7\r\n7.7.11 followed by Hotfix AE-7.7.11.1-4\r\n\r\nCisco_FTD_Hotfix_AE-7.7.11.1-4.sh.REL.tar\r\nCisco_FTD_SSP_FP1K_Hotfix_AE-7.7.11.1-4.sh.REL.tar\r\nCisco_FTD_SSP_FP3K_Hotfix_AE-7.7.11.1-4.sh.REL.tar\r\nCisco_FTD_SSP_Hotfix_AE-7.7.11.1-4.sh.REL.tar\r\nCisco_Secure_FW_TD_4200_Hotfix_AE-7.7.11.1-4.sh.REL.tar        10.0  10.0.0 followed by Hot Fix (Target 4/30/2026)\r\nFor details about downloading and installing these hot fixes, see Cisco Secure Firewall Threat Defense/Firepower Hotfix Release Notes [\"https://www.cisco.com/c/en/us/td/docs/security/firepower/hotfix/Firepower_Hotfix_Release_Notes/about-firepower-hotfixes.html\"].\r\n\r\nFirepower 4100 and 9300 Security Appliance\r\n        Cisco Firepower 4100 and 9300 Security Appliance  First Fixed Release          2.10  2.10.1.383      2.12  2.12.1.117      2.14  2.14.3.125      2.16  2.16.2.119      2.17  2.17.0.549      2.18  2.18.0.535\r\nNote: For Cisco Firepower 4100 and 9300 Security Appliances, information about downloading Cisco FXOS code trains is available in Cisco Firepower 4100/9300 FXOS Compatibility [\"https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/compatibility/fxos-compatibility.html\"].\r\n\r\nThe Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.",
        "title": "Fixed Software"
      },
      {
        "category": "general",
        "text": "The Cisco PSIRT is aware of active exploitation of this issue.",
        "title": "Exploitation and Public Announcements"
      },
      {
        "category": "general",
        "text": "Cisco would like to thank the U.S. Cybersecurity and Infrastructure Security Agency (CISA) for its collaboration during this investigation.",
        "title": "Source"
      },
      {
        "category": "legal_disclaimer",
        "text": "SOFTWARE DOWNLOADS AND TECHNICAL SUPPORT\r\n\r\nThe Cisco Support and Downloads [\"https://www.cisco.com/c/en/us/support/index.html\"] page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool. Please note that customers may download only software that was procured from Cisco directly or through a Cisco authorized reseller or partner and for which the license is still valid.\r\n\r\nCustomers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC) [\"https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html\"]. Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.\r\n\r\nWhen considering software upgrades [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes\"], customers are advised to regularly consult the advisories [\"https://www.cisco.com/go/psirt\"] for the relevant Cisco products to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) [\"https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html\"] or their contracted maintenance providers.\r\nLEGAL DISCLAIMER DETAILS\r\n\r\nCISCO DOES NOT MAKE ANY EXPRESS OR IMPLIED GUARANTEES OR WARRANTIES OF ANY KIND, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, CISCO DOES NOT GUARANTEE THE ACCURACY OR COMPLETENESS OF THIS INFORMATION. THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.\r\n\r\nCopies or summaries of the information contained in this Security Advisory may lack important information or contain factual errors. Customers are advised to visit the Cisco Security Advisories [\"https://www.cisco.com/go/psirt\"] page for the most recent version of this Security Advisory. The Cisco Product Security Incident Response Team (PSIRT) assesses only the affected and fixed release information that is documented in this advisory. See the Cisco Security Vulnerability Policy [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes\"] for more information.",
        "title": "Legal Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@cisco.com",
      "issuing_authority": "Cisco PSIRT",
      "name": "Cisco",
      "namespace": "https://wwww.cisco.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "Continued Evolution of Persistence Mechanism Against Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense",
        "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-CISAED25-03"
      },
      {
        "category": "external",
        "summary": "Cisco Security Vulnerability Policy",
        "url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"
      },
      {
        "category": "external",
        "summary": "V1: Emergency Directive (ED) 25-03: Identify and Mitigate Potential Compromise of Cisco Devices",
        "url": "https://cisa.gov/news-events/directives/v1-ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices"
      },
      {
        "category": "external",
        "summary": "Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Remote Code Execution Vulnerability",
        "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB"
      },
      {
        "category": "external",
        "summary": "Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Unauthorized Access Vulnerability",
        "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-YROOTUW"
      },
      {
        "category": "external",
        "summary": "Cisco Event Response: Continued Attacks Against Cisco Firewalls",
        "url": "https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks"
      },
      {
        "category": "external",
        "summary": "UAT-4356\u0027s Targeting of Cisco Firepower Devices",
        "url": "https://blog.talosintelligence.com/uat-4356-firestarter/"
      },
      {
        "category": "external",
        "summary": "Cisco Secure Firewall ASA and Threat Defense Reimage Guide",
        "url": "https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/reimage/asa-ftd-reimage.html"
      },
      {
        "category": "external",
        "summary": "Perform a Complete Reimage for FXOS in Firepower 4100 and 9300 Series",
        "url": "https://www.cisco.com/c/en/us/support/docs/security/firepower-9300-series/220603-perform-a-complete-reimage-for-fxos-in-f.html"
      },
      {
        "category": "external",
        "summary": "Reimage a Secure FTD for 1000, 2100, and 3100 Series",
        "url": "https://www.cisco.com/c/en/us/support/docs/security/firepower-1000-series/220642-reimage-a-secure-firewall-threat-defense.html"
      },
      {
        "category": "external",
        "summary": "Cisco Secure Firewall Threat Defense/Firepower Hotfix Release Notes",
        "url": "https://www.cisco.com/c/en/us/td/docs/security/firepower/hotfix/Firepower_Hotfix_Release_Notes/about-firepower-hotfixes.html"
      },
      {
        "category": "external",
        "summary": "Cisco Firepower 4100/9300 FXOS Compatibility",
        "url": "https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/compatibility/fxos-compatibility.html"
      },
      {
        "category": "external",
        "summary": "Cisco Support and Downloads",
        "url": "https://www.cisco.com/c/en/us/support/index.html"
      },
      {
        "category": "external",
        "summary": "Cisco Technical Assistance Center (TAC)",
        "url": "https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html"
      },
      {
        "category": "external",
        "summary": "considering software upgrades",
        "url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"
      },
      {
        "category": "external",
        "summary": "the advisories",
        "url": "https://www.cisco.com/go/psirt"
      }
    ],
    "title": "Continued Evolution of Persistence Mechanism Against Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense",
    "tracking": {
      "current_release_date": "2026-04-24T13:37:01+00:00",
      "generator": {
        "date": "2026-04-24T13:37:02+00:00",
        "engine": {
          "name": "TVCE"
        }
      },
      "id": "cisco-sa-asaftd-persist-CISAED25-03",
      "initial_release_date": "2026-04-23T15:00:00+00:00",
      "revision_history": [
        {
          "date": "2026-04-23T15:08:57+00:00",
          "number": "1.0.0",
          "summary": "Initial public release."
        },
        {
          "date": "2026-04-24T13:37:01+00:00",
          "number": "1.1.0",
          "summary": "Simplified indicators of compromise and added information regarding workarounds."
        }
      ],
      "status": "final",
      "version": "1.1.0"
    }
  }
}

