Continued Evolution of Persistence Mechanism Against Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense
Summary
On April 23, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an update to V1: Emergency Directive (ED) 25-03: Identify and Mitigate Potential Compromise of Cisco Devices related to Cisco Secure Firewall Adaptive Security Appliance (ASA) and Cisco Secure Firewall Threat Defense (FTD) products.
CISA Known Exploited Vulnerability
- Listed:
- Sep 25, 2025 · federal remediation due Sep 26, 2025
- Required action:
- The KEV due date refers to the deadline by which FCEB agencies are expected to review and begin implementing the guidance outlined in Emergency Directive (ED) 25-03 (URL listed below in Notes). Agencies must follow the mitigation steps provided by CISA (URL listed below in Notes) and vendor’s instructions (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.
- Ransomware use:
- Unknown
KEV is a prioritization signal from CISA — remediation detail still comes from the vendor advisory.
- Release 9.16 (first fixed: 9.16.4.92)
- Release 9.18 (first fixed: 9.18.4.135)
- Release 9.20 (first fixed: 9.20.4.30)
- Release 9.22 (first fixed: 9.22.3.5)
- Release 9.23 (first fixed: 9.23.1.321)
- Release 9.24 (first fixed: 9.24.1.111)
- Release 7.0 (first fixed: 7.0.9 followed by Hotfix FZ-7.0.9.1-3)
- Release Cisco_FTD_Hotfix_FZ-7.0.9.1-3.sh.REL.tar (first fixed: Cisco_FTD_SSP_FP1K_Hotfix_FZ-7.0.9.1-3.sh.REL.tar)
- Release Cisco_FTD_SSP_FP2K_Hotfix_FZ-7.0.9.1-3.sh.REL.tar (first fixed: Cisco_FTD_SSP_Hotfix_FZ-7.0.9.1-3.sh.REL.tar)
- Release 7.2 (first fixed: 7.2.11 followed by Hotfix HI-7.2.11.1-1)
- Release Cisco_FTD_Hotfix_HI-7.2.11.1-1.sh.REL.tar (first fixed: Cisco_FTD_SSP_FP1K_Hotfix_HI-7.2.11.1-1.sh.REL.tar)
- Release Cisco_FTD_SSP_FP2K_Hotfix_HI-7.2.11.1-1.sh.REL.tar (first fixed: Cisco_FTD_SSP_FP3K_Hotfix_HI-7.2.11.1-1.sh.REL.tar)
- Release Cisco_FTD_SSP_Hotfix_HI-7.2.11.1-1.sh.REL.tar (first fixed: 7.4)
- Release 7.4.7 (first fixed: 7.6)
- Release 7.6.4 followed by Hotfix CC-7.6.4.1-1 (first fixed: Cisco_FTD_Hotfix_CC-7.6.4.1-1.sh.REL.tar)
- Release Cisco_FTD_SSP_FP1K_Hotfix_CC-7.6.4.1-1.sh.REL.tar (first fixed: Cisco_FTD_SSP_FP3K_Hotfix_CC-7.6.4.1-1.sh.REL.tar)
- Release Cisco_FTD_SSP_Hotfix_CC-7.6.4.1-1.sh.REL.tar (first fixed: Cisco_Secure_FW_TD_4200_Hotfix_CC-7.6.4.1-1.sh.REL.tar)
- Release 7.7 (first fixed: 7.7.11 followed by Hotfix AE-7.7.11.1-4)
- Release Cisco_FTD_Hotfix_AE-7.7.11.1-4.sh.REL.tar (first fixed: Cisco_FTD_SSP_FP1K_Hotfix_AE-7.7.11.1-4.sh.REL.tar)
- Release Cisco_FTD_SSP_FP3K_Hotfix_AE-7.7.11.1-4.sh.REL.tar (first fixed: Cisco_FTD_SSP_Hotfix_AE-7.7.11.1-4.sh.REL.tar)
- Release Cisco_Secure_FW_TD_4200_Hotfix_AE-7.7.11.1-4.sh.REL.tar (first fixed: 10.0)
- Release 10.0.0 followed by Hotfix I-10.0.0.1-4 (first fixed: Cisco_FTD_Hotfix_I-10.0.0.1-4.sh.REL.tar)
- Release Cisco_FTD_SSP_FP1K_Hotfix_I-10.0.0.1-4.sh.REL.tar (first fixed: Cisco_FTD_SSP_FP3K_Hotfix_I-10.0.0.1-4.sh.REL.tar)
- Release Cisco_FTD_SSP_Hotfix_I-10.0.0.1-4.sh.REL.tar (first fixed: Cisco_Secure_FW_TD_4200_Hotfix_I-10.0.0.1-4.sh.REL.tar)
Official advisory · medium-confidence parse· fetched 1 day ago·verify at source
- 9.16.4.92
- 9.18.4.135
- 9.20.4.30
- 9.22.3.5
- 9.23.1.321
- 9.24.1.111
- 7.0.9 followed by Hotfix FZ-7.0.9.1-3
- Cisco_FTD_SSP_FP1K_Hotfix_FZ-7.0.9.1-3.sh.REL.tar
- Cisco_FTD_SSP_Hotfix_FZ-7.0.9.1-3.sh.REL.tar
- 7.2.11 followed by Hotfix HI-7.2.11.1-1
- Cisco_FTD_SSP_FP1K_Hotfix_HI-7.2.11.1-1.sh.REL.tar
- Cisco_FTD_SSP_FP3K_Hotfix_HI-7.2.11.1-1.sh.REL.tar
- 7.4
- 7.6
- Cisco_FTD_Hotfix_CC-7.6.4.1-1.sh.REL.tar
- Cisco_FTD_SSP_FP3K_Hotfix_CC-7.6.4.1-1.sh.REL.tar
- Cisco_Secure_FW_TD_4200_Hotfix_CC-7.6.4.1-1.sh.REL.tar
- 7.7.11 followed by Hotfix AE-7.7.11.1-4
- Cisco_FTD_SSP_FP1K_Hotfix_AE-7.7.11.1-4.sh.REL.tar
- Cisco_FTD_SSP_Hotfix_AE-7.7.11.1-4.sh.REL.tar
- 10.0
- Cisco_FTD_Hotfix_I-10.0.0.1-4.sh.REL.tar
- Cisco_FTD_SSP_FP3K_Hotfix_I-10.0.0.1-4.sh.REL.tar
- Cisco_Secure_FW_TD_4200_Hotfix_I-10.0.0.1-4.sh.REL.tar
Official advisory · medium-confidence parse· fetched 1 day ago·verify at source
Mitigation checklist
- Upgrade to the first fixed release for your train per the Fixed Releases table in this advisory.
- Release 9.16: upgrade to 9.16.4.92.
- Release 9.18: upgrade to 9.18.4.135.
- Release 9.20: upgrade to 9.20.4.30.
- Release 9.22: upgrade to 9.22.3.5.
- Release 9.23: upgrade to 9.23.1.321.
- Release 9.24: upgrade to 9.24.1.111.
- Release 7.0: upgrade to 7.0.9 followed by Hotfix FZ-7.0.9.1-3.
- Release Cisco_FTD_Hotfix_FZ-7.0.9.1-3.sh.REL.tar: upgrade to Cisco_FTD_SSP_FP1K_Hotfix_FZ-7.0.9.1-3.sh.REL.tar.
- To fully remove the persistence mechanism, Cisco strongly recommends reimaging and upgrading the device using the fixed releases that are listed in the Fixed Software section of this advisory. For more information, see the reimaging documentation for the specific product:
- Cisco Secure Firewall ASA and Threat Defense Reimage Guide
- Perform a Complete Reimage for FXOS in Firepower 4100 and 9300 Series
- Reimage a Secure FTD for 1000, 2100, and 3100 Series
- Cisco recommends reimaging and upgrading to a fixed release that is listed in the Fixed Software section of this advisory.
- In cases of confirmed compromise on any Cisco Secure ASA or FTD platforms, all configuration elements of the device should be considered untrusted. Cisco recommends that all configurations ��� especially local passwords, certificates, and keys ��� be reconfigured and that all certificates and keys are regenerated.
- Alternative Mitigation (not recommended): The following action can mitigate this issue until reimaging can be performed:
- A cold restart will remove the malicious persistent implant. The shutdown, reboot, and reload CLI commands will not clear the malicious persistent implant, the power cord must be pulled out and plugged back in the device.
- Important: Disconnecting device power can risk database or disk corruption, and devices might not boot or run as expected. For this reason, Cisco strongly recommends reimaging the device instead if a compromise is suspected.
Official advisory · medium-confidence parse· fetched 1 day ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.