
Cyber Centre Daily Advisory Digest — 2026-05-11 (5 advisories)

The Canadian Centre for Cyber Security released a daily digest highlighting critical vulnerabilities across Cisco, IBM, Dell, Ubuntu, and several ICS platforms. Notably, Cisco ASA and FTD devices are affected by a newly identified persistence mechanism known as the FIRESTARTER backdoor, which remains in place on devices that were already patched against CVE-2025-20333, CVE-2025-20362, and CVE-2025-20363.

Sensitivity: Immediate · Confidence: high · Analyzed: 2026-05-11

Authors: Canadian Centre for Cyber Security

Actors: FIRESTARTER Backdoor

Source:Canadian Centre for Cyber Security

IOCs · 4


What Happened

The Canadian Centre for Cyber Security published a digest of recent security alerts affecting several major technology vendors. Organizations using Cisco, IBM, Dell, Ubuntu, and certain industrial control systems are exposed to software flaws that could allow attackers to take control of devices. The most pressing item concerns Cisco firewall devices, where attackers have been found using a hidden backdoor called FIRESTARTER that remains in place even after earlier security updates were applied. System administrators should review the advisories immediately, upgrade to the fixed releases, and, where indicators of compromise are present, reimage rather than upgrade in place.

Key Takeaways

  • Cisco ASA and FTD devices are being actively targeted, with a newly discovered persistence mechanism (the FIRESTARTER backdoor) that survives the earlier patches for the three CVEs below.
  • Critical vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363) allow RCE and unauthorized access via improper HTTP(S) input validation on Cisco devices.
  • IBM, Dell, Ubuntu, and CISA (ICS) released multiple critical security updates between May 4 and 10, 2026, affecting a wide range of enterprise and industrial products.

Affected Systems

  • Cisco ASA 5500-X Series
  • Cisco Secure Firewall ASA Software
  • Cisco Secure Firewall Threat Defense (FTD)
  • Cisco Firepower eXtensible Operating System (FXOS)
  • IBM multiple products (Aspera, Cloud Pak, App Connect, MQ, Maximo, etc.)
  • Dell PowerScale, ECS, ObjectScale
  • Ubuntu Linux kernel (20.04 LTS, 22.04 LTS, 24.04 LTS, 25.10)
  • ABB, Hitachi Energy, Johnson Controls, and MAXHUB ICS products

Vulnerabilities (CVEs)

  • CVE-2025-20333
  • CVE-2025-20362
  • CVE-2025-20363

Attack Chain

Threat actors target Cisco ASA and FTD devices with VPN web services enabled by exploiting improper validation of user-supplied input in HTTP(S) requests (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363). Upon successful exploitation, attackers can execute arbitrary code or reach restricted URL endpoints without authorization. To maintain access, attackers deploy the FIRESTARTER backdoor, a persistence mechanism embedded in the Cisco FXOS base operating system that survives standard firmware upgrades; this is why the digest recommends reimaging, not an in-place upgrade, for devices showing indicators of compromise.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The advisory does not provide detection rules. Its one concrete check is to look for a 'firmware-update.log' file on 'disk0:' of Cisco ASA devices after upgrading; if the file is present, preserve it rather than deleting it and report the finding.

Detection Engineering Assessment

  • EDR Visibility: None. EDR agents cannot typically be installed on Cisco ASA/FTD hardware appliances or their underlying FXOS.
  • Network Visibility: Medium. Exploitation occurs via HTTP(S) requests to VPN web services, which may be visible if TLS inspection or specific WAF rules are in place, though the advisory does not detail the payloads.
  • Detection Difficulty: Hard. The FIRESTARTER backdoor resides in the base FXOS operating system and survives standard patching, making it difficult to detect without specialized forensic analysis or reimaging.

Required Log Sources

  • Firewall logs
  • Web server access logs
  • System logs (syslog)

Hunting Hypotheses

Hypothesis                                                                                          | Telemetry                                   | ATT&CK Stage | FP Risk
----------------------------------------------------------------------------------------------------|---------------------------------------------|--------------|--------
Unexpected creation or modification of firmware-update.log on the disk0: partition of a Cisco ASA   | File system logs / Device management logs   | Persistence  | Medium

Control Gaps

  • Standard firmware upgrades do not remove the FIRESTARTER persistence mechanism.

Key Behavioral Indicators

  • Presence of firmware-update.log on disk0: after upgrade
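The hunting hypothesis and the behavioral indicator above both come down to one check per device: does disk0: contain firmware-update.log after the upgrade? The following is an added example, not code from the Cyber Centre digest or from Cisco, showing how to run that check over the output of the ASA `dir disk0:` command. It assumes you already collect that output from each device (for example over SSH with your existing automation) and feed it in as text; the two sample listings are constructed for illustration, as are the hostnames, file sizes and timestamps.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicator named in the digest: a firmware-update.log file on disk0: after upgrading.
INDICATOR_NAME = "firmware-update.log"
INDICATOR_PATH = "disk0:/firmware-update.log"

# One entry line of ASA 'dir disk0:' output looks like:
#   "136    -rwx  69216644     13:51:42 Aug 02 2016  asa962-smp-k8.bin"
# index, permissions, size in bytes, time, date, then the file name.
_ENTRY_RE = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<perms>[-d][rwx-]{3})\s+(?P<size>\d+)\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<date>[A-Za-z]{3} \d{1,2} \d{4})\s+(?P<name>\S.*?)\s*$"
)


@dataclass
class DirEntry:
    index: int
    perms: str
    size: int
    timestamp: str
    name: str


def parse_dir_output(text: str) -> List[DirEntry]:
    """Parse the entry lines of 'dir disk0:' output, skipping the header and totals lines."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            entries.append(DirEntry(int(m["index"]), m["perms"], int(m["size"]),
                                    f"{m['date']} {m['time']}", m["name"]))
    return entries


def find_indicator(dir_output: str) -> Optional[DirEntry]:
    """Return the firmware-update.log entry if present on disk0:, else None."""
    for entry in parse_dir_output(dir_output):
        # Case-insensitive match on the basename so a recursive listing is also handled.
        if entry.name.lower().rsplit("/", 1)[-1] == INDICATOR_NAME:
            return entry
    return None


def assess_device(hostname: str, dir_output: str) -> dict:
    """Produce a per-device verdict suitable for a fleet-wide hunt report."""
    hit = find_indicator(dir_output)
    if hit is None:
        return {"host": hostname, "suspicious": False, "indicator": None}
    return {
        "host": hostname,
        "suspicious": True,
        "indicator": {"path": INDICATOR_PATH, "size": hit.size, "timestamp": hit.timestamp},
        # Per the digest: keep the file for forensics and report it; do not delete it.
        "action": "preserve disk0:/firmware-update.log, do not delete; report to the Cyber Centre and reimage to a fixed release",
    }


# Constructed sample output for a device with no indicator (hypothetical file names/sizes).
CLEAN_DIR_OUTPUT = """\
Directory of disk0:/

12     -rwx  103391048   10:12:34 Apr 28 2026  asa-fixed-release.bin
13     -rwx  30572544    10:14:02 Apr 28 2026  asdm.bin
14     drwx  4096        09:55:10 Apr 28 2026  coredumpinfo

8192000000 bytes total (7000000000 bytes free)
"""

# Constructed sample output for a device that still carries the indicator after upgrading.
SUSPICIOUS_DIR_OUTPUT = CLEAN_DIR_OUTPUT.replace(
    "\n8192000000 bytes total",
    "\n15     -rwx  1294        12:01:52 May 09 2026  firmware-update.log\n\n8192000000 bytes total",
)


if __name__ == "__main__":
    for host, output in [("fw-edge-01", CLEAN_DIR_OUTPUT), ("fw-edge-02", SUSPICIOUS_DIR_OUTPUT)]:
        print(assess_device(host, output))
```

Run the same function against the `dir disk0:` output of every ASA after the upgrade window and triage any device where `suspicious` is true; the file itself must be preserved for the Cyber Centre, so the script reports and never deletes.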

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Check Cisco ASA and FTD devices for the indicators of compromise in the digest, in particular firmware-update.log on disk0:.
  • Where indicators are present, reimage the device to a known fixed version; an in-place upgrade does not remove the FIRESTARTER backdoor.
  • Upgrade all other Cisco ASA and FTD deployments to the latest fixed release.
  • Apply security updates for IBM, Dell, Ubuntu, and ICS products listed in the digest.

Infrastructure Hardening

  • Review and implement the Cyber Centre’s Top 10 IT Security Actions.
  • Ensure VPN web services are restricted or monitored for anomalous HTTP(S) requests.

User Protection

  • N/A

Security Awareness

  • Preserve the firmware-update.log file if it is found after upgrading Cisco devices, and notify the Cyber Centre.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1542.001 - System Firmware

Additional IOCs

  • File Paths:
    • disk0:/firmware-update.log - Log file to preserve if found after upgrading ASA 5500-X series