Two critical vulnerabilities in Cisco ASA and Firepower Threat Defense were exploited by a China-linked nation-state actor (UAT4356 / Storm-1849) to deploy the FIRESTARTER firmware-resident backdoor against at least one U.S. federal civilian agency beginning September 2025. The implant survives software patching, firmware updates, and remote reboots, requiring physical power cycle and full device reimage to remediate confirmed or suspected compromises. Any ASA or FTD device with an internet-exposed management interface that was not patched prior to September 2025 must be treated as potentially compromised.