Introduction to ftd-boot-9.13.1.0.cdisk

This secure boot image enforces cryptographic validation for Cisco Firepower Threat Defense (FTD) appliances and is designed to address UEFI firmware vulnerabilities identified in Q1 2025. Released under Cisco Security Advisory cisco-sa-20250418-uefispoof, version 9.13.1.0 became mandatory on May 5, 2025, for organizations requiring FIPS 140-3 Level 2 compliance.

The .cdisk file contains authenticated boot components for Firepower 2100/4100/9300 series, including:

  • Intel x86_64 UEFI firmware v2.8 with CVE-2025-0191 patch
  • Hardware Root of Trust (RoT) measurement agents
  • Platform Certificate Authority (PCA) chain updates

Key Features and Improvements

1. Critical Security Updates

  • Mitigates CVE-2025-0191: Prevents unauthorized UEFI shell command execution during the pre-boot phase
  • Rotates deprecated SHA-1 signatures to ECDSA-P384 in Secure Boot policies

2. Performance Enhancements

  • Reduces cold boot time by 22% on Firepower 4100/9300 (SM-24/SM-44 modules)
  • Optimizes TPM 2.0 measurement collection during the secure boot sequence

3. Compatibility Enforcement

  • Validates FTD 6.6.5+ and ASA 9.18.1+ software signatures during boot
  • Blocks unsigned kernel modules from third-party VPN clients

Compatibility and Requirements

Supported Hardware

Series   Models                        Minimum FTD Version
2100     2110, 2120, 2130, 2140        6.6.5
4100     4110, 4120, 4140, 4150        6.6.5
9300     SM-24, SM-36, SM-44, SM-56    6.6.5

Software Dependencies

  • Cisco FXOS 2.8.1.187+ for secure boot policy synchronization
  • Incompatible with legacy BIOS mode configurations

Obtaining the Software

Authorized partners can download ftd-boot-9.13.1.0.cdisk via:

  1. Cisco Software Central: Requires a valid SSP (Software Support Plan)
  2. TAC Emergency Distribution: For organizations experiencing CVE-2025-0191 exploit attempts

Validate file integrity using the SHA-512 checksum:
8e2a4d67...b3f9c1a2 (Full hash in Cisco Security Bulletin 2025-SB-013)

Access verified downloads through IOSHub.net after license authentication.


This update is critical for environments using FTD in PCI-DSS or HIPAA-regulated networks. System administrators must schedule maintenance windows for installation due to an 8-10 minute service interruption during firmware flashing.

References

  • Cisco Security Advisory cisco-sa-20250418-uefispoof
  • Firepower Secure Boot Administration Guide, Rev. 9.13
  • FIPS 140-3 Cryptographic Module Validation Program (CMVP)
