VYPR · breach · Published Apr 24, 2026 · Updated May 18, 2026 · 1 source

FIRESTARTER Backdoor Hits Federal Cisco Firepower Device, Survives Security Patches

CISA and NCSC disclosed that an unnamed federal agency's Cisco Firepower device was compromised with the FIRESTARTER backdoor, which persists across firmware updates and reboots.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.K.'s National Cyber Security Centre (NCSC) have revealed that an unnamed federal civilian agency's Cisco Firepower device running Adaptive Security Appliance (ASA) software was compromised in September 2025 with a new malware called FIRESTARTER. The backdoor is assessed to be part of a widespread campaign by an advanced persistent threat (APT) actor targeting Cisco ASA firmware.

FIRESTARTER exploits two now-patched vulnerabilities: CVE-2025-20333 (CVSS 9.9), an improper input validation flaw allowing authenticated remote attackers with valid VPN credentials to execute arbitrary code as root via crafted HTTP requests, and CVE-2025-20362 (CVSS 6.5), an improper input validation flaw allowing unauthenticated remote attackers to access restricted URL endpoints. The malware persists on Cisco devices running ASA or Firepower Threat Defense (FTD) software, maintaining access even after patching.

In the investigated incident, threat actors deployed a post-exploitation toolkit called LINE VIPER, which can execute CLI commands, perform packet captures, bypass VPN Authentication, Authorization, and Accounting (AAA), suppress syslog messages, harvest user CLI commands, and force delayed reboots. LINE VIPER provided elevated access for FIRESTARTER, which was deployed before September 25, 2025, allowing continued access as recently as last month.

FIRESTARTER is a Linux ELF binary that sets up persistence by manipulating the device's boot sequence via a startup mount list, ensuring it reactivates on every normal reboot. It survives firmware updates and device reboots unless a hard power cycle occurs. The malware installs a hook within LINA, the device's core engine for network processing and security functions, enabling execution of arbitrary shellcode, including deployment of LINE VIPER.

Cisco, which tracks the activity as UAT4356 (aka Storm-1849), describes FIRESTARTER as a backdoor that parses specially crafted WebVPN authentication requests containing a "magic packet" and executes the arbitrary shellcode they carry within the LINA process. The actor's exact origins are unknown, though Censys analysis in May 2024 suggested links to China. UAT4356 was first identified in connection with the ArcaneDoor campaign, which exploited zero-days in Cisco gear.

To fully remove FIRESTARTER, Cisco strongly recommends reimaging the device and upgrading to a fixed release. In cases of confirmed compromise, all configuration elements should be considered untrusted. As a temporary mitigation, customers should perform a cold restart by pulling the power cord, since the shutdown, reboot, and reload CLI commands do not clear the implant.

The disclosure coincides with a joint advisory from the U.S., U.K., and international partners about large-scale networks of compromised SOHO routers and IoT devices used by China-nexus threat actors like Volt Typhoon and Flax Typhoon for espionage. These covert networks, constantly updated and shared among groups, complicate attribution and defense.

Synthesized by Vypr AI