Firestarter Malware Survives Cisco Firewall Updates and Security Patches

What happened

CISA and the UK’s NCSC have issued a joint warning about a custom backdoor called Firestarter that persists on Cisco Firepower and Secure Firewall devices running ASA or FTD software, surviving reboots, firmware updates, and security patches. The malware has been attributed to UAT-4356, a cyberespionage threat actor previously linked to the ArcaneDoor campaign.

Initial access is assessed to have occurred through exploitation of two vulnerabilities: a missing authorization issue tracked as CVE-2025-20333 and a buffer overflow bug tracked as CVE-2025-20362. In one confirmed incident at a federal civilian executive branch agency, attackers first deployed Line Viper, a user-mode shellcode loader that establishes VPN sessions and extracts administrative credentials, certificates, and private keys from compromised Firepower devices. Firestarter was then deployed as the persistence mechanism.

Firestarter achieves persistence by hooking into LINA, the core Cisco ASA process, and modifying the CSP_MOUNT_LIST boot file to ensure execution on startup. It stores a copy of itself in a log file path and restores to /usr/bin/lina_cs if removed. A signal handler triggers reinstallation when a process termination signal is received, meaning even a graceful reboot reactivates the implant. Its core function is remote access, with the ability to execute attacker-supplied shellcode delivered via specially crafted WebVPN requests that validate a hardcoded identifier before loading payloads directly into memory.

CISA assessed that the compromise at the federal agency occurred in early September 2025, before patches were applied under Emergency Directive 25-03. Cisco has published a security advisory with mitigations, indicators of compromise, and YARA rules. The vendor strongly recommends reimaging affected devices using fixed releases. A cold restart removes the malware but risks database and disk corruption. Administrators can check for compromise by running the command show kernel process | include lina_cs and treating any output as an indicator of active infection.

Who is affected

Organizations running Cisco Firepower or Secure Firewall devices on ASA or FTD software are directly in scope. A confirmed compromise at a federal civilian agency indicates the campaign has already reached government infrastructure. Given UAT-4356’s documented focus on cyberespionage, organizations in government, defense, critical infrastructure, and sectors handling sensitive data face the most targeted risk.

Why CISOs should care

A backdoor that survives patching on a security device is a particularly serious category of threat. Organizations that patched CVE-2025-20333 and CVE-2025-20362 in good faith may still have active Firestarter implants running on their Cisco devices if the initial compromise occurred before those patches were applied. The malware’s design specifically anticipates remediation attempts and reinstalls itself in response to them.

For security leaders, this is a reminder that patching a vulnerability does not remediate an active compromise. Detection and reimaging must follow any confirmed or suspected exploitation of these devices, not patching alone.

3 practical actions

  1. Run the Cisco detection command on all Firepower and Secure Firewall devices immediately: Execute show kernel process | include lina_cs on every ASA and FTD device in your environment. Any output from this command should be treated as evidence of an active Firestarter infection requiring immediate isolation and reimaging.
  2. Reimage confirmed or suspected compromised devices rather than patching in place: Cisco explicitly recommends reimaging over patching for both compromised and non-compromised devices running affected software. Apply CISA’s published YARA rules to disk images or core dumps to support detection before reimaging.
  3. Rotate all credentials and certificates extracted from affected devices: Line Viper is specifically designed to harvest administrative credentials, certificates, and private keys from compromised Firepower devices before Firestarter is deployed. Treat all credentials associated with any device that may have been exposed as compromised and rotate them regardless of whether Firestarter infection is confirmed.
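A fleet-level triage helper for the check in action 1, added here as an example (it is not Cisco's or CISA's tooling): it classifies the raw text each device returned for show kernel process | include lina_cs, and separates a genuinely empty result from a capture where the command never ran, which must not be counted as clean. The device names and captured output are constructed sample data.

```python
# Added triage helper for the advisory's check (not Cisco/CISA tooling); sample data is constructed.
from __future__ import annotations
import re
from dataclasses import dataclass

CHECK_COMMAND = "show kernel process | include lina_cs"
INDICATOR = re.compile(r"lina_cs")  # the implant's process name from the advisory
# Output meaning the command never ran: silence here is not a clean result.
FAILURE_MARKERS = ("% Invalid", "ERROR:", "Connection", "timed out", "Permission denied")

@dataclass
class Verdict:
    device: str
    status: str          # "INFECTED", "CLEAN" or "UNKNOWN"
    evidence: list[str]  # the lines that justify the status

def classify(device: str, output: str | None) -> Verdict:
    """Turn one device's raw output for CHECK_COMMAND into a verdict.
    Any line naming lina_cs is an active infection, per the advisory. Empty output
    is CLEAN only for a real, error-free capture; a missing capture or an error
    message is UNKNOWN and must be re-run, never counted as a pass."""
    if output is None:
        return Verdict(device, "UNKNOWN", ["no capture collected"])
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    # An echoed copy of the command contains "lina_cs" too; it is not a process.
    lines = [ln for ln in lines if CHECK_COMMAND not in ln]
    hits = [ln for ln in lines if INDICATOR.search(ln)]
    if hits:
        return Verdict(device, "INFECTED", hits)
    errors = [ln for ln in lines if any(m in ln for m in FAILURE_MARKERS)]
    if errors:
        return Verdict(device, "UNKNOWN", errors)
    return Verdict(device, "CLEAN", [])

def triage(captures: dict[str, str | None]) -> dict[str, Verdict]:
    """Classify a whole fleet; keys are device names, values are raw captures."""
    return {dev: classify(dev, out) for dev, out in captures.items()}

def needs_action(results: dict[str, Verdict]) -> list[str]:
    # Devices to isolate and reimage first, then those whose check must be re-run.
    return [d for s in ("INFECTED", "UNKNOWN") for d, v in results.items() if v.status == s]

# Constructed sample captures (fictional devices and process listings).
SAMPLE_CAPTURES: dict[str, str | None] = {
    "fw-edge-01": "ciscoasa# show kernel process | include lina_cs\nciscoasa#\n",  # echo only
    "fw-edge-02": "  4211  4190 lina  S  /usr/bin/lina_cs\n",                      # indicator present
    "fw-dc-01":   "ssh: connect to host fw-dc-01 port 22: Connection refused\n",  # command never ran
    "fw-dc-02":   None,                                                              # never collected
}
```

Feed it the per-device output from whatever session tooling you already use to reach the ASA/FTD CLI; anything returned as INFECTED or UNKNOWN goes on the isolation-and-reimage or re-check list respectively.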
