FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches

The US Cybersecurity and Infrastructure Security Agency (CISA) revealed that a Cisco Firepower device running Adaptive Security Appliance (ASA) software at a federal agency was compromised in September 2025 by malware called FIRESTARTER.
FIRESTARTER has been assessed by CISA and the UK’s National Cyber Security Centre (NCSC) as a backdoor designed for remote access and control. It is believed to have been distributed as part of a “broader” campaign by an Advanced Persistent Threat (APT) actor to gain access to Cisco ASA firmware by exploiting the following security flaws, which are currently under investigation:
- CVE-2025-20333 (CVSS score: 9.9) – An improper authentication of user-supplied input vulnerability that could allow an authenticated, remote attacker with valid VPN user credentials to execute arbitrary code as root on an affected device by sending crafted HTTP requests.
- CVE-2025-20362 (CVSS score: 6.5) – An improper validation of user-supplied input vulnerability that could allow an unauthenticated, remote attacker to reach a restricted URL endpoint without authentication by sending crafted HTTP requests.
“FIRESTARTER can persist as an active threat on Cisco devices running ASA or Firepower Threat Defense (FTD) software, maintaining post-attachment persistence and allowing threat actors to regain access to vulnerable devices without re-applying the vulnerability,” the organizations said.
In the investigated incident, the threat actors were found to be using a post-exploitation toolkit called LINE VIPER that can execute CLI commands, capture packets, bypass VPN Authentication, Authorization, and Accounting (AAA) on the actor’s devices, suppress syslog messages, harvest user CLI commands, and initiate latency.
The elevated access provided by LINE VIPER served as the conduit for FIRESTARTER, which was deployed on the Firepower device before September 25, 2025, allowing the threat actors to maintain continued access and return to the vulnerable device as recently as last month.
A Linux ELF binary, FIRESTARTER can establish persistence on a device and survive firmware updates and device reboots unless a hard power cycle occurs. The malware inserts itself into the device’s boot process by manipulating the boot list, ensuring that it runs automatically every time the device reboots normally. Durability aside, it also shares some degree of overlap with a previously documented bootkit called RayInitiator.
“FIRESTARTER attempts to insert a hook – a way to prevent and modify normal functions – inside LINA, the device’s main engine for processing network and security functions,” according to the advisory. “This hook enables the arbitrary execution of shellcode provided by APT actors, including the use of LINE VIPER.”
“Although the Cisco patches address CVE-2025-20333 and CVE-2025-20362, devices that were compromised prior to the patch may remain vulnerable because FIRESTARTER is not removed by firmware updates.”
Cisco, which tracks the exploitation activity related to the two vulnerabilities under the moniker UAT4356 (also known as Storm-1849), described FIRESTARTER as a backdoor that facilitates the extraction of shellcode obtained by the LINA process from specially crafted WebVPN authentication requests containing “.
The exact origin of the threat activity is unknown, although analysis from the attack surface management platform Censys in May 2024 suggested links to China. UAT4356 was initially attributed to a campaign called ArcaneDoor that exploited two zero-day flaws in Cisco network gear to deliver malware capable of capturing network traffic and re-examination.
“To completely remove the persistence method, Cisco strongly recommends re-identifying and upgrading the device,” Cisco said. “In the event of a confirmed downgrade on any Cisco Secure ASA or FTD platform, all configuration aspects of the device should be considered untrusted.”
Where that is not possible, the company recommends that customers perform a cold reboot to remove the FIRESTARTER installation. “Shutdown, reboot, and reload CLI commands will not clear the malicious installation in progress; the power cord must be removed and reconnected to the device,” it added.
Chinese Hackers Move From Privately Purchased Infrastructure to Hidden Networks
The disclosure comes as the US, UK, and various international partners issued a joint advisory about large networks of vulnerable SOHO routers and IoT devices controlled by China-nexus threat actors to conceal their espionage operations from countermeasures.
Government-sponsored groups like Volt Typhoon and Flax Typhoon have been using these botnets, which include home routers, security cameras, video recorders, and other IoT devices, to target critical infrastructure sectors and conduct cyber espionage in a “low-cost, low-risk, deniable manner,” according to the advisory.
Complicating matters is that these networks are constantly changing, and multiple threat groups affiliated with China may be using the same botnet at the same time, making it challenging for defenders to identify and block them using static IP blocklists.
“Hidden networks typically include vulnerable SOHO routers, but they also target any vulnerable device they can exploit at a high level,” the organizations said. “Their traffic will be routed through multiple compromised devices, used as transit nodes, before exiting the network at an exit point, usually at the same location as the target.”
The findings underscore a common pattern seen in government-sponsored attacks: the targeting of network perimeter devices on residential, business, and government networks in order to use them as proxies or to siphon sensitive data and communications.