Cybersecurity agencies in the U.S. and U.K. are warning about a custom malware called Firestarter persisting on Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software.
The backdoor has been attributed to a threat actor that Cisco Talos tracks internally as UAT-4356, known for cyberespionage campaigns, including ArcaneDoor.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.K. National Cyber Security Center (NCSC) believe that the adversary obtained initial access by exploiting a missing authorization issue (CVE-2025-20333) and/or a buffer overflow bug (CVE-2025-20362).
In one incident at a federal civilian executive branch agency, CISA observed the threat actor first deploying the Line Viper malware, a user-mode shellcode loader, and then using Firestarter, which enables continued access even after patching.
“CISA has not confirmed the exact date of initial exploitation but assesses the compromise occurred in early September 2025, and before the agency implemented patches in accordance with ED 25-03,” the agency notes in an alert.
Line Viper is used to establish VPN sessions and access all configuration details, including administrative credentials, certificates, and private keys on compromised Firepower devices.
Next, the ELF binary for the Firestarter backdoor is deployed for persistence, allowing the threat actor to regain access when needed.
Once Firestarter nests on the devices, it maintains persistence across reboots, firmware updates, and security patches. Furthermore, the backdoor relaunches automatically if terminated.
Persistence is achieved by hooking into LINA, the core Cisco ASA process, and using signal handlers that trigger reinstallation routines.
A joint malware analysis report from the two cybersecurity agencies explains that Firestarter modifies the CSP_MOUNT_LIST boot/mount file to ensure execution on startup, stores a copy of itself in /opt/cisco/platform/logs/var/log/svc_samcore.log, and restores it to /usr/bin/lina_cs, where it runs in the background.
Cisco Talos also published its analysis of the malware, saying that the persistence mechanism is triggered when a process termination signal is received, also known as a graceful reboot.
The researchers noted in the Firestarter report that the backdoor used the commands below to set persistence for itself:
Source: Cisco
The implant’s core function is to act as a backdoor for remote access, while it can also execute attacker-provided shellcode.
This is done through a mechanism in which Firestarter hooks into LINA by modifying an XML handler and injecting shellcode into memory, creating a controlled execution path.
This shellcode is triggered by a specially crafted WebVPN request, which, after validating a hardcoded identifier, loads and executes attacker-supplied payloads directly in memory.
However, CISA did not provide any details on the specific payloads observed in attacks.
Cisco published a security advisory about Firestarter that contains mitigations and workarounds for removing the persistence mechanism, as well as indicators of compromise for discovering the Firestarter implant.
The vendor “strongly recommends reimaging and upgrading the device using the fixed releases,” which covers both compromised and non-compromised cases.
To determine a compromise, administrators should run the ‘show kernel process | include lina_cs’ command. For any resulting output, the device should be considered compromised.
If device re-imaging is not currently possible, Cisco says that a cold restart (disconnecting the device power) removes the malware. However, this alternative is not recommended as it carries the risk of database or disk corruption, leading to boot problems.
CISA has also shared two YARA rules that can detect the Firestarter backdoor when applied to a disk image or a core dump from a device.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.
