
Firestarter malware evades Cisco firewall updates and patches

▼ Summary

– U.S. and U.K. cybersecurity agencies warn about custom malware Firestarter persisting on Cisco Firepower and Secure Firewall devices running ASA or FTD software.
– The threat actor UAT-4356 gained initial access by exploiting vulnerabilities CVE-2025-20333 and CVE-2025-20362.
– In one incident, the attacker first deployed Line Viper malware to steal credentials and access details, then used Firestarter for persistent access even after patching.
– Firestarter maintains persistence across reboots, firmware updates, and patches by hooking into the LINA process and using signal handlers to reinstall itself.
– Cisco recommends reimaging and upgrading devices to remove the implant, but a cold restart can temporarily remove it, though it risks disk corruption.

Cybersecurity authorities in both the United States and the United Kingdom have issued urgent warnings regarding a custom-built backdoor known as Firestarter, which has been found persisting on Cisco Firepower and Secure Firewall appliances. These devices run either Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software, and the malware has proven resilient even after official patches and firmware updates are applied.

The Firestarter malware is linked to a threat actor tracked internally by Cisco Talos as UAT-4356, a group already known for conducting cyberespionage operations, including the ArcaneDoor campaign. According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.K. National Cyber Security Centre (NCSC), the adversary likely gained initial access by exploiting two distinct vulnerabilities: a missing authorization issue tracked as CVE-2025-20333 and a buffer overflow bug identified as CVE-2025-20362.

In one confirmed incident at a federal civilian executive branch agency, CISA observed the attacker first deploying Line Viper, a user-mode shellcode loader, before introducing Firestarter. This sequence allowed the intruder to maintain access even after the organization applied security patches. CISA assesses that the initial compromise occurred in early September 2025, before the agency implemented fixes in accordance with emergency directive ED 25-03.

Line Viper serves as a preliminary tool, enabling the attacker to establish VPN sessions and extract all device configuration data, including administrative credentials, certificates, and private keys from compromised Firepower devices. Once that foothold is secured, the ELF binary for the Firestarter backdoor is introduced to ensure persistence, granting the threat actor the ability to regain access at any time.

What makes Firestarter particularly dangerous is its ability to survive reboots, firmware updates, and security patches. Even if the backdoor process is manually terminated, it automatically relaunches. This persistence is achieved by hooking into LINA, the core Cisco ASA process, and using signal handlers that trigger reinstallation routines. Specifically, the malware modifies the CSPMOUNTLIST boot and mount file to execute on startup, stores a copy of itself in `/opt/cisco/platform/logs/var/log/svcsamcore.log`, and restores it to `/usr/bin/linacs`, where it runs in the background.

Cisco Talos published its own analysis, noting that the persistence mechanism activates when a process termination signal is received, such as during a graceful reboot. The backdoor’s primary function is to act as a remote access implant, but it can also execute attacker-supplied shellcode. This is accomplished by hooking into LINA through a modified XML handler, injecting shellcode into memory, and creating a controlled execution path. The shellcode is triggered by a specially crafted WebVPN request that validates a hardcoded identifier before loading and executing payloads directly in memory. CISA has not disclosed specific payloads observed in these attacks.

Cisco has released a security advisory for Firestarter that includes mitigations and workarounds for removing the persistence mechanism, along with indicators of compromise (IoCs) for detection. The vendor strongly recommends reimaging and upgrading the device using fixed software releases, a measure applicable to both compromised and non-compromised systems. To check for compromise, administrators should run the command `show kernel process | include lina_cs`. If any output is returned, the device should be considered infected.

If reimaging is not immediately feasible, Cisco notes that a cold restart, that is, disconnecting the device from power, can remove the malware. However, this method is not recommended due to the risk of database or disk corruption, which can cause boot failures. For additional detection, CISA has shared two YARA rules that can identify the Firestarter backdoor when applied to a disk image or a core dump from an affected device.
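The two checks described above (the `lina_cs` process check and an offline look at a disk image) can be scripted for triage. The following is an added example, not Cisco's or CISA's tooling: it looks for the two file paths the article names under a mounted image root and scans captured `show kernel process` output for a `lina_cs` entry. The image tree and the process listing in `demo()` are constructed for the demonstration, and the real column layout of that command's output is an assumption.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# File paths the article names as Firestarter artifacts (relative to the image root).
ARTIFACT_PATHS = (
    "opt/cisco/platform/logs/var/log/svcsamcore.log",
    "usr/bin/linacs",
)
# Process name that `show kernel process | include lina_cs` filters on.
PROCESS_PATTERN = re.compile(r"\blina_cs\b")


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large logs or dumps are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_image(root: str) -> dict:
    """Return {relative_path: sha256} for every named artifact present under root."""
    found = {}
    for rel in ARTIFACT_PATHS:
        p = Path(root) / rel
        if p.is_file():
            found[rel] = sha256_file(p)  # record the hash for the IR report
    return found


def scan_process_output(text: str) -> list:
    """Return the lines of captured `show kernel process` output naming lina_cs."""
    return [ln.strip() for ln in text.splitlines() if PROCESS_PATTERN.search(ln)]


def is_compromised(found: dict, hits: list) -> bool:
    """Per the advisory, any artifact on disk or any lina_cs process means infected."""
    return bool(found) or bool(hits)


def demo() -> bool:
    """Build a constructed image tree and process listing, then triage them."""
    with tempfile.TemporaryDirectory() as root:
        target = Path(root) / ARTIFACT_PATHS[1]
        target.parent.mkdir(parents=True)
        target.write_bytes(b"constructed placeholder, not real malware")
        output = "  1234     1 lina\n  1300  1234 lina_cs\n"  # constructed sample
        return is_compromised(scan_image(root), scan_process_output(output))
```

Point `scan_image` at the mount point of an image taken from the appliance, and feed `scan_process_output` the saved text of the `show kernel process` command; any hit should be escalated along with the recorded hashes.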

(Source: BleepingComputer)
