FIRESTARTER Backdoor Compromises Federal Cisco Firepower Device, Evades Security Patches
In a significant cybersecurity breach, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has reported that a federal civilian agency’s Cisco Firepower device, operating on Adaptive Security Appliance (ASA) software, was compromised in September 2025 by a new malware identified as FIRESTARTER. This incident highlights the vulnerabilities within critical infrastructure and the persistent threats posed by advanced persistent threat (APT) actors.
Overview of the FIRESTARTER Malware
CISA, in collaboration with the U.K.’s National Cyber Security Centre (NCSC), has assessed FIRESTARTER as a backdoor designed for remote access and control. This malware is believed to be part of a broader campaign aimed at exploiting Cisco ASA firmware vulnerabilities. Specifically, it has leveraged now-patched security flaws, including:
- CVE-2025-20333 (CVSS score: 9.9): This vulnerability allows an authenticated remote attacker with valid VPN credentials to execute arbitrary code as root on the device by sending crafted HTTP requests.
- CVE-2025-20362 (CVSS score: 6.5): This flaw permits an unauthenticated remote attacker to access restricted URL endpoints without authentication through crafted HTTP requests.
CISA and NCSC noted that FIRESTARTER can persist as an active threat on devices running ASA or Firepower Threat Defense (FTD) software, allowing threat actors to regain access without needing to re-exploit vulnerabilities.
Deployment of LINE VIPER Toolkit
In the incident under investigation, threat actors utilized a post-exploitation toolkit known as LINE VIPER. This toolkit is capable of executing command-line interface (CLI) commands, performing packet captures, bypassing VPN Authentication, Authorization, and Accounting (AAA), suppressing syslog messages, harvesting user CLI commands, and forcing delayed reboots. The access provided by LINE VIPER facilitated the deployment of FIRESTARTER on the Firepower device prior to September 25, 2025.
FIRESTARTER is a Linux ELF binary that establishes persistence on the device, surviving firmware updates and reboots unless a hard power cycle occurs. It embeds itself into the device’s boot sequence by manipulating a startup mount list, ensuring it reactivates with each normal reboot. This resilience has drawn comparisons to a previously documented bootkit known as RayInitiator.
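Two of the LINE VIPER capabilities described above, suppressing syslog messages and forcing delayed reboots, leave observable traces on a central log collector: a device that normally logs continuously goes quiet, and it later reports a restart nobody scheduled. The following script is an added example written for this article; it is not code from CISA, NCSC, Cisco or the reporting it summarizes. It assumes syslog lines arrive with a leading ISO-8601 timestamp, a hostname and an ASA-style "%ASA-<severity>-<id>: <text>" body; the sample lines and the six-digit message IDs in them are constructed placeholders, not documented ASA message IDs, and the silence threshold must be tuned to each device's normal logging rate.

```python
"""Flag syslog silence gaps and unscheduled reboots from ASA-style syslog.

Added illustrative example. The line format is an assumption, and every
sample line and message ID below is constructed for the demonstration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

# Constructed sample: a firewall that normally logs every minute or so goes
# silent for ~20 minutes, then reports a reload that no change ticket covers.
SAMPLE_SYSLOG = """\
2025-09-20T10:00:05Z fw-edge-01 %ASA-6-000001: Built outbound TCP connection (constructed)
2025-09-20T10:00:50Z fw-edge-01 %ASA-6-000001: Built outbound TCP connection (constructed)
2025-09-20T10:01:40Z fw-edge-01 %ASA-6-000001: Teardown TCP connection (constructed)
2025-09-20T10:21:10Z fw-edge-01 %ASA-6-000001: Built outbound TCP connection (constructed)
2025-09-20T10:22:00Z fw-edge-01 %ASA-5-000002: System is rebooting (constructed)
2025-09-20T10:30:00Z fw-edge-01 %ASA-6-000003: Startup completed. Boot reason: reload (constructed)
"""

# Assumed line layout: "<timestamp> <host> %ASA-<sev>-<msgid>: <text>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+%ASA-(?P<sev>\d)-(?P<msgid>\d+):\s+(?P<text>.*)$"
)
# Words that indicate a restart; broaden or narrow to the platform's real wording.
REBOOT_RE = re.compile(r"reboot|reload|startup completed", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str            # "syslog_gap" or "unexpected_reboot"
    start: datetime
    end: datetime
    detail: str


def parse_ts(raw: str) -> datetime:
    # datetime.fromisoformat() only accepts a trailing "Z" from Python 3.11 on,
    # so normalise it to an explicit UTC offset first.
    return datetime.fromisoformat(raw.replace("Z", "+00:00"))


def parse_syslog(text: str) -> list[tuple[datetime, str, int, str, str]]:
    """Return (timestamp, host, severity, msgid, text) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the assumed layout
        events.append((parse_ts(m["ts"]), m["host"], int(m["sev"]), m["msgid"], m["text"]))
    events.sort(key=lambda e: e[0])
    return events


def analyze(
    text: str,
    silence_minutes: float = 10,
    maintenance_windows: Iterable[tuple[str, str]] = (),
) -> list[Finding]:
    """Report silence gaps longer than the threshold and reboots outside maintenance windows."""
    events = parse_syslog(text)
    windows = [(parse_ts(a), parse_ts(b)) for a, b in maintenance_windows]
    threshold = timedelta(minutes=silence_minutes)
    findings: list[Finding] = []

    # 1. Silence gaps: a device that logs continuously should never be quiet
    #    for longer than its tuned baseline allows.
    for prev, cur in zip(events, events[1:]):
        delta = cur[0] - prev[0]
        if delta > threshold:
            findings.append(Finding("syslog_gap", prev[0], cur[0], f"{prev[1]}: no messages for {delta}"))

    # 2. Restart indicators that fall outside any approved maintenance window.
    for ts, host, _sev, _msgid, msg in events:
        if REBOOT_RE.search(msg) and not any(a <= ts <= b for a, b in windows):
            findings.append(Finding("unexpected_reboot", ts, ts, f"{host}: {msg}"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_SYSLOG):
        print(f"{f.kind:18} {f.start.isoformat()} -> {f.end.isoformat()}  {f.detail}")
```

Run against the constructed sample, the script reports one 19-minute gap and two restart messages. A gap alone is weak evidence (collector outages and congestion also cause them), which is why the two signals are reported together; a gap followed by an unscheduled reload on a device that sits on the internet edge is the combination worth escalating to a full compromise assessment.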
Implications of the Compromise
Despite Cisco’s patches addressing CVE-2025-20333 and CVE-2025-20362, devices compromised before these updates may remain compromised, as FIRESTARTER is not removed by firmware updates. Cisco is tracking the exploitation activity associated with these vulnerabilities under the designation UAT4356 (also referred to as Storm-1849). The company has described FIRESTARTER as a backdoor that enables the execution of arbitrary shellcode via specially crafted WebVPN authentication requests containing a “magic packet.”
The origins of this threat activity remain unclear, but an analysis from Censys in May 2024 suggested potential links to China. UAT4356 was initially attributed to a campaign named ArcaneDoor, which exploited zero-day vulnerabilities in Cisco networking equipment to deliver custom malware capable of capturing network traffic.
Recommendations for Mitigation
To fully eliminate the persistence mechanism of FIRESTARTER, Cisco strongly recommends reimaging and upgrading the affected device using fixed releases. In cases of confirmed compromise on any Cisco Secure ASA or FTD platforms, all configuration elements of the device should be treated as untrusted. Until reimaging can be performed, Cisco advises customers to conduct a cold restart to remove the FIRESTARTER implant, emphasizing that standard shutdown and reboot commands will not suffice; the power cord must be disconnected and reconnected.
Broader Context: Covert Networks and State-Sponsored Threats
This disclosure aligns with a joint advisory released by the U.S., U.K., and various international partners regarding large-scale networks of compromised SOHO routers and IoT devices exploited by China-nexus threat actors. These actors utilize these networks to obscure their espionage activities and complicate attribution efforts.
State-sponsored groups, including Volt Typhoon and Flax Typhoon, have leveraged these botnets—comprising home routers, security cameras, and other IoT devices—to target critical infrastructure sectors and conduct cyber espionage in a cost-effective and deniable manner. The dynamic nature of these networks, which are frequently updated, poses challenges for defenders attempting to identify and block malicious activity using static IP blocklists.
The findings underscore a prevalent pattern in state-sponsored attacks: targeting network perimeter devices across residential, enterprise, and government networks to convert them into proxy nodes or intercept sensitive data. Sergey Shykevich, group manager of threat intelligence at Check Point Software, noted that China-nexus activity in 2025 focused on edge and perimeter infrastructure, which often remains unpatched and provides a low-visibility foothold into compromised environments.
Shykevich emphasized the operational scale and maturity reflected in the advisory’s findings, indicating that multiple actor groups are running these networks in parallel and sometimes sharing them. This level of sophistication should raise concerns for organizations operating critical infrastructure or government systems. Detection alone is insufficient; prevention must extend to every point in the connectivity fabric, including often-overlooked infrastructure.
For further details on this incident and its implications, refer to the original reporting source: thehackernews.com.