A sophisticated backdoor malware called Firestarter has been discovered that maintains persistence on Cisco firewall devices even after security patches and firmware updates, allowing threat actors continued access to compromised networks.
Firestarter malware survives Cisco firewall updates, security patches
Cybersecurity agencies in the U.S. and U.K. are warning about a custom malware called Firestarter that has been persisting on Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. The backdoor, which maintains persistence across reboots, firmware updates, and security patches, has been attributed to a threat actor tracked internally by Cisco Talos as UAT-4356, known for cyberespionage campaigns including ArcaneDoor.
According to joint analysis from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.K. National Cyber Security Center (NCSC), the adversary likely obtained initial access by exploiting a missing authorization issue (CVE-2025-20333) and/or a buffer overflow bug (CVE-2025-20362). In one incident at a federal civilian executive branch agency, CISA observed the threat actor first deploying the Line Viper malware, a user-mode shellcode loader, followed by Firestarter, which enables continued access even after patching.
"CISA has not confirmed the exact date of initial exploitation but assesses the compromise occurred in early September 2025, and before the agency implemented patches in accordance with ED 25-03," the agency notes in an alert.
Line Viper is used to establish VPN sessions and access all configuration details, including administrative credentials, certificates, and private keys on compromised Firepower devices. Next, the ELF binary for the Firestarter backdoor is deployed for persistence, allowing the threat actor to regain access when needed.
Once Firestarter nests on the devices, it maintains persistence across reboots, firmware updates, and security patches. Furthermore, the backdoor relaunches automatically if terminated. Persistence is achieved by hooking into LINA, the core Cisco ASA process, and using signal handlers that trigger reinstallation routines.
A joint malware analysis report from the two cybersecurity agencies explains that Firestarter modifies the CSP_MOUNT_LIST boot/mount file to ensure execution on startup, stores a copy of itself in /opt/cisco/platform/logs/var/log/svc_samcore.log, and restores it to /usr/bin/lina_cs, where it runs in the background.
Cisco Talos also published its analysis of the malware, noting that the persistence mechanism is triggered when a process termination signal is received, also known as a graceful reboot. The researchers observed in the Firestarter report that the backdoor used specific commands to establish persistence for itself.
The implant's core function is to act as a backdoor for remote access, while it can also execute attacker-provided shellcode. This is done through a mechanism in which Firestarter hooks into LINA by modifying an XML handler and injecting shellcode into memory, creating a controlled execution path. This shellcode is triggered by a specially crafted WebVPN request, which, after validating a hardcoded identifier, loads and executes attacker-supplied payloads directly in memory.
However, CISA did not provide details on the specific payloads observed in attacks.
Cisco has published a security advisory about Firestarter that contains mitigations and workarounds for removing the persistence mechanism, as well as indicators of compromise for discovering the Firestarter implant. The vendor "strongly recommends reimaging and upgrading the device using the fixed releases," which covers both compromised and non-compromised cases.
To determine a compromise, administrators should run the 'show kernel process | include lina_cs' command. For any resulting output, the device should be considered compromised.
If device re-imaging is not currently possible, Cisco says that a cold restart (disconnecting the device power) removes the malware. However, this alternative is not recommended as it carries the risk of database or disk corruption, leading to boot problems.
CISA has also shared two YARA rules that can detect the Firestarter backdoor when applied to a disk image or a core dump from a device.
Security experts emphasize that this malware represents a significant threat because it can survive standard patching procedures, potentially allowing attackers to maintain long-term access to network infrastructure. Organizations using affected Cisco devices should prioritize checking for indicators of compromise and implementing the recommended remediation steps.
For more information:
Comments
Please log in or register to join the discussion