Cybersecurity authorities in the United States and the United Kingdom have issued a joint alert about a previously undocumented malware strain called Firestarter that is capable of maintaining access on Cisco firewall systems even after updates and security patches are applied.
The malware affects Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. Investigators have linked the activity to a threat actor tracked by Cisco Talos as UAT-4356, a group associated with espionage-focused operations, including campaigns such as ArcaneDoor.
According to assessments from the Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC), the attackers likely gained initial entry by exploiting two vulnerabilities. One is an authorization flaw identified as CVE-2025-20333, and the other is a buffer overflow issue tracked as CVE-2025-20362. Both weaknesses could allow unauthorized access to targeted devices.
In one confirmed case involving a U.S. federal civilian executive branch agency, investigators observed a staged intrusion. The attackers first deployed a tool called Line Viper, which operates as a user-mode shellcode loader. This malware was used to establish VPN connections and extract sensitive configuration data from the device, including administrator credentials, certificates, and private cryptographic keys.
After this initial access phase, the attackers introduced the Firestarter backdoor to ensure continued control. CISA noted that while the precise date of the breach has not been verified, the compromise likely occurred in early September 2025, before the agency applied patches required under Emergency Directive 25-03.
Firestarter is designed to maintain persistence. Once installed, it continues functioning across system reboots, firmware upgrades, and security patching. In addition, if its process is terminated, it is capable of restarting itself automatically.
The malware achieves this persistence by integrating with LINA, a core process within Cisco ASA systems. It uses signal-handling mechanisms to detect termination events and trigger routines that reinstall the malware.
A joint technical analysis from CISA and NCSC found that Firestarter modifies the system’s boot configuration by altering the CSP_MOUNT_LIST file, ensuring that it executes during device startup. It also stores a copy of itself within system log directories and restores its executable into a critical system path, allowing it to run silently in the background.
Separate analysis from Cisco Talos indicates that the persistence mechanism is activated when the system receives a process termination signal, such as during a controlled or “graceful” reboot.
The primary function of Firestarter is to act as a backdoor, providing attackers with remote access to compromised devices. It can also execute arbitrary shellcode supplied by the attacker.
This capability is enabled by modifying an internal XML handler within the LINA process and injecting malicious code directly into memory. Execution is triggered through specially crafted WebVPN requests. Once a built-in identifier is validated, the malware loads and executes attacker-provided payloads in memory without writing them to disk. Authorities have not disclosed details about the specific payloads used in observed incidents.
Cisco has released a security advisory outlining mitigation steps, recommended workarounds, and indicators of compromise to help identify infections. The company advises organizations to fully reimage affected devices and upgrade to fixed software versions, regardless of whether compromise has been confirmed.
To check for signs of infection, administrators are instructed to run a diagnostic command that inspects running processes. If any output is returned indicating the presence of a specific process, the device should be treated as compromised.
As an alternative, Cisco noted that performing a complete power shutdown may remove the malware. However, this approach is not recommended because it introduces the risk of database or disk corruption, which could lead to system instability or boot failures.
To assist with detection, CISA has also released two YARA rules that can identify the Firestarter backdoor when analyzing disk images or memory dumps from affected systems.
There is a noticeable change in how attackers approach the network infrastructure. Instead of focusing only on endpoints such as laptops or servers, threat actors are placing long-term implants directly within security appliances that sit at the edge of enterprise networks.
Firestarter introduces a specific operational challenge. Even after vulnerabilities are patched, the implanted malware remains active because it embeds itself within core system processes and startup routines. This separates the persistence mechanism from the original point of entry.
The use of in-memory execution through WebVPN requests also reduces visibility. Since payloads are not written to disk, traditional file-based detection methods may not identify malicious activity.
For defenders, this means that patching alone cannot be treated as confirmation that a system is secure. Additional validation steps are required, including process inspection, firmware integrity checks, and monitoring for abnormal behavior in network appliances.
The incident also reinforces the importance of restricting exposure of management interfaces and ensuring that critical infrastructure devices are continuously monitored, not just periodically updated.
