FIRESTARTER: APT Backdoor on Cisco ASA/Firepower Devices Survives Patching — Federal Agency Confirmed Compromised
Introduction
CISA and the UK's NCSC have jointly published a malware analysis report confirming that a US Federal Civilian Executive Branch (FCEB) agency's Cisco Firepower device — running Adaptive Security Appliance (ASA) software — was compromised in September 2025 by a previously undisclosed backdoor named FIRESTARTER. The most important detail isn't the breach itself; it's that patching the underlying CVEs does not remove FIRESTARTER. The implant is engineered to survive firmware updates and reboots through process-resurrection logic and manipulation of the Cisco Service Platform mount list. If you patched ED 25-03 vulnerabilities last September and called it done, your edge is still on the menu.
What Happened
In September 2025, CISA issued Emergency Directive 25-03 ordering federal agencies to patch two ASA vulnerabilities: CVE-2025-20333, a CWE-120 buffer overflow in the VPN web server that allows remote code execution by an attacker holding valid VPN credentials, and CVE-2025-20362, a CWE-862 missing-authorization flaw that lets an unauthenticated attacker reach restricted URL endpoints via crafted HTTP requests. Cisco's Talos team and CISA both attributed the campaign to UAT-4356, an APT actor focused on espionage. The attackers' standard post-exploitation implant was a tool called LINE VIPER.
What the September advisory didn't say is what CISA confirmed publicly on April 23, 2026: while monitoring FCEB networks, CISA detected suspicious connections on one agency's Firepower ASA device. Forensic analysis identified an entirely different implant — FIRESTARTER — that the same actor had deployed as a persistence mechanism. UAT-4356's playbook is now clear: gain access via the n-day, drop LINE VIPER for hands-on operations, then drop FIRESTARTER to keep the device on a leash even after the victim patches.
FIRESTARTER is a Linux ELF binary that targets the Firepower eXtensible Operating System (FXOS) and executes arbitrary code inside the LINA process — the C/C++ daemon that is the heart of every ASA and FTD appliance. Its persistence trick is simple but effective: it manipulates the Cisco Service Platform's mount list and intercepts process termination signals to immediately respawn itself. A standard reboot does not clear it. A firmware update does not clear it. Talos notes that only a hard power cycle removes the implant after a process termination signal is received — and even that depends on the disk artifacts not being re-applied at boot.
The FCEB agency in question patched the September CVEs as required by ED 25-03. FIRESTARTER stayed. CISA's Acting Director Nick Andersen put the conclusion plainly: "FIRESTARTER can persist as an active threat on Cisco ASA devices or FTD software," and patching alone does not constitute remediation.
CISA has updated ED 25-03 with new mandatory actions for federal agencies: collect device core dumps and submit them through CISA's Malware Next Generation (MNG) platform, which analyzes core dumps for the presence and behavior of the modified lina_cs binary. Federal agencies are required to comply; CISA strongly urges everyone else to do the same.
Why It Matters
A compromised network edge device is a defender's worst position. The firewall sits in line with every authentication, every VPN session, every internal traffic flow. UAT-4356's combination of LINE VIPER for access and FIRESTARTER for persistence converts the firewall into a long-lived foothold for credential harvesting, internal reconnaissance, and lateral pivoting, all from a position that host EDR does not cover and that most IDS and SIEM feeds only see from the wrong side. Because ordinary patching workflows do not evict the implant, organizations that responded to ED 25-03 by patching alone may still have an active foothold on their Cisco edge today without knowing it.
The campaign also matters because the same TTPs are presumably being used against private-sector Cisco ASA/FTD deployments. CISA only has visibility into FCEB networks; the malware analysis was published precisely so private organizations can hunt for the implant themselves.
Who Is Affected
- All Cisco ASA and FTD software running on Firepower or Secure Firewall appliances
- Any environment that patched ED 25-03 in September 2025 without performing a memory or core-dump forensic check afterwards
- Federal civilian executive branch agencies (mandatory action under ED 25-03 and its supplemental direction)
- Internet-exposed ASA/FTD instances — particularly those with SSL VPN endpoints that were potentially exploited via CVE-2025-20333
- Private-sector enterprises with Cisco edge devices that were unpatched at any point during the exploitation window (June–September 2025)
How to Protect Yourself
Step 1: Inventory every Cisco Firepower / ASA / Secure Firewall in your environment. The hunt only works if you know what you have.
# From a NetOps host with SSH credentials to your devices, reading a plain-text
# inventory with one hostname or IP per line. ssh -n keeps ssh from swallowing
# the rest of the inventory on stdin.
while read -r host; do
  [ -z "$host" ] && continue
  printf '=== %s ===\n' "$host"
  ssh -n admin@"$host" 'show version | include Cisco|Adaptive|Firepower|FTD'
  ssh -n admin@"$host" 'show inventory'
done < cisco_devices.txt
Step 2: Generate a core dump from each device and submit it to CISA's MNG platform (per ED 25-03 supplemental direction). On ASA:
ciscoasa# show coredump filesystem     # is a coredump filesystem already allocated?
ciscoasa# show coredump log            # preserve any dumps that already exist
ciscoasa# configure terminal
ciscoasa(config)# coredump enable      # allocate the coredump filesystem if it is not present
ciscoasa(config)# exit
ciscoasa# write memory
ciscoasa# write standby                # HA pair only: push the change to the standby unit
# Trigger and collect the core dump per Cisco TAC procedure, then copy the
# resulting core file off-box (copy disk0:/<corefile> scp:...) for submission to MNG
For FTD devices, follow Cisco's show tech-support and core-dump capture procedure documented in the Supplemental Direction.
CISA's submission portal: Malware Next Generation Analysis.
Step 3: Run the CISA YARA rules locally. CISA published YARA rules in malware analysis report AR26-113A. Apply them to a disk image or core dump with yara:
yara -s firestarter.yar /path/to/coredump.bin    # -s prints the matched strings for triage
yara -s firestarter.yar /path/to/disk_image.dd
Step 4: Review egress and management plane logs from Cisco edge devices for the full June 2025 to present window. Look for:
- Outbound connections from the firewall management plane to unfamiliar IPs (FIRESTARTER's C2 communications originate inside the LINA process, so they look like legitimate ASA management traffic).
- Authentication anomalies on AAA / SSL VPN sessions from the period before patches were applied.
- Unexpected show tech or show capture activity that wasn't initiated by your team.
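The Step 4 review, as an added example that is not part of the original write-up and is not CISA, Cisco or Talos tooling: a small triage script that runs the three checks above over ASA syslog. The three message formats it parses (%ASA-6-302013 connection build, %ASA-5-111008 command execution, %ASA-6-605005 login permitted) are real ASA syslog types; the interface names, peer allow-list, administrator names and networks, the suspect-command list and the sample log lines are all constructed assumptions for the demonstration and must be replaced with your own inventory.

```python
"""Triage ASA syslog for the Step 4 indicators.

Added example for this write-up; not code from CISA, Cisco Talos or the article.
The three message formats (%ASA-6-302013, %ASA-5-111008, %ASA-6-605005) are real
ASA syslog types; everything else (interface names, peer allow-lists, admin names
and networks, the suspect-command list, the sample log) is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Finding:
    kind: str      # "mgmt-egress", "suspect-command" or "admin-login"
    detail: str
    line: str


# Assumed environment facts; replace with your own inventory.
MGMT_IFACES = {"management", "NP Identity Ifc"}        # where the box's own traffic originates
KNOWN_MGMT_PEERS = {"203.0.113.10", "203.0.113.11"}   # sanctioned syslog/NTP/AAA peers
AUTHORIZED_ADMINS = {"netops1", "netops2"}
ADMIN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
# Commands that pull device state or captures off-box; reconcile every hit with change tickets.
SUSPECT_COMMANDS = ("show tech", "show capture", "capture", "copy", "coredump")

# 302013: "Built outbound TCP connection N for <far_if>:<far_ip>/<port> (...) to <src_if>:<src_ip>/<port> (...)"
# For an outbound connection the first endpoint is the far end, the second is the initiator.
RE_CONN = re.compile(
    r"%ASA-6-302013: Built outbound TCP connection \d+ for "
    r"(?P<dst_if>[^:]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) \([^)]*\) to "
    r"(?P<src_if>[^:]+):(?P<src_ip>[\d.]+)/\d+"
)
# 111008: "User 'u' executed the 'cmd' command."
RE_CMD = re.compile(r"%ASA-5-111008: User '(?P<user>[^']+)' executed the '(?P<cmd>[^']+)' command")
# 605005: 'Login permitted from a.b.c.d/port to <if>:<ip>/<svc> for user "u"'
RE_LOGIN = re.compile(
    r"%ASA-6-605005: Login permitted from (?P<src_ip>[\d.]+)/\d+ to "
    r"[^:]+:[\d.]+/(?P<svc>\w+) for user \"(?P<user>[^\"]+)\""
)


def from_admin_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_NETWORKS)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding when the line matches one of the Step 4 indicators, else None."""
    m = RE_CONN.search(line)
    if m:
        # Device-originated egress to a peer we did not sanction: candidate C2 from inside LINA.
        if m["src_if"] in MGMT_IFACES and m["dst_ip"] not in KNOWN_MGMT_PEERS:
            return Finding("mgmt-egress", f"{m['src_ip']} -> {m['dst_ip']}:{m['dst_port']}", line)
        return None
    m = RE_CMD.search(line)
    if m:
        # Flag every state-extraction command; note whether the account is one we recognise.
        if m["cmd"].lower().startswith(SUSPECT_COMMANDS):
            who = m["user"] if m["user"] in AUTHORIZED_ADMINS else f"{m['user']} (unknown account)"
            return Finding("suspect-command", f"{who} ran '{m['cmd']}'", line)
        return None
    m = RE_LOGIN.search(line)
    if m:
        # Admin login by an unknown account or from outside the admin networks.
        if m["user"] not in AUTHORIZED_ADMINS or not from_admin_network(m["src_ip"]):
            return Finding("admin-login", f"{m['user']} from {m['src_ip']} via {m['svc']}", line)
    return None


def triage(lines: Iterable[str]) -> List[Finding]:
    return [f for f in (triage_line(ln) for ln in lines) if f is not None]


# Constructed sample log, RFC 3164 style as ASA sends to a syslog collector.
SAMPLE_LOG = """\
<166>Sep 18 2025 02:14:03 fw1 %ASA-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.7/443 (198.51.100.7/443) to management:10.0.0.1/51234 (10.0.0.1/51234)
<166>Sep 18 2025 02:14:09 fw1 %ASA-6-302013: Built outbound TCP connection 4712 for outside:203.0.113.10/514 (203.0.113.10/514) to management:10.0.0.1/51235 (10.0.0.1/51235)
<166>Sep 18 2025 02:15:41 fw1 %ASA-6-302013: Built outbound TCP connection 4713 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.20.30.40/51236 (10.20.30.40/51236)
<166>Sep 18 2025 02:19:55 fw1 %ASA-6-605005: Login permitted from 198.51.100.7/40213 to management:10.0.0.1/ssh for user "enable_15"
<165>Sep 18 2025 02:20:17 fw1 %ASA-5-111008: User 'enable_15' executed the 'show tech-support' command.
<165>Sep 18 2025 02:21:02 fw1 %ASA-5-111008: User 'netops1' executed the 'show version' command.
<166>Sep 18 2025 08:00:02 fw1 %ASA-6-605005: Login permitted from 192.0.2.5/52341 to management:10.0.0.1/ssh for user "netops2"
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f.kind}] {f.detail}")
```

Run it on an export of the device's syslog for the whole window rather than on the device's own buffer, which an implant inside LINA could have pruned. Every suspect command is flagged regardless of account, because the credentials used may themselves be stolen; the "unknown account" marker only tells you which hits to look at first.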
Step 5: Hard-power-cycle devices that test positive. A soft reboot or firmware reflash is not enough. Schedule a complete power cycle (full power loss, not graceful shutdown), then re-image the device using only Cisco-signed media verified out-of-band:
ciscoasa(config)# verify /md5 disk0:/asa-image.bin
# Compare hash to Cisco-signed advisory checksum, NOT against hash from compromised device
Step 6: Rotate all credentials that the device handled — RADIUS/TACACS+ shared secrets, IPsec PSKs, AnyConnect/SSL VPN user credentials, certificate private keys (regenerate, don't just renew), and any service-account passwords reachable via VPN. UAT-4356 is an espionage actor; assume credential and certificate material exfiltrated.
Step 7: Harden the management plane against re-compromise.
- Restrict management access to the dedicated management interface (mgmt0) only; never expose it on a data interface.
- Enforce MFA on all administrative access (aaa authentication ssh console LOCAL is not enough).
- Move device authentication off RADIUS over UDP and legacy TACACS+ (which only obfuscates its TCP payload rather than encrypting it) to TACACS+ over TLS 1.3, as CISA explicitly recommends in the report.
- Set service password-encryption and audit enable secret strength.
- Subscribe to Cisco PSIRT advisories and patch n-days within the 7-day window CISA's CPG 2.0 expects.
Step 8: Report findings. If you locate FIRESTARTER, report immediately to CISA (1-844-Say-CISA or report@cisa.gov) or to the NCSC. Coordinated reporting helps trace the campaign's full footprint.
Source
- The Hacker News — FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches
- CISA — FIRESTARTER Backdoor Malware Analysis Report (AR26-113A)
- CISA — Warning on FIRESTARTER Targeting Cisco ASA / Firepower / Secure Firewall
- Cisco Talos — UAT-4356's Targeting of Cisco Firepower Devices
- CISA Emergency Directive 25-03