FIRESTARTER: APT Backdoor on Cisco ASA/Firepower Devices Survives Patching — Federal Agency Confirmed Compromised

Introduction

CISA and the UK's NCSC have jointly published a malware analysis report confirming that a US Federal Civilian Executive Branch (FCEB) agency's Cisco Firepower device — running Adaptive Security Appliance (ASA) software — was compromised in September 2025 by a previously undisclosed backdoor named FIRESTARTER. The most important detail isn't the breach itself; it's that patching the underlying CVEs does not remove FIRESTARTER. The implant is engineered to survive firmware updates and reboots through process-resurrection logic and manipulation of the Cisco Service Platform mount list. If you patched ED 25-03 vulnerabilities last September and called it done, your edge is still on the menu.

What Happened

In September 2025, CISA issued Emergency Directive 25-03 ordering federal agencies to patch two ASA vulnerabilities — CVE-2025-20333 (a CWE-862 missing authorization flaw allowing RCE for users with VPN credentials) and CVE-2025-20362 (a CWE-120 buffer overflow letting unauthenticated attackers reach restricted endpoints via crafted HTTP requests). Cisco's Talos team and CISA both attributed the campaign to UAT-4356, an APT actor focused on espionage. The attackers' standard post-exploitation implant was a tool called LINE VIPER.

What the September advisory didn't say is what CISA confirmed publicly on April 23, 2026: while monitoring FCEB networks, CISA detected suspicious connections on one agency's Firepower ASA device. Forensic analysis identified an entirely different implant — FIRESTARTER — that the same actor had deployed as a persistence mechanism. UAT-4356's playbook is now clear: gain access via the n-day, drop LINE VIPER for hands-on operations, then drop FIRESTARTER to keep the device on a leash even after the victim patches.

FIRESTARTER is a Linux ELF binary that targets the Firepower eXtensible Operating System (FXOS) and executes arbitrary code inside the LINA process — the C/C++ daemon that is the heart of every ASA and FTD appliance. Its persistence trick is simple but effective: it manipulates the Cisco Service Platform's mount list and intercepts process termination signals to immediately respawn itself. A standard reboot does not clear it. A firmware update does not clear it. Talos notes that only a hard power cycle removes the implant after a process termination signal is received — and even that depends on the disk artifacts not being re-applied at boot.

The FCEB agency in question patched the September CVEs as required by ED 25-03. FIRESTARTER stayed. CISA's Acting Director Nick Andersen put the conclusion plainly: "FIRESTARTER can persist as an active threat on Cisco ASA devices or FTD software," and patching alone does not constitute remediation.

CISA has updated ED 25-03 with new mandatory actions for federal agencies: collect device core dumps and submit them through CISA's Malware Next Generation (MNG) platform, which analyzes core dumps for the presence and behavior of the modified lina_cs binary. Federal agencies are required to comply; CISA strongly urges everyone else to do the same.

Why It Matters

A compromised network edge device is a defender's worst position. The firewall sits in line with every authentication, every VPN session, every internal traffic flow. UAT-4356's combination of LINE VIPER for access and FIRESTARTER for persistence converts the firewall into a long-lived foothold for credential harvesting, internal reconnaissance, and lateral pivoting — all from a position where IDS, EDR, and SIEM cannot see the traffic. The fact that ordinary patching workflows do not evict the implant means most organizations that responded to ED 25-03 still have active risk on their Cisco edge today, and they don't know it.

The campaign also matters because the same TTPs are presumably being used against private-sector Cisco ASA/FTD deployments. CISA only has visibility into FCEB networks; the malware analysis was published precisely so private organizations can hunt for the implant themselves.

Who Is Affected

  • All Cisco ASA and FTD software running on Firepower or Secure Firewall appliances
  • Any environment that patched ED 25-03 in September 2025 without performing a memory or core-dump forensic check afterwards
  • Federal civilian executive branch agencies (mandatory action per V1: ED 25-03)
  • Internet-exposed ASA/FTD instances — particularly those with SSL VPN endpoints that were potentially exploited via CVE-2025-20333
  • Private-sector enterprises with Cisco edge devices that were unpatched at any point during the exploitation window (June–September 2025)

How to Protect Yourself

Step 1: Inventory every Cisco Firepower / ASA / Secure Firewall in your environment. The hunt only works if you know what you have.

# From a NetOps host with credentials to your devices, against an inventory list (one hostname or IP per line)
while IFS= read -r host; do
  [ -n "$host" ] || continue   # skip blank lines
  printf '=== %s ===\n' "$host"
  # -n keeps ssh from swallowing the rest of the inventory on stdin; BatchMode fails fast instead of prompting
  ssh -n -o BatchMode=yes admin@"$host" 'show version | include "Cisco|Adaptive|Firepower|FTD"; show inventory'
done < cisco_devices.txt

Step 2: Generate a core dump from each device and submit it to CISA's MNG platform (per ED 25-03 supplemental direction). On ASA:

ciscoasa# verify core
ciscoasa# show coredump
ciscoasa# write standby   # if HA pair
ciscoasa(config)# coredump enable
# Trigger a core dump per Cisco TAC procedure

For FTD devices, follow Cisco's show tech-support and core-dump capture procedure documented in the Supplemental Direction.

CISA's submission portal: Malware Next Generation Analysis.

Step 3: Run the CISA YARA rules locally. CISA published YARA rules in malware analysis report AR26-113A. Apply them to a disk image or core dump with yara:

yara -r firestarter.yar /path/to/coredump.bin
yara -r firestarter.yar /path/to/disk_image.dd

Step 4: Review egress and management plane logs from Cisco edge devices for the full June 2025 → present window. Look for:

  • Outbound connections from the firewall management plane to unfamiliar IPs (FIRESTARTER's C2 communications appear inside the LINA process — they look like legitimate ASA management traffic).
  • Authentication anomalies on aaa / SSL VPN sessions from the period before patches were applied.
  • Unexpected show tech or show capture activity that wasn't initiated by your team.
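One way to work the first bullet at scale, as an added example that is not from the CISA/NCSC report or from Cisco: a POSIX shell/awk script that reads ASA syslog, keeps only the %ASA-6-302013 "Built outbound" records that the firewall itself originated, and flags any destination that is not on an allowlist of peers the device is expected to contact on its own (syslog collector, NTP, update relay). The sample log lines and the allowlist are constructed for this example. The parser assumes the 302013 layout in which the "for" side names the far (outside) peer and the "to" side names the originating host, with the interface name `identity` marking connections the ASA opened itself; confirm that layout against your own devices' logging before relying on it.

```shell
#!/bin/sh
# Hunt for firewall-originated egress in ASA syslog (added example; not CISA or Cisco code).
# Assumed %ASA-6-302013 layout:
#   Built outbound TCP connection <id> for <far_iface>:<ip>/<port> (...) to <src_iface>:<ip>/<port> (...)
# with src_iface == "identity" when the ASA itself opened the connection.

# Constructed sample log: four Built records (three self-originated) and one Teardown.
SAMPLE_LOG=$(mktemp)
ALLOWLIST=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$ALLOWLIST"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jun 12 2025 03:14:07 fw-edge-01 %ASA-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.77/443 (203.0.113.77/443) to identity:198.51.100.2/49152 (198.51.100.2/49152)
Jun 12 2025 03:14:09 fw-edge-01 %ASA-6-302013: Built outbound TCP connection 4712 for outside:192.0.2.10/443 (192.0.2.10/443) to identity:198.51.100.2/49153 (198.51.100.2/49153)
Jun 12 2025 03:15:00 fw-edge-01 %ASA-6-302013: Built outbound TCP connection 4720 for outside:203.0.113.77/443 (203.0.113.77/443) to inside:10.10.20.15/51000 (10.10.20.15/51000)
Jun 12 2025 03:16:22 fw-edge-01 %ASA-6-302014: Teardown TCP connection 4711 for outside:203.0.113.77/443 to identity:198.51.100.2/49152 duration 0:02:15 bytes 48213 TCP FINs
Jun 12 2025 03:20:00 fw-edge-01 %ASA-6-302013: Built outbound TCP connection 4730 for outside:192.0.2.10/443 (192.0.2.10/443) to identity:198.51.100.2/49160 (198.51.100.2/49160)
EOF

# Constructed allowlist: peers the firewall is expected to contact by itself, one IPv4 per line.
printf '192.0.2.10\n' > "$ALLOWLIST"

# firewall_egress_summary <syslog-file>
# Prints "<dst-ip> <count>" for every destination the firewall itself connected to, sorted.
firewall_egress_summary() {
  awk '
    /%ASA-6-302013: Built outbound/ {
      for (i = 1; i <= NF; i++) { if ($i == "for") far = $(i+1); if ($i == "to") src = $(i+1) }
      split(far, f, "[:/]"); split(src, s, "[:/]")   # f[1]=iface f[2]=ip f[3]=port
      if (s[1] == "identity") count[f[2]]++
    }
    END { for (ip in count) printf "%s %d\n", ip, count[ip] }
  ' "$1" | sort
}

# flag_unexpected_egress <syslog-file> <allowlist-file>
# Prints one FLAG line per firewall-originated connection whose destination is not allowlisted.
flag_unexpected_egress() {
  awk -v allowfile="$2" '
    BEGIN { while ((getline ip < allowfile) > 0) allowed[ip] = 1 }
    /%ASA-6-302013: Built outbound/ {
      for (i = 1; i <= NF; i++) { if ($i == "for") far = $(i+1); if ($i == "to") src = $(i+1) }
      split(far, f, "[:/]"); split(src, s, "[:/]")
      if (s[1] != "identity" || (f[2] in allowed)) next
      match($0, /connection [0-9]+/); id = substr($0, RSTART + 11, RLENGTH - 11)
      printf "FLAG conn=%s time=\"%s %s %s %s\" dst=%s:%s/%s\n", id, $1, $2, $3, $4, f[1], f[2], f[3]
    }
  ' "$1"
}

echo "Firewall-originated destinations (ip count):"
firewall_egress_summary "$SAMPLE_LOG"
echo "Unexpected egress:"
flag_unexpected_egress "$SAMPLE_LOG" "$ALLOWLIST"
```

On the sample, the summary lists two destinations and the flag pass reports only connection 4711: the host-originated connection 4720 to the same address is ignored because it did not come from the firewall itself, and 4712/4730 are on the allowlist. Point both functions at your exported syslog and a real allowlist; anything flagged over the June 2025 to present window deserves a core dump and a look at the matching 302014 teardown for byte counts and duration.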

Step 5: Hard-power-cycle devices that test positive. A soft reboot or firmware reflash is not enough. Schedule a complete power cycle (full power loss, not graceful shutdown), then re-image the device using only Cisco-signed media verified out-of-band:

ciscoasa(config)# verify /md5 disk0:/asa-image.bin
# Compare hash to Cisco-signed advisory checksum, NOT against hash from compromised device

Step 6: Rotate all credentials that the device handled — RADIUS/TACACS+ shared secrets, IPsec PSKs, AnyConnect/SSL VPN user credentials, certificate private keys (regenerate, don't just renew), and any service-account passwords reachable via VPN. UAT-4356 is an espionage actor; assume credential and certificate material has been exfiltrated.

Step 7: Harden the management plane against re-compromise.

  • Restrict management access to mgmt0 only — never on the data interface.
  • Enforce MFA on all administrative access (aaa authentication ssh console LOCAL is not enough).
  • Move from RADIUS/TACACS+ over UDP to TACACS+ over TLS 1.3 as CISA explicitly recommends in the report.
  • Set service password-encryption and audit enable secret strength.
  • Subscribe to Cisco PSIRT advisories and patch n-days within the 7-day window CISA's CPG 2.0 expects.
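A quick check of the first two bullets against a saved running-config before a re-imaged device goes back into service, as an added example that is not Cisco's or CISA's tooling: a POSIX shell/awk audit that reports every SSH or HTTPS management listener bound to an interface other than the management one, and flags an `aaa authentication ssh console` line that names only LOCAL (password-only admin login, no AAA server behind which to enforce MFA). The config excerpt is constructed. The script assumes ASA's `ssh <ipv4> <mask> <nameif>`, `http <ipv4> <mask> <nameif>` and `aaa authentication ssh console <server-tag|LOCAL> [LOCAL]` syntax, and takes the management interface's nameif as an argument because it differs between platforms (`mgmt0` above, `management` in the sample).

```shell
#!/bin/sh
# Audit a saved 'show running-config' for management-plane exposure and
# password-only SSH admin auth (added example; not Cisco's or CISA's tooling).

# Constructed running-config excerpt: two data-plane management listeners
# and LOCAL-only SSH authentication.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
hostname fw-edge-01
interface Management0/0
 nameif management
 security-level 100
 ip address 10.250.0.1 255.255.255.0
ssh 10.250.0.0 255.255.255.0 management
ssh 0.0.0.0 0.0.0.0 outside
ssh version 2
ssh key-exchange group dh-group14-sha256
http server enable
http 10.250.0.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside
aaa authentication ssh console LOCAL
EOF

# audit_mgmt_plane <config-file> <management-nameif>
# Prints one FINDING line per problem; prints nothing when the config passes both checks.
audit_mgmt_plane() {
  awk -v mgmt="$2" '
    # "ssh <ip> <mask> <nameif>" / "http <ip> <mask> <nameif>" on anything but the management nameif.
    # The IPv4-mask test on $3 keeps lines such as "ssh key-exchange group ..." out of the match.
    ($1 == "ssh" || $1 == "http") && NF == 4 && $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $4 != mgmt {
      printf "FINDING mgmt-on-data-iface: %s\n", $0
    }
    /^aaa authentication ssh console/ {
      auth = $0
      # Exactly "aaa authentication ssh console LOCAL": no AAA server, so no MFA possible.
      if (NF == 5 && $NF == "LOCAL") local_only = 1
    }
    END {
      if (auth == "") print "FINDING ssh-auth-unset: no aaa authentication ssh console line"
      else if (local_only) print "FINDING ssh-local-only: " auth
    }
  ' "$1"
}

audit_mgmt_plane "$SAMPLE_CFG" management
```

On the sample this prints three findings: the `ssh 0.0.0.0 0.0.0.0 outside` and `http 0.0.0.0 0.0.0.0 outside` listeners, and the LOCAL-only SSH auth line. Run it against the config of every device you re-image; a clean run is the minimum bar before the firewall goes back in line.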

Step 8: Report findings. If you locate FIRESTARTER, report immediately to CISA (1-844-Say-CISA / [email protected]) or the NCSC. Coordinated reporting helps trace the campaign's full footprint.
