Hackers Exploit Cisco Firepower Devices With N-Day Flaws to Deploy FIRESTARTER Backdoor
State-sponsored hackers are exploiting previously disclosed Cisco vulnerabilities to deploy a custom backdoor called FIRESTARTER on Cisco Firepower devices. Cisco Talos attributed the activity to UAT-4356, the same espionage-focused threat group linked to the earlier ArcaneDoor campaign.
The attackers are abusing two n-day flaws, CVE-2025-20333 and CVE-2025-20362, which affect Cisco Secure ASA Software and Cisco Secure Firewall Threat Defense Software. Cisco and CISA previously warned that the vulnerabilities were under active exploitation, and CISA updated Emergency Directive 25-03 after new FIRESTARTER malware details emerged.
FIRESTARTER gives attackers unauthorized remote access and control by executing code inside the LINA process, the core data-plane component of Cisco ASA and FTD appliances, which on Firepower hardware runs on top of FXOS. Cisco Talos said the malware shows significant technical sophistication and targets perimeter security devices that often protect sensitive enterprise and government networks.
FIRESTARTER targets the LINA process
Cisco Talos said FIRESTARTER runs inside LINA, which handles key ASA and FTD functions. By placing shellcode inside that process, attackers can intercept and respond to WebVPN traffic while hiding their activity inside normal device operations.
The malware searches LINA memory for specific byte markers and a suitable executable memory range. It then copies a second-stage shellcode payload into that range and overwrites an internal handler used for WebVPN XML processing, so the hook sits on a code path that legitimate VPN clients exercise constantly.
When a WebVPN request contains a specific custom prefix, FIRESTARTER executes the attacker's shellcode. If the request does not contain that marker, the malware forwards it unchanged to the original handler, which keeps normal VPN traffic working and avoids the obvious disruption that would draw an administrator's attention.
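The hook described above only fires on requests that carry the attacker's marker, and everything else passes through untouched, so the trigger traffic is the one thing a defender can look for in WebVPN request logs. The script below is an added example, not Cisco Talos tooling: it assumes that a request to the WebVPN XML handler should have a body that starts with XML, and it flags POST bodies to such an endpoint that begin with something else. The endpoint path, the record format, and the `MARKER-EXAMPLE:` string are all constructed for illustration; the real FIRESTARTER prefix is not published on this page.

```python
"""Heuristic triage of WebVPN request records for non-XML prefixes.

Added example, not code from Cisco Talos or the malware itself. Assumptions:
the XML handler serves the paths in XML_ENDPOINTS, request records are
available as (src, method, path, body) tuples, and a legitimate body starts
with '<' after an optional BOM and whitespace. Sample data is constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Assumed WebVPN paths handled by the XML processing code (adjust to your baseline).
XML_ENDPOINTS = {"/CSCOSSLC/config-auth"}

# A well-formed XML body begins, after an optional UTF-8 BOM and whitespace, with '<'.
_XML_START = re.compile(rb"\A(?:\xef\xbb\xbf)?\s*<")


@dataclass(frozen=True)
class Request:
    src: str
    method: str
    path: str
    body: bytes


def non_xml_prefix(req: Request) -> Optional[bytes]:
    """Return the bytes that precede the XML in a body that should be XML.

    Returns None when the request is not one the XML handler would process
    (other path, non-POST, empty body) or when the body already starts with XML.
    """
    if req.method != "POST" or req.path not in XML_ENDPOINTS or not req.body:
        return None
    if _XML_START.match(req.body):
        return None
    cut = req.body.find(b"<")
    # No '<' at all: the whole body is the anomaly; otherwise only the leading part.
    return req.body if cut < 0 else req.body[:cut]


def triage(requests: Iterable[Request]) -> List[Tuple[str, str, bytes]]:
    """Return (src, path, prefix) for every request carrying a non-XML prefix."""
    hits = []
    for req in requests:
        prefix = non_xml_prefix(req)
        if prefix is not None:
            hits.append((req.src, req.path, prefix[:32]))
    return hits


# Constructed sample records; none of these come from a real capture.
SAMPLE = [
    Request("203.0.113.10", "POST", "/CSCOSSLC/config-auth",
            b'<?xml version="1.0" encoding="UTF-8"?><config-auth client="vpn" type="init"/>'),
    Request("203.0.113.11", "POST", "/CSCOSSLC/config-auth",
            b'\xef\xbb\xbf  <?xml version="1.0"?><config-auth client="vpn" type="auth-reply"/>'),
    Request("198.51.100.7", "POST", "/CSCOSSLC/config-auth",
            b'MARKER-EXAMPLE:<?xml version="1.0"?><config-auth client="vpn" type="init"/>'),
    Request("203.0.113.12", "GET", "/CSCOSSLC/config-auth", b""),
    Request("203.0.113.13", "POST", "/+webvpn+/index.html", b"username=alice&password=x"),
]

if __name__ == "__main__":
    for src, path, prefix in triage(SAMPLE):
        print(f"suspicious prefix from {src} on {path}: {prefix!r}")
```

The heuristic deliberately ignores GET requests and empty bodies, since those carry nothing the XML handler would parse, and it ignores form posts to non-XML paths to keep the false-positive rate manageable; any hit should be pivoted on by source address and compared against the device's own WebVPN logs.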
Cisco says the campaign uses known flaws
| Item | Detail |
|---|---|
| Threat actor | UAT-4356 |
| Malware | FIRESTARTER |
| Targeted products | Cisco Firepower and Secure Firewall devices running ASA or FTD software |
| Abused vulnerabilities | CVE-2025-20333 and CVE-2025-20362 |
| Attack type | N-day exploitation followed by custom backdoor deployment |
| Main target process | LINA |
| Primary risk | Unauthorized remote access and code execution |
| CISA action | Updated Emergency Directive 25-03 and released related guidance |
CVE-2025-20333 is a buffer overflow in the VPN web server of affected Cisco ASA and FTD software that allows remote code execution, while CVE-2025-20362 is a missing-authorization flaw in the same web server that lets an unauthenticated attacker reach restricted URL endpoints; chained, the second gives the reach needed to trigger the first. CISA lists both vulnerabilities in its Emergency Directive material and said agencies must identify and mitigate potential Cisco device compromise.
Cisco's advisory confirms that both vulnerabilities have been exploited in the wild against affected ASA and FTD releases. The company recommends upgrading to fixed software releases and following its published guidance for affected systems.
Persistence depends on graceful reboot behavior
FIRESTARTER uses an unusual persistence method. Cisco Talos said the malware manipulates the Cisco Service Platform mount list so it can run again during a graceful reboot.
During shutdown, the implant copies itself to a backup log file and modifies the mount list so the payload can return during boot. After execution, it restores the original mount list and removes temporary traces, reducing the chance that administrators will notice the tampering.
This mechanism also creates an important recovery detail. Cisco Talos said administrators can remove the transient implant by performing a hard reboot, such as disconnecting the device from power, because the malware relies on runlevel behavior during a graceful shutdown and restart. A hard reboot clears the running implant only; it does not close the exploited vulnerabilities, so an unpatched device can simply be reinfected.
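Because the persistence hinges on edits to a boot-time mount list, the practical check is to compare the list a device currently carries against a known-good copy and to look for entries whose source sits in a log location, which is where the implant is reported to stage itself. The script below is an added example and not Cisco or Talos tooling: it assumes the mount list uses fstab-style lines (`source mountpoint fstype options dump pass`), and every path and line in it is constructed for illustration rather than taken from a real FXOS or ASA image.

```python
"""Baseline comparison of an fstab-style mount list to spot tampering.

Added example, not Cisco tooling. Assumptions: the mount list is a text file
of fstab-style lines, '#' starts a comment, and a known-good baseline copy is
available. All paths below are constructed; the real file names used by
FIRESTARTER are not published on this page.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Directories an implant would have to stage from to blend in with log data (assumed).
LOG_DIRS = ("/var/log", "/mnt/disk0/log")


@dataclass(frozen=True)
class Mount:
    src: str
    dst: str
    fstype: str
    opts: str


def parse_fstab(text: str) -> Dict[str, Mount]:
    """Parse fstab-style lines into a dict keyed by mount point; skips comments/blanks."""
    mounts: Dict[str, Mount] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed mount entry: {raw!r}")
        mounts[fields[1]] = Mount(fields[0], fields[1], fields[2], fields[3])
    return mounts


def diff_mounts(baseline: Dict[str, Mount],
                current: Dict[str, Mount]) -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (added, removed, changed) mount points relative to the baseline."""
    added = set(current) - set(baseline)
    removed = set(baseline) - set(current)
    changed = {dst for dst in set(baseline) & set(current) if baseline[dst] != current[dst]}
    return added, removed, changed


def _under(path: str, root: str) -> bool:
    return path == root or path.startswith(root.rstrip("/") + "/")


def suspicious_entries(mounts: Dict[str, Mount]) -> List[Mount]:
    """Flag bind mounts and any entry whose source lives under a log directory."""
    hits = []
    for m in mounts.values():
        is_bind = "bind" in m.opts.split(",")
        from_logs = any(_under(m.src, d) for d in LOG_DIRS)
        if is_bind or from_logs:
            hits.append(m)
    return hits


# Constructed baseline and tampered copy; the added bind mount is the kind of
# entry a graceful-reboot persistence trick would leave behind.
BASELINE = """
# constructed known-good mount list
/dev/sda1  /           ext4   defaults  0 1
tmpfs      /tmp        tmpfs  defaults  0 0
/dev/sda3  /var/log    ext4   defaults  0 0
"""

CURRENT = BASELINE + "/var/log/archive.bak  /opt/example/boot  none  bind  0 0\n"

if __name__ == "__main__":
    base, cur = parse_fstab(BASELINE), parse_fstab(CURRENT)
    added, removed, changed = diff_mounts(base, cur)
    print("added:", sorted(added), "removed:", sorted(removed), "changed:", sorted(changed))
    for m in suspicious_entries(cur):
        print("suspicious:", m)
```

Run it against a copy of the mount list pulled from the device and a baseline captured at commissioning time; a clean diff plus an empty suspicious list is the expected result, and any bind mount sourced from a log path deserves the full compromise-assessment path rather than a quick edit and reboot.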
CISA and partners warn about continued risk
CISA updated Emergency Directive 25-03 on April 23, 2026, after U.S. and U.K. authorities identified FIRESTARTER malware on Cisco devices. The directive focuses on identifying, analyzing, and mitigating potential compromise of Cisco ASA and Firepower devices.
New Zealand’s National Cyber Security Centre also warned that FIRESTARTER affects Cisco Firepower and Secure Firewall products running ASA or FTD software. Australia’s Cyber Security Centre issued similar guidance, citing new malware linked to exploitation of CVE-2025-20333 and CVE-2025-20362.
The warnings show that the threat is not only a patching issue. Security teams must also hunt for persistence and malware artifacts because compromised devices may remain dangerous even after software updates.
What defenders should look for
Cisco Talos recommends searching for FIRESTARTER artifacts, suspicious background processes, and temporary files created by the implant. BleepingComputer also reported that the malware can survive normal firewall updates and security patches because of how it persists on affected systems.
Administrators should not assume that patching alone removes an existing compromise. If a device shows signs of FIRESTARTER infection, teams should follow Cisco and CISA guidance for deeper remediation, including reimaging where required.
Recommended checks include:
- Search for suspicious FIRESTARTER-related processes.
- Look for unusual files in Cisco platform log paths.
- Review WebVPN traffic for abnormal request patterns.
- Apply Cisco’s fixed software releases for affected ASA and FTD versions.
- Follow CISA Emergency Directive 25-03 guidance.
- Reimage compromised devices where Cisco guidance recommends it.
- Perform a hard reboot when instructed as part of malware removal.
- Deploy Cisco Snort rules for exploitation and backdoor detection.
Snort rules and mitigation guidance
Cisco Talos said defenders can use Snort rules 65340 and 46897 to detect vulnerability exploitation, while rule 62949 can help detect FIRESTARTER backdoor activity.
CISA’s guidance also emphasizes forensic analysis and mitigation of potentially compromised Cisco devices. Federal agencies must follow the emergency directive, but private organizations should treat the same steps as urgent if they run exposed ASA, FTD, Firepower, or Secure Firewall infrastructure.
Organizations that rely on these devices for VPN, firewalling, or perimeter defense should prioritize them as critical assets. A compromised firewall can give attackers a durable position at the network edge, where they can observe traffic, bypass controls, and prepare follow-on activity.
Summary
- Cisco Talos says UAT-4356 is targeting Cisco Firepower devices with FIRESTARTER malware.
- The campaign abuses known Cisco ASA and FTD vulnerabilities, CVE-2025-20333 and CVE-2025-20362.
- FIRESTARTER runs inside the LINA process and can execute attacker shellcode through WebVPN request handling.
- The malware uses transient persistence that depends on graceful reboot behavior.
- Organizations should patch, hunt for FIRESTARTER artifacts, and reimage compromised devices where required.
FAQ
What is FIRESTARTER?
FIRESTARTER is a custom backdoor that targets Cisco ASA and FTD appliances. It runs inside the LINA process and allows attackers to execute code and maintain unauthorized access.
Who is behind the campaign?
Cisco Talos attributes the activity to UAT-4356, an espionage-focused threat group previously linked to the ArcaneDoor campaign.
Which vulnerabilities are being exploited?
The campaign uses CVE-2025-20333 and CVE-2025-20362, both affecting Cisco Secure ASA Software and Cisco Secure Firewall Threat Defense Software.
Does patching remove FIRESTARTER?
Patching closes the exploited vulnerabilities, but it may not remove an existing FIRESTARTER infection. Cisco and CISA guidance should be followed for compromise assessment and remediation.