Firestarter malware still infects Cisco ASA/FTD after patches

Firestarter malware – Security agencies warn Firestarter persists on Cisco Firepower and Secure Firewall devices, keeping remote access even after updates. Here’s how to detect and remove it.

Cybersecurity agencies in the U.S. and U.K. are warning that a custom backdoor dubbed Firestarter is capable of surviving Cisco firewall updates—meaning “patched” networks may still have an active intruder.

The issue centers on Cisco Firepower and Secure Firewall hardware running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. Misryoum notes the concern is not just the initial compromise. The bigger risk is persistence: Firestarter is designed to stay on the device through reboots, firmware updates, and security patches, allowing an attacker to regain access later.

CISA and the U.K. National Cyber Security Centre (NCSC) attribute Firestarter to a cyberespionage-focused threat actor tracked by Cisco Talos as UAT-4356. Misryoum understands this group has been linked to earlier campaigns, including ArcaneDoor. According to the agencies' alert, initial access may have involved a buffer overflow in the ASA/FTD VPN web server (CVE-2025-20333) and/or a missing authorization issue in the same component (CVE-2025-20362).

One incident described by CISA involved a federal civilian executive branch agency where the attacker first deployed Line Viper, a user-mode shellcode loader. Then, after establishing access, the actor placed Firestarter to ensure continued entry. CISA did not confirm the exact initial exploitation date, but assessed that the compromise happened in early September 2025, before patches were applied under Emergency Directive (ED) 25-03. For defenders, that timing matters: it suggests the gap between exploitation and patching can allow malware to "bed in" deeply enough to outlast remediation efforts.

Firestarter's persistence is built on the platform's own behavior. Misryoum notes the backdoor hooks into LINA, the core Cisco ASA process, and uses signal handlers that can trigger reinstallation routines. In practice, the malware alters a boot or mount list file (CSP_MOUNT_LIST) so it can execute on startup, stores a copy in a Cisco logging-related path, and restores itself to a location where it can run in the background. If an investigator terminates the wrong process at the wrong time, the implant may relaunch automatically.

The backdoor also supports remote control and payload execution. Its core function is remote access, with the ability to run attacker-supplied shellcode. Misryoum highlights the mechanism: Firestarter modifies an XML handler, injects shellcode into memory, and then triggers execution through a crafted WebVPN request. After validating a hardcoded identifier, the device loads and executes attacker-controlled code directly in memory. CISA did not share details on the specific payloads seen in the attacks, leaving defenders to focus on detection and containment rather than guessing what was executed.

What should administrators do? Cisco published mitigations, workarounds, and indicators of compromise, and Misryoum sees a clear message in the vendor's guidance: reimaging and upgrading the device to a fixed release is the safest path. Cisco "strongly recommends reimaging," and that advice applies whether a device is already compromised or only at risk.

For detection, CISA recommends a specific check: administrators can run 'show kernel process | include lina_cs' on the device. If the command returns any output, CISA instructs that the device should be treated as compromised. Misryoum also flags Cisco's alternative guidance: if reimaging is not possible, a cold restart (disconnecting device power) can remove the malware, but it is not recommended because it carries a risk of database or disk corruption that could lead to boot issues. A cold restart also does nothing about the vulnerability that let the attacker in, so the fixed release still has to be installed.
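As an added example (not code from CISA, Cisco, or Misryoum), the following Python script turns that one-line check into the verification step the article argues patching needs: it reads previously captured `show kernel process` output for each device, flags any device whose process list contains lina_cs, and combines that with the device's patch state so a "patched but still compromised" firewall stands out. The hostnames, captures, and column layout are constructed for illustration and only approximate the real ASA output; how the output is collected (console, SSH, an automation job) is left to the operator.

```python
"""Post-patch verification across a fleet of Cisco ASA/FTD devices.

Added example; not code from CISA, Cisco, or Misryoum. It assumes the
operator has already captured `show kernel process` output from each device
and recorded whether the fixed release was installed. Sample captures and
hostnames are constructed, and the column layout is only an approximation.
"""
from dataclasses import dataclass, field

# The process name CISA's check looks for; any hit means "treat as compromised".
INDICATOR_PROCESS = "lina_cs"


def find_indicator(show_kernel_process_output: str) -> list[str]:
    """Return the process lines whose COMMAND field contains lina_cs.

    Mirrors `show kernel process | include lina_cs`: a substring hit on the
    command column counts, because CISA's rule is "any output = compromised".
    Header and blank lines are skipped so only real process rows are reported.
    """
    hits = []
    for line in show_kernel_process_output.splitlines():
        fields = line.split()
        if not fields or not fields[0].isdigit():   # header or blank line
            continue
        if INDICATOR_PROCESS in fields[-1]:          # COMMAND assumed to be last column
            hits.append(line.strip())
    return hits


@dataclass
class Device:
    hostname: str
    patched: bool               # fixed release installed, per the change record
    show_kernel_process: str    # raw CLI capture, possibly empty if not collected


@dataclass
class Finding:
    hostname: str
    status: str
    evidence: list[str] = field(default_factory=list)


def classify(device: Device) -> Finding:
    """Combine patch state with the lina_cs check.

    The article's point is the first branch below: a device can be fully
    patched and still carry the implant, so the patch alone is not eradication.
    An empty capture is reported separately; "no output" only means "clean"
    when the command was actually run.
    """
    if not device.show_kernel_process.strip():
        return Finding(device.hostname, "NO_CAPTURE")
    hits = find_indicator(device.show_kernel_process)
    if hits and device.patched:
        status = "COMPROMISED_AFTER_PATCH"   # reimage; the patch did not remove it
    elif hits:
        status = "COMPROMISED_UNPATCHED"     # reimage and upgrade to a fixed release
    elif device.patched:
        status = "NO_INDICATOR_PATCHED"      # not proof of a clean box; keep monitoring
    else:
        status = "NO_INDICATOR_UNPATCHED"    # still exposed; patch, then re-run the check
    return Finding(device.hostname, status, hits)


def triage(fleet: list[Device]) -> dict[str, str]:
    """Map hostname -> status, with compromised devices listed first."""
    findings = sorted((classify(d) for d in fleet),
                      key=lambda f: not f.status.startswith("COMPROMISED"))
    return {f.hostname: f.status for f in findings}


# Constructed sample captures (the real command's columns may differ).
_HEADER = "  PID PPID PRI  NI   VSIZE    RSS  WCHAN  STAT  RUNTIME COMMAND\n"
SAMPLE_CLEAN = _HEADER + (
    "    1    0  20   0    2052    200  poll   S    00:00:03 init\n"
    " 1337 1336  20   0 1099312  69848 wait   S    04:12:00 lina\n"
)
SAMPLE_INFECTED = SAMPLE_CLEAN + (
    " 1402 1337  20   0    4096   1024  futex  S    00:00:09 lina_cs\n"
)

# Constructed inventory: hostnames and patch states are illustrative only.
FLEET = [
    Device("fw-edge-01", patched=True,  show_kernel_process=SAMPLE_INFECTED),
    Device("fw-edge-02", patched=False, show_kernel_process=SAMPLE_INFECTED),
    Device("fw-dc-01",   patched=True,  show_kernel_process=SAMPLE_CLEAN),
    Device("fw-dc-02",   patched=False, show_kernel_process=SAMPLE_CLEAN),
    Device("fw-lab-01",  patched=True,  show_kernel_process=""),
]

if __name__ == "__main__":
    for host, status in triage(FLEET).items():
        print(f"{host:12} {status}")
```

The status names are this example's own. A NO_INDICATOR result is deliberately not labelled "clean": the check only looks for one process name, and Cisco's reimaging advice applies to devices that are merely at risk, not just to those with a confirmed hit.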

Additional detection tooling is available as well. CISA shared YARA rules that detect the Firestarter backdoor when run against a disk image or a core dump. Misryoum interprets this as an effort to support both proactive forensics and incident-response workflows, especially in cases where full device reimaging is delayed.

The most unsettling part of the Firestarter case is the gap between patching and eradication. If a threat can persist across firmware updates and security patches, then standard "update and move on" routines won't close the loop. For security teams, Misryoum recommends treating this as a resilience test for operational processes: pair every patching plan with a verification step, tighten management-plane monitoring, and be ready to reimage quickly when persistence is suspected.