CISA Flags Persistent FIRESTARTER Backdoor Compromising Cisco ASA in Federal Environment

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has disclosed that a Cisco Firepower appliance running Adaptive Security Appliance (ASA) software within a U.S. federal civilian agency was compromised in September 2025 through the deployment of a stealthy backdoor known as FIRESTARTER. Notably, the malware survived subsequent remediation attempts, remaining active even after the affected device was patched, which highlights its robustness and its resistance to traditional detection and cleanup measures.

FIRESTARTER is a malicious backdoor jointly identified by CISA and the United Kingdom’s National Cyber Security Centre (NCSC). It is designed to provide attackers with persistent remote access and control and is believed to be part of a broader advanced persistent threat (APT) operation focused on Cisco ASA and Firepower Threat Defense (FTD) devices deployed at network perimeters. The malware exploits multiple security flaws that have since been patched, including CVE-2025-20333, which enabled remote code execution using stolen or abused VPN credentials, and CVE-2025-20362, which allowed unauthenticated attackers to access restricted functionality through specially crafted HTTP requests.

In an official report, CISA explained that it conducted a forensic analysis of a FIRESTARTER malware specimen recovered during an investigation. Both CISA and the UK NCSC assessed that FIRESTARTER was used as part of a widespread intrusion campaign that enabled APT actors to gain initial access to Cisco ASA firmware by exploiting the aforementioned vulnerabilities. The flaws include issues related to missing authorization controls (CWE-862) and a classic buffer overflow condition (CWE-120), both of which allowed attackers to execute malicious code at a privileged level.

The agencies further warned that FIRESTARTER presents a particularly severe risk because it can remain embedded within Cisco ASA and Firepower Threat Defense systems even after firmware updates and vulnerability patches are applied. This persistence enables attackers to reestablish access without needing to re-exploit the original vulnerabilities, effectively bypassing standard incident response workflows. As a result, U.S. federal agencies are required to comply with CISA Emergency Directive 25‑03, and organizations are strongly encouraged to deploy the YARA detection rules provided by CISA to scan disk images and memory dumps for indicators of compromise. Any confirmed detections should be promptly reported to either CISA or the NCSC.

The compromise was initially identified through CISA’s continuous monitoring capabilities, which detected suspicious activity on a Cisco Firepower ASA appliance operating within a federal network. Subsequent validation and in-depth forensic investigation led to the discovery of the FIRESTARTER backdoor. Analysis revealed that the attackers initially deployed a different post-exploitation implant, known as LINE VIPER, before transitioning to FIRESTARTER to establish long-term persistence on the device.

According to the advisory, threat actors used LINE VIPER during the early stages of post-compromise activity and later installed FIRESTARTER as a durable persistence mechanism. While Cisco’s security updates successfully address CVE-2025-20333 and CVE-2025-20362, systems that were compromised prior to patching may remain infected because FIRESTARTER is not removed through routine firmware upgrades alone.

Technically, FIRESTARTER is a Linux-based ELF binary specifically crafted to target Cisco Firepower and Secure Firewall platforms. It functions as a command-and-control backdoor, granting adversaries continuous remote access to compromised devices. The malware maintains its foothold by intercepting operating system termination signals and automatically relaunching itself, allowing it to survive reboots and software updates. In many cases, only a full power cycle combined with reimaging can fully eradicate the infection.

One of FIRESTARTER’s most sophisticated features is its deep integration into the LINA (Layered Interactive Network Application) engine, which is the core processing component responsible for network traffic handling and enforcement of security policies on Cisco ASA devices. The malware installs hooks within LINA that intercept normal XML processing functions, enabling the execution of attacker-controlled shellcode and facilitating the delivery of additional malicious payloads, including LINE VIPER.

CISA explained that FIRESTARTER attempts to install these hooks as a means of modifying standard operational behavior. By doing so, the malware grants the attackers the ability to execute arbitrary shellcode within trusted processes, significantly complicating detection efforts and enabling advanced post-exploitation activities.

Upon execution, FIRESTARTER loads itself from disk into memory, registers handlers for a variety of termination signals, and initiates extensive cleanup and self-repair routines. It alters system files to restore modified components, removes forensic artifacts, and reinstalls itself under new or obscure file paths to evade signature-based detection.

To ensure persistence across reboots, the malware writes itself into log directories that are preserved during restarts and recreates configuration files required for execution if they are deleted. It also appends shell scripts that move the malware binary into critical system directories, modify file permissions to ensure executability, and launch the backdoor in the background while suppressing error messages and logs.
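The two persistence traits described above (an ELF binary parked in a log directory that survives restarts, paired with a launcher script that moves it into a system directory, makes it executable and backgrounds it with output suppressed) lend themselves to a simple offline triage check over an extracted filesystem image. The following Python script is an added example written for this article, not code published by CISA, the NCSC or Cisco: it parses ELF headers by hand to flag executables under persistent log directories and scores shell scripts against the launcher heuristics. The directory list, regexes, and the sample filesystem (including the minimal ELF header) are constructed assumptions for illustration, not published indicators.

```python
"""Triage helper: flag ELF executables and suspicious launcher scripts in
directories that survive a restart on a Linux-based appliance image.

Constructed example; paths, byte contents and heuristics are assumptions,
not indicators published by CISA, the NCSC or Cisco.
"""
import hashlib
import re
import struct
from typing import Dict, List, Optional

# Hypothetical list of log directories preserved across reboots; real
# appliance layouts differ, so adjust before use on a real image.
PERSISTENT_LOG_DIRS = ("/var/log/", "/ngfw/var/log/", "/mnt/disk0/log/")

ELF_MAGIC = b"\x7fELF"


def parse_elf_header(data: bytes) -> Optional[dict]:
    """Return a small description of an ELF header, or None if not ELF."""
    if len(data) < 0x40 or data[:4] != ELF_MAGIC:
        return None
    ei_class = data[4]   # 1 = ELF32, 2 = ELF64
    ei_data = data[5]    # 1 = little endian, 2 = big endian
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"
    # e_type and e_machine directly follow the 16-byte e_ident block.
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    types = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": types.get(e_type, f"unknown({e_type})"),
        "machine": e_machine,
    }


def find_elf_in_log_dirs(files: Dict[str, bytes]) -> List[dict]:
    """ELF files living under a persistent log directory, with a hash for reporting."""
    hits = []
    for path, data in files.items():
        if not path.startswith(PERSISTENT_LOG_DIRS):
            continue
        hdr = parse_elf_header(data)
        if hdr is None:
            continue
        hits.append({"path": path, "sha256": hashlib.sha256(data).hexdigest(), **hdr})
    return hits


# Launcher heuristics: move/copy into a system directory, mark executable,
# discard stderr, and run in the background.  Each alone is benign; the
# combination is what the article describes.
SCRIPT_PATTERNS = {
    "move_to_system_dir": re.compile(r"\b(mv|cp)\b.*\s/(usr|bin|sbin|lib|etc)\b"),
    "set_executable": re.compile(r"\bchmod\s+(\+x|[0-7]{3,4})\b"),
    "discard_stderr": re.compile(r"2>\s*/dev/null"),
    "background": re.compile(r"&\s*$", re.M),
}


def score_launcher_script(text: str) -> List[str]:
    """Names of the heuristics that match a script body."""
    return [name for name, rx in SCRIPT_PATTERNS.items() if rx.search(text)]


def find_launcher_scripts(files: Dict[str, bytes], threshold: int = 3) -> List[dict]:
    """Shell scripts matching at least `threshold` launcher heuristics."""
    hits = []
    for path, data in files.items():
        if not data.startswith(b"#!"):
            continue
        matched = score_launcher_script(data.decode("utf-8", "replace"))
        if len(matched) >= threshold:
            hits.append({"path": path, "matched": matched})
    return hits


def build_sample_fs() -> Dict[str, bytes]:
    """Constructed sample image: one hidden ELF in /var/log plus its launcher."""
    # Minimal 64-bit little-endian ELF header: e_type=EXEC, e_machine=0x3E (x86-64).
    elf64 = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8
    elf64 += struct.pack("<HHI", 2, 0x3E, 1)
    elf64 = elf64.ljust(0x40, b"\x00")
    launcher = (b"#!/bin/sh\n"
                b"mv /var/log/.cache /usr/bin/svc\n"
                b"chmod +x /usr/bin/svc\n"
                b"/usr/bin/svc >/dev/null 2>/dev/null &\n")
    return {
        "/var/log/messages": b"Jan  1 00:00:01 fw kernel: boot\n",
        "/var/log/.cache": elf64,
        "/var/log/rotate.sh": launcher,
        "/etc/init.d/ntp": b"#!/bin/sh\nexec /usr/sbin/ntpd\n",
        "/etc/hosts": b"127.0.0.1 localhost\n",
    }


if __name__ == "__main__":
    fs = build_sample_fs()
    for hit in find_elf_in_log_dirs(fs):
        print("ELF in log dir:", hit)
    for hit in find_launcher_scripts(fs):
        print("launcher script:", hit)
```

On a real case the `files` mapping would be built by walking a mounted disk image read-only; the SHA-256 per hit is what an analyst would attach to a CISA or NCSC report, and the heuristics are deliberately loose so that any flagged script is reviewed by hand rather than treated as a verdict.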

Additionally, FIRESTARTER scans the memory of the LINA process to locate key data structures, injects shellcode into shared libraries such as libstdc++, and installs detours to intercept XML handlers. Importantly, the malware only activates its payload execution routines after confirming victim-specific identifiers embedded in WebVPN traffic, ensuring that its capabilities are triggered exclusively on intended targets.

In response to the threat, CISA and the NCSC strongly recommend that organizations adhere to baseline cybersecurity practices aligned with Cross-Sector Cybersecurity Performance Goals (CPG) 2.0. While timely patching remains essential, current fixes alone may not eliminate FIRESTARTER persistence. Organizations are advised to maintain accurate inventories of all network edge devices, particularly Cisco security appliances, and to actively monitor them for anomalous behavior.

Additional defensive measures include auditing privileged accounts, enforcing the principle of least privilege, rotating credentials on a regular basis, and modernizing administrative access controls. The agencies specifically recommend adopting secure authentication and authorization mechanisms such as TACACS+ over TLS 1.3, which can reduce credential exposure and improve visibility into administrative activity.

Cisco Talos echoed these recommendations in its own advisory, urging customers to follow Cisco’s remediation guidance and apply all relevant software updates. Impacted organizations are encouraged to open a Technical Assistance Center (TAC) case with Cisco for support. According to Cisco, a confirmed FIRESTARTER infection can be effectively mitigated by fully reimaging affected devices. On Cisco FTD deployments that are not operating in lockdown mode, it may also be possible to terminate the lina_cs process and reload the device as part of the remediation process.
