FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches

FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches

CISA revealed that an unnamed federal civilian agency’s Cisco Firepower device running Adaptive Security Appliance software was compromised in September 2025 with malware called FIRESTARTER. The backdoor was deployed as part of a widespread campaign orchestrated by an advanced persistent threat actor to obtain access to Cisco ASA firmware by exploiting now-patched security flaws CVE-2025-20333 and CVE-2025-20362.

FIRESTARTER is a Linux ELF binary that lodges itself into the device boot sequence by manipulating a startup mount list, allowing it to survive firmware updates and device reboots unless a hard power cycle occurs. It installs a hook within LINA, the device core network processing engine, enabling the execution of arbitrary shellcode. A post-exploitation toolkit called LINE VIPER was also found, capable of executing CLI commands, performing packet captures, bypassing VPN Authentication, Authorization, and Accounting for actor devices, suppressing syslog messages, harvesting user CLI commands, and forcing a delayed reboot.

The exact origins of the threat activity are not fully known, though an analysis from Censys in May 2024 suggested links to China. Cisco tracks the exploitation activity under UAT4356, also known as Storm-1849. The disclosure comes alongside a joint advisory about China-nexus threat actors using compromised SOHO router and IoT botnets to disguise espionage attacks, with groups like Volt Typhoon and Flax Typhoon implicated.

This incident highlights a critical gap in network perimeter defence – patches alone cannot remediate devices that were compromised before patching. Agencies are now recommending full device reimaging rather than simple patching or rebooting. The fact that a federal device remained compromised for months after patches were available underscores the persistence of modern APTs and the need for regular hardware verification and cold restart protocols.

Click here for the original article.