Firestarter Malware Hides on Cisco Firewalls After Patching

A dangerous backdoor called Firestarter malware is persisting on Cisco network security devices even after administrators apply security patches and reboot their systems. U.S. and British cybersecurity agencies issued a joint warning this week, revealing that the implant has been found on a federal government network and can outlast standard remediation efforts. For organizations that rely on Cisco firewalls to protect their infrastructure, the implications are severe.

What Is Firestarter Malware?

Firestarter is a custom-built backdoor targeting Cisco Firepower and Secure Firewall devices running either Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. It gives attackers remote access and control over compromised devices, and it was built to stay hidden long after defenders think they have cleaned up the infection.

The malware has been attributed to a threat actor tracked as UAT-4356, a cyberespionage group also linked to the ArcaneDoor campaign. That earlier campaign targeted Cisco networking gear using zero-day vulnerabilities to deliver surveillance-capable malware. Firestarter represents a continuation and escalation of that activity.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) co-authored a malware analysis report confirming that Firestarter is part of a widespread campaign. Federal civilian agencies have been issued updated requirements under Emergency Directive 25-03.

How Attackers Get In

The attackers gain initial access by exploiting two now-patched vulnerabilities in Cisco’s ASA firmware. The first, CVE-2025-20333, is a critical flaw with a CVSS score of 9.9. It allows a remote attacker with valid VPN credentials to execute arbitrary code as root by sending crafted HTTP requests. The second, CVE-2025-20362, is a buffer overflow bug that enables unauthorized access to restricted endpoints.

Once inside, the attackers do not immediately deploy Firestarter. Instead, they first install a separate tool called Line Viper, a post-exploitation implant that functions as a shellcode loader. Line Viper lets attackers execute CLI commands, capture network packets, bypass VPN authentication, suppress log entries, and harvest credentials. It effectively hands attackers deep visibility into the device before Firestarter arrives to lock in their access.

Why Patching Does Not Remove It

This is the core problem with Firestarter malware. Cisco released patches for CVE-2025-20333 and CVE-2025-20362 in September 2025. Those patches addressed the entry points. But any device that was compromised before patching may still carry the implant, because Firestarter is not removed by firmware updates.

The malware achieves this by hooking into LINA, the core networking engine of Cisco’s ASA software. It intercepts the termination signals sent to that process during shutdown, and that interception triggers a reinstallation routine: when the device receives a reboot command, Firestarter copies itself to a secondary location and rewrites the boot mount list so that it is relaunched after startup. It also keeps a copy of itself disguised as a log file. Once running, the backdoor intercepts specific types of WebVPN traffic and waits for a hidden trigger sequence from the attackers before executing code.

This approach means the malware survives reboots, firmware updates, and security patches. Standard incident response steps will not clear it.

A Federal Network Was Already Compromised

CISA identified Firestarter malware on a Cisco Firepower device running ASA software at an unnamed U.S. federal civilian agency. The infection dates to before September 25, 2025, and the attackers were still able to access the compromised device months later. CISA discovered the malware through continuous monitoring and initiated a forensic investigation after detecting suspicious network connections.

The incident shows that this is not a theoretical risk. A government network was silently compromised for an extended period, with attackers maintaining access despite the patching cycle that was supposed to close the door.

How to Detect and Remove Firestarter

Detection is difficult but not impossible. CISA has published two YARA rules that can identify the Firestarter implant when applied to a disk image or core dump from an affected device. Organizations can open a Cisco Technical Assistance Center case to obtain a disk image for analysis.

For removal, Cisco strongly recommends a full device reimaging and upgrade to the fixed firmware releases. Any configuration data on a compromised device should be treated as untrusted, since the attackers had root-level access. If reimaging is not immediately possible, a cold restart (physically unplugging the device) can temporarily remove the malware. Standard reboot commands, however, will not. CISA advises federal agencies not to take action without first consulting its team, to preserve forensic evidence.

Defenders should also inventory all network edge devices, monitor for suspicious connections, audit privileged accounts, and rotate passwords as part of the response.

Final Thoughts

Firestarter malware is a reminder that patching alone does not guarantee a clean system. When an attacker has enough time to install a persistent implant before defenders respond, the calculus changes entirely. Applying a firmware update addresses the vulnerability used to break in, but does nothing to evict malware that has already made itself at home.

For anyone running Cisco Firepower or Secure Firewall devices, the priority right now is detection. Use the CISA-provided YARA rules, review your device logs for anything unusual, and check your firmware versions against Cisco’s advisory. If you find signs of compromise, treat the device as fully untrusted and begin the reimaging process. A backdoored firewall is not a security control. It is an open door.

Janet Andersen

Janet is an experienced content creator with a strong focus on cybersecurity and online privacy. With extensive experience in the field, she’s passionate about crafting in-depth reviews and guides that help readers make informed decisions about digital security tools. When she’s not managing the site, she loves staying on top of the latest trends in the digital world.