New Cisco firewall malware can only be killed by pulling the plug
Suspected state-sponsored attackers are using a custom backdoor to persistently compromise Cisco security appliances (firewalls), the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) warned on Thursday.
“The [Firestarter] malware (…) is relevant for both Cisco Firepower and Secure Firewall devices; however, CISA has only observed a successful implant of the malware in the wild on a Cisco Firepower device running ASA software,” the Cybersecurity and Infrastructure Security Agency noted.
CISA also shared threat hunting rules US federal civilian agencies should use to search for evidence of the malware on their own systems.
The malware’s persistence mechanism
The two agencies posit that the attackers – tracked as UAT-4356 by Cisco Talos – are gaining initial access to internet-facing, vulnerable devices by exploiting CVE-2025-20333 and/or CVE-2025-20362.
Cisco patched those in late September 2025, when these attacks were initially discovered.
The threat actors then deployed the Line Viper post-exploitation implant to establish VPN sessions that bypassed all VPN authentication policies, and finally implanted the Firestarter backdoor to achieve persistence.
Cisco Talos researchers say that Firestarter embeds itself into the device’s boot sequence by manipulating a startup configuration list, ensuring it automatically reactivates every time the device restarts normally.
It then lies dormant until triggered by a “magic packet” that the attackers deliver inside a specially crafted WebVPN authentication request. When the implant recognizes the secret sequence of prefix bytes, it executes whatever shellcode follows them directly in memory.
The result is an on-demand code execution channel that leaves nothing on disk and is exceptionally difficult to detect without deep memory forensics or packet-level inspection of the authentication traffic.
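As an added illustration of what packet-level inspection of that trigger channel could look like (this is example code written for this page, not Cisco Talos, CISA or NCSC tooling): the script below parses raw HTTP requests, isolates POSTs to the WebVPN logon pages, and flags any whose body is not the URL-encoded credential form a browser would send. The logon paths, the credential field names and the trigger prefix are assumptions; the real Firestarter prefix sequence is not published on this page, so the placeholder bytes stand in for whatever indicator CISA's hunting rules supply. The sample requests are constructed, not captured traffic.

```python
"""Heuristic inspection of WebVPN logon requests for magic-packet style triggers.

Added example, not code from Cisco Talos, CISA or the article. A WebVPN logon POST
is treated as anomalous when its body is not a well-formed credential form.
"""
import string
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Assumed clientless-VPN logon paths on an ASA; adjust to the deployment.
WEBVPN_AUTH_PATHS = ("/+webvpn+/index.html", "/+CSCOE+/logon.html")
# Assumed field names of the legitimate logon form.
CREDENTIAL_FIELDS = {"username", "password"}
# HYPOTHETICAL placeholder: the real Firestarter prefix bytes are not published in
# the article; load the value from CISA's hunting rules instead.
KNOWN_TRIGGER_PREFIXES = (b"\xde\xad\xbe\xef",)
# Share of non-printable bytes above which a "form" body is treated as binary.
BINARY_RATIO = 0.05

PRINTABLE = set(string.printable.encode())


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return parts[0].decode("latin-1"), parts[1].decode("latin-1"), headers, body


def inspect_request(raw: bytes) -> Verdict:
    """Flag a WebVPN logon POST whose body does not look like a credential form."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or not path.startswith(WEBVPN_AUTH_PATHS):
        return Verdict(False)  # only the authentication channel is in scope

    reasons = []
    for prefix in KNOWN_TRIGGER_PREFIXES:
        if body.startswith(prefix):
            reasons.append(f"body starts with known trigger prefix {prefix.hex()}")

    nonprintable = sum(1 for b in body if b not in PRINTABLE)
    if body and nonprintable / len(body) > BINARY_RATIO:
        reasons.append(f"{nonprintable}/{len(body)} non-printable bytes in logon body")

    ctype = headers.get("content-type", "")
    if "application/x-www-form-urlencoded" not in ctype:
        reasons.append(f"unexpected content-type {ctype!r} on logon POST")
    else:
        try:
            fields = parse_qs(body.decode("ascii"), strict_parsing=True)
        except (UnicodeDecodeError, ValueError):
            reasons.append("body does not parse as form data")
        else:
            if not CREDENTIAL_FIELDS & set(fields):
                reasons.append("form body carries no credential fields")
    return Verdict(bool(reasons), reasons)


# Constructed sample traffic (not captured data).
BENIGN_LOGON = (
    b"POST /+webvpn+/index.html HTTP/1.1\r\n"
    b"Host: vpn.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"username=alice&password=s3cret&tgroup=DefaultWEBVPNGroup"
)
# Hypothetical trigger: placeholder prefix followed by bytes standing in for shellcode.
TRIGGER_LOGON = (
    b"POST /+webvpn+/index.html HTTP/1.1\r\n"
    b"Host: vpn.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"\xde\xad\xbe\xef" + b"\x90" * 12 + b"\xcc"
)
UNRELATED_POST = (
    b"POST /api/status HTTP/1.1\r\nHost: vpn.example.com\r\n"
    b"Content-Type: application/json\r\n\r\n{\"ping\": 1}"
)

if __name__ == "__main__":
    for name, req in [("benign", BENIGN_LOGON), ("trigger", TRIGGER_LOGON), ("unrelated", UNRELATED_POST)]:
        verdict = inspect_request(req)
        print(f"{name}: suspicious={verdict.suspicious} {verdict.reasons}")
```

Two caveats apply in practice. WebVPN runs over HTTPS, so this logic only sees plaintext at a TLS-terminating proxy or on decrypted captures; and non-browser clients that post unusual forms will produce false positives, so the byte-ratio and field-name checks are triage signals to be confirmed against the device core dump rather than a verdict on their own.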
Firestarter is so resilient because each time the device is “gracefully” shut down or rebooted, the malware uses that window to back itself up and rewrite the startup instructions before the device goes offline.
The only way to reliably remove the implant without reimaging is a hard power cycle, meaning the device must be physically unplugged from power rather than restarted through software. Cutting power abruptly prevents the malware from executing its survival routine, the researchers explained.
Finding Firestarter
“CISA and the NCSC assess that Firestarter can persist as an active threat on Cisco devices running ASA or Firepower Threat Defense (FTD) software, maintaining post-patching persistence and enabling threat actors to re-access compromised devices without re-exploiting vulnerabilities,” CISA noted, and ordered US federal civilian agencies to:
- Identify all public-facing Cisco ASA platforms they manage
- Collect those devices’ artifacts and core dumps
- Submit the core dumps to CISA’s Malware Next Generation (MNG) platform
- Apply the patches for CVE-2025-20333 and CVE-2025-20362
- Conduct further threat hunting, if necessary
“U.S. FCEB agencies should not take further action without first consulting CISA. To preserve evidence, avoid any hard power cycles and other changes (e.g., reboots, patching, configuration changes) before collection and coordination, as these can affect volatile artifacts,” CISA advised.
According to Cisco, the only confirmed indicator of compromise is a malicious process named lina_cs. Two additional files on disk – /usr/bin/lina_cs and /opt/cisco/platform/logs/var/log/svc_samcore.log – may also point to Firestarter’s presence, though attackers can easily rename them, so their absence does not rule out an infection.
“A cold restart will remove the malicious persistent implant,” the company says, but nevertheless “strongly recommends” reimaging and upgrading the device to a fixed software release.
Cisco Talos attributed the Firestarter malware to UAT-4356, a group that’s previously been linked to the 2024 ArcaneDoor campaign, which involved the compromise of Cisco ASA devices via two zero-days.

