CISA reports persistent FIRESTARTER backdoor on Cisco ASA device in federal network
Summary (aggregator-generated): CISA reports that the FIRESTARTER backdoor infected a U.S. federal government Cisco ASA device, was deployed through exploitation of CVE-2025-20333 and CVE-2025-20362, and survived patching. The malware allows remote access and control and is assessed to be part of a widespread APT campaign against Cisco devices; urgent countermeasures are advised.

2026-4-25 00:0:52 Author: securityaffairs.com (view original)

CISA said a federal Cisco Firepower ASA device was infected with the FIRESTARTER backdoor in Sept 2025, and it survived security patches.

CISA revealed that a U.S. federal civilian agency’s Cisco Firepower device running ASA software was compromised in September 2025 by the FIRESTARTER backdoor. The malware reportedly persisted even after security patches were applied, showing strong stealth and resilience against detection and remediation efforts.

FIRESTARTER is a backdoor identified by CISA and the UK NCSC, used for remote access and control in a likely APT campaign targeting Cisco ASA devices. It is deployed after exploitation of two now-patched flaws: CVE-2025-20333, a buffer overflow in the VPN web server that allows remote code execution by an attacker holding valid VPN credentials, and CVE-2025-20362, a missing-authorization flaw that lets an unauthenticated attacker reach restricted URL endpoints via crafted HTTP requests.

“The Cybersecurity and Infrastructure Security Agency (CISA) analyzed a sample of FIRESTARTER malware obtained from a forensic investigation. CISA and the United Kingdom National Cyber Security Centre (NCSC) assess that FIRESTARTER—a backdoor that allows remote access and control—is part of a widespread campaign that afforded an advanced persistent threat (APT) actor initial access to Cisco Adaptive Security Appliance (ASA) firmware by exploiting CVE-2025-20333 [CWE-862: Missing Authorization] and/or CVE-2025-20362 [CWE-120: Classic Buffer Overflow].” reads the report published by CISA.

CISA and the NCSC warn that FIRESTARTER can persist on Cisco ASA or Firepower Threat Defense systems even after patching, allowing attackers to regain access without re-exploiting vulnerabilities. U.S. federal agencies must follow CISA Emergency Directive 25-03. Organizations are urged to use provided YARA rules to detect the malware in disk images or core dumps and report any findings to CISA or the NCSC.

CISA detected suspicious activity on a U.S. federal Cisco Firepower ASA device through continuous monitoring. After validation and forensic analysis, it found a malware sample named FIRESTARTER. Attackers had initially used LINE VIPER for post-exploitation, then deployed FIRESTARTER to maintain persistence.

“In this incident, APT actors initially deployed LINE VIPER as a post-exploitation implant and subsequently used FIRESTARTER as a persistence mechanism to maintain continued access to the compromised device.” continues the alert. “Although Cisco’s patches addressed CVE-2025-20333 and CVE-2025-20362, devices compromised prior to patching may remain vulnerable because FIRESTARTER is not removed by firmware updates.”

FIRESTARTER is a Linux ELF malware targeting Cisco Firepower and Secure Firewall devices, acting as a command-and-control backdoor for remote access. It maintains persistence by intercepting termination signals and automatically relaunching, allowing it to survive reboots and even firmware updates unless a full power cycle is performed.

The malware embeds itself in the LINA network processing engine by installing a hook that intercepts normal XML handling functions. This enables execution of attacker-supplied shellcode and deployment of additional payloads like LINE VIPER.

“FIRESTARTER attempts to install a hook—a way to intercept and modify normal operations—within LINA, the device’s core engine for network processing and security functions.” states CISA. “This hook enables the execution of arbitrary shell code provided by the APT actors, including the deployment of LINE VIPER.”

Upon execution, FIRESTARTER loads itself from disk into memory, registers handlers for multiple termination signals, and performs cleanup and self-reinstallation routines. It manipulates system files to restore modified components, deletes traces, and re-establishes itself under a new persistent path.
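The two paragraphs above turn on one Linux mechanism: a process that registers handlers for the catchable termination signals cannot be stopped by a polite kill, only by SIGKILL (which the kernel never delivers to a handler) or by taking the whole system down. The following added example, written for this page and not code from CISA, the NCSC or the malware itself, spawns a constructed stand-in process that swallows SIGTERM, SIGINT, SIGHUP and SIGQUIT, then shows that SIGTERM leaves it running while SIGKILL ends it. The child program and its "ready" handshake are assumptions made for the demonstration; it does not relaunch itself, so it illustrates only the signal-trapping half of the behaviour described.

```python
import signal
import subprocess
import sys

# Constructed stand-in for a process that traps the catchable termination
# signals (hypothetical code written for this example, not the malware's own).
# It prints "ready" once its handlers are installed, then idles forever.
RESILIENT_CHILD = r'''
import signal, time
for s in (signal.SIGTERM, signal.SIGINT, signal.SIGHUP, signal.SIGQUIT):
    signal.signal(s, lambda signum, frame: None)   # swallow the signal, keep running
print("ready", flush=True)
while True:
    time.sleep(0.05)   # sleep is resumed after the handler returns (PEP 475)
'''


def spawn_resilient_child():
    """Start the child and block until it reports that its handlers are in place."""
    proc = subprocess.Popen([sys.executable, "-c", RESILIENT_CHILD],
                            stdout=subprocess.PIPE, text=True)
    # Waiting for the handshake avoids racing the handler installation.
    if proc.stdout.readline().strip() != "ready":
        proc.kill()
        raise RuntimeError("child did not start")
    return proc


def exits_after(proc, sig, timeout=2.0):
    """Send sig and report whether the process exited within timeout seconds."""
    proc.send_signal(sig)
    try:
        proc.wait(timeout=timeout)
        return True
    except subprocess.TimeoutExpired:
        return False


def demo():
    """SIGTERM is caught and ignored; SIGKILL cannot be caught, so it ends the process."""
    proc = spawn_resilient_child()
    result = {
        "survived_sigterm": not exits_after(proc, signal.SIGTERM, timeout=1.0),
        "died_on_sigkill": exits_after(proc, signal.SIGKILL),
    }
    proc.stdout.close()
    return result


if __name__ == "__main__":
    print(demo())
```

The practical consequence for responders is that a plain `kill` (SIGTERM) issued against a signal-trapping implant proves nothing; a process that has to be terminated from a shell needs SIGKILL, and even that does not undo on-disk persistence or a self-relaunch path, which is why the vendor guidance further down points at reloading or reimaging the device rather than at killing a process alone.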

For persistence, it writes itself into reboot-persistent log locations and recreates missing configuration files used for execution. It then appends shell commands that move the malware binary into a system directory, mark it executable, and launch it in the background with errors suppressed.
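The three steps described above (relocate into a system directory, mark executable, launch detached with errors silenced) are a pattern an analyst can triage for in scripts recovered from a disk image, independent of any specific file name. The following added example is written for this page and is not the report's own detection logic or a FIRESTARTER signature; the sample startup script, its path names and the four-line window are constructed assumptions. It flags any short run of lines in which all three steps appear together, which keeps ordinary single `chmod` or `mv` lines from firing.

```python
import re

# Constructed sample of a startup script recovered from a disk image (not a
# real FIRESTARTER artefact). The last three lines are the kind of stanza the
# report describes; every path here is illustrative only.
SAMPLE_STARTUP_SCRIPT = """\
#!/bin/sh
# platform boot tasks
mount -o remount,rw /mnt/disk0
/usr/sbin/syslogd -C
mv /mnt/disk0/log/.cache/svc /usr/local/bin/svc 2>/dev/null
chmod +x /usr/local/bin/svc 2>/dev/null
/usr/local/bin/svc >/dev/null 2>&1 &
"""

# One heuristic per step of the pattern. A single match is unremarkable; the
# finding is the three steps landing within a few lines of each other.
SYSTEM_DIRS = r"(?:/usr/(?:local/)?s?bin|/s?bin|/opt|/etc)"
HEURISTICS = {
    # mv or cp whose destination is under a system directory
    "move_into_system_dir": re.compile(r"^\s*(?:mv|cp)\s+\S+\s+" + SYSTEM_DIRS + r"/"),
    # chmod granting execute, symbolic (+x) or octal (e.g. 755)
    "make_executable": re.compile(r"^\s*chmod\s+(?:[ugoa]*\+[rw]*x|[0-7]{3,4})"),
    # backgrounded (trailing &) with output or errors sent to /dev/null
    "background_silenced": re.compile(r"/dev/null.*&\s*$"),
}


def find_persistence_stanzas(script_text, window=4):
    """Return [(start_line, end_line, [heuristic names])] for every run of at most
    `window` consecutive lines that contains all three steps. Line numbers are 1-based."""
    hits = [(i + 1, {name for name, rx in HEURISTICS.items() if rx.search(line)})
            for i, line in enumerate(script_text.splitlines())]
    findings = []
    for start in range(len(hits)):
        if not hits[start][1]:          # a stanza starts on a line that matched something
            continue
        seen = set()
        for lineno, names in hits[start:start + window]:
            seen |= names
            if seen == set(HEURISTICS):
                findings.append((hits[start][0], lineno, sorted(seen)))
                break
    return findings


if __name__ == "__main__":
    for start, end, names in find_persistence_stanzas(SAMPLE_STARTUP_SCRIPT):
        print(f"lines {start}-{end}: {', '.join(names)}")
```

Run it over every shell script and rc-style file carved from the image, not only the ones the platform normally executes; the report notes that the malware also recreates configuration files it needs, so a file that "should not exist" on a clean device is itself a finding. Because the heuristics are textual, a positive is a prompt for manual review, not a verdict.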

The malware also scans LINA memory to locate key structures, injects shellcode into shared libraries like libstdc++, and installs detours for XML handlers. It only activates payload execution after verifying victim-specific identifiers embedded in WebVPN traffic, ensuring targeted deployment.

CISA and the NCSC urge organizations to follow baseline cybersecurity practices aligned with CPG 2.0, including rapid patching of known vulnerabilities, though current fixes may not remove FIRESTARTER persistence. They recommend inventorying network edge devices, especially Cisco systems, and monitoring for suspicious activity. Organizations should audit privileged accounts, enforce least privilege, rotate passwords regularly, and modernize access controls using secure protocols like TACACS+ over TLS 1.3 to reduce credential exposure and improve detection.

“We recommend that Cisco customers follow the steps recommended in Cisco’s advisory, with particular attention to any applicable software upgrade recommendations. Organizations impacted can initiate a TAC request for Cisco support.” reads the report published by Cisco Talos. “A FIRESTARTER infection may be mitigated on all affected devices by reimaging the devices. On Cisco FTD software that is not in lockdown mode, there is also the option of killing the lina_cs process then reloading the device:”


Pierluigi Paganini

(SecurityAffairs – hacking, FIRESTARTER backdoor)
Source: https://securityaffairs.com/191241/hacking/cisa-reports-persistent-firestarter-backdoor-on-cisco-asa-device-in-federal-network.html