Firestarter malware survives Cisco firewall updates, security patches

Published: April 24, 2026 at 04:34 PM EDT

Source: Bleeping Computer

Overview

Cybersecurity agencies in the U.S. and U.K. are warning about a custom malware called Firestarter persisting on Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software.

The backdoor has been attributed to a threat actor that Cisco Talos tracks internally as UAT‑4356, known for cyber‑espionage campaigns, including ArcaneDoor.

Exploitation Vector

  • Initial access is believed to be gained by exploiting:
    • A missing authorization issue (CVE‑2025‑20333)
    • A buffer overflow bug (CVE‑2025‑20362)

In one incident at a federal civilian executive branch agency, CISA observed the threat actor first deploying the Line Viper malware (a user‑mode shellcode loader) and then using Firestarter to maintain access even after patching.

“CISA has not confirmed the exact date of initial exploitation but assesses the compromise occurred in early September 2025, and before the agency implemented patches in accordance with ED 25‑03,” – CISA alert.

Line Viper establishes VPN sessions and extracts configuration details, including administrative credentials, certificates, and private keys from compromised Firepower devices. The ELF binary for the Firestarter backdoor is then deployed for persistence.

Persistence Mechanism

Firestarter maintains persistence across:

  • Reboots
  • Firmware updates
  • Security patches
  • Termination of the backdoor process (it relaunches automatically)

Technical Details

  • Hooks into LINA, the core Cisco ASA process, using signal handlers that trigger re‑installation routines.
  • Modifies the CSP_MOUNT_LIST boot/mount file to ensure execution on startup.
  • Stores a copy of itself in /opt/cisco/platform/logs/var/log/svc_samcore.log and restores it to /usr/bin/lina_cs, where it runs in the background.
  • Persistence is triggered when a process termination signal (graceful reboot) is received.

The backdoor also injects attacker‑provided shellcode into memory via a specially crafted WebVPN request that validates a hard‑coded identifier before executing the payload.

Persistence mechanism – Source: Cisco

Example Command for Detection

show kernel process | include lina_cs

If any output is returned, the device should be considered compromised.
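The file paths listed under Technical Details and the process check above can be turned into an offline triage routine for output and disk listings captured from many devices. The following is an added example, not code from Cisco, CISA or Bleeping Computer. It assumes you have already saved the text of `show kernel process` from each device and, for a disk image, produced a list of file paths; the column layout of the sample process listing is constructed to look plausible and is not the real ASA output format.

```python
"""Offline triage for the Firestarter indicators named in the article.

Added example, not Cisco's or CISA's code. Inputs are assumed to be the
captured text of `show kernel process` and a list of file paths taken
from a mounted disk image. The sample listing below is constructed.
"""
import posixpath
from typing import Iterable

# Indicators from the article: the stored copy and the restored binary.
FIRESTARTER_PATHS = frozenset({
    "/opt/cisco/platform/logs/var/log/svc_samcore.log",
    "/usr/bin/lina_cs",
})
SUSPECT_PROCESS = "lina_cs"


def find_suspect_processes(show_kernel_process_output: str,
                           name: str = SUSPECT_PROCESS) -> list[str]:
    """Return listing lines in which some whitespace-separated token is a
    path whose basename equals `name`.

    This is tighter than `| include lina_cs`: a token such as
    /usr/bin/lina_cs matches, but a longer name merely containing the
    string does not. A header line starting with PID is skipped.
    """
    hits = []
    for line in show_kernel_process_output.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].upper() == "PID":
            continue
        if any(posixpath.basename(tok) == name for tok in tokens):
            hits.append(line.strip())
    return hits


def find_firestarter_artifacts(paths: Iterable[str]) -> set[str]:
    """Return the known Firestarter paths present in a path listing.

    Paths are normalised first so that `a/../b` spellings still match.
    """
    normalized = {posixpath.normpath(p) for p in paths}
    return FIRESTARTER_PATHS & normalized


def triage(show_kernel_process_output: str, paths: Iterable[str]) -> dict:
    """Combine both checks into one verdict for a single device."""
    procs = find_suspect_processes(show_kernel_process_output)
    files = find_firestarter_artifacts(paths)
    return {
        "suspect_processes": procs,
        "artifacts": sorted(files),
        "compromised": bool(procs or files),
    }


# Constructed sample output; the column layout is illustrative only.
CLEAN_OUTPUT = """\
PID  PPID  PRI  NI  VSIZE   RSS     WCHAN  STAT  RUNTIME  COMMAND
1    0     20   0   4096    1024    -      S     12:00    init
552  1     20   0   818204  512000  -      S     11:58    /asa/bin/lina
"""
INFECTED_OUTPUT = CLEAN_OUTPUT + (
    "913  1     20   0   22032   4096    -      S     11:57    /usr/bin/lina_cs\n"
)

if __name__ == "__main__":
    for label, output, listing in (
        ("clean", CLEAN_OUTPUT, ["/usr/bin/lina", "/etc/passwd"]),
        ("infected", INFECTED_OUTPUT, ["/usr/bin/lina_cs", "/usr/bin/lina"]),
    ):
        print(label, triage(output, listing))
```

A device is flagged if either check fires, because the article describes the binary being relaunched from the stored copy: an absent process with the log-path copy still on disk is just as significant as a running `lina_cs`. Treat a clean result from this script as "no known indicator found", not as proof the device is clean; the reimage guidance below still applies.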

Mitigations & Recommendations

Cisco’s security advisory provides mitigations, workarounds, and indicators of compromise:

  • Reimage and upgrade the device using the fixed releases (strongly recommended for both compromised and non‑compromised devices).
  • If re‑imaging is not possible, a cold restart (power cycle) can remove the malware, though this carries a risk of database or disk corruption and is not recommended.
  • Run the detection command above to verify compromise.

Cisco security advisory

Detection Rules

CISA has published two YARA rules that can detect the Firestarter backdoor when applied to a disk image or a core dump from a device:
