"FIRESTARTER can persist as an active threat on Cisco devices running ASA or Firepower Threat Defense (FTD) software, maintaining post-patching persistence and enabling threat actors to re-access compromised devices without re-exploiting vulnerabilities," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.K.'s National Cyber Security Centre (NCSC) warned.
What CISA and NCSC revealed about the federal compromise
CISA disclosed that an unnamed federal civilian agency's Cisco Firepower device running Adaptive Security Appliance (ASA) software was compromised in September 2025 with malware the agencies call FIRESTARTER. The agencies and Cisco characterize FIRESTARTER as a backdoor designed to provide remote access and control and say it was deployed as part of a "widespread" campaign by an advanced persistent threat (APT) actor to obtain access to ASA firmware.
How FIRESTARTER and the LINE VIPER toolkit operate
According to the advisory, FIRESTARTER is a Linux ELF binary that embeds itself in a device's boot sequence by manipulating the startup mount list; this lets the implant reactivate after normal reboots and survive firmware updates unless a hard power cycle is performed. Because the persistence hook lives in the boot process rather than in the patched software image, installing a fixed release does not by itself dislodge it. The implant attempts to install a hook inside LINA, the device's core engine for network processing and security functions, enabling execution of arbitrary shellcode supplied by the APT actors.
CISA and the NCSC report that the threat actors also deployed a post-exploitation toolkit named LINE VIPER. That toolkit can execute CLI commands, perform packet captures, bypass VPN Authentication, Authorization, and Accounting (AAA) for actor devices, suppress syslog messages, harvest user CLI commands, and force a delayed reboot. The agencies said LINE VIPER provided elevated access that served as a conduit for FIRESTARTER, which was present on the Firepower device before September 25, 2025 and allowed actors to return to the appliance "as recently as last month."
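Two of the LINE VIPER capabilities listed above, bypassing VPN AAA and suppressing syslog, leave gaps that can be hunted for off-box. The following is an added example (not code from the advisory, CISA, NCSC or Cisco) of a collector-side detector that correlates AnyConnect session-start messages with a preceding AAA success for the same user, and flags stretches of silence in the syslog feed. The sample log lines are constructed for the example; the ASA message IDs used (113004, 113039, 722022) are taken from Cisco's ASA syslog reference, and the field layouts, window sizes and file format are assumptions to adjust for your own collector.

```python
"""
Collector-side hunting for two LINE VIPER-style behaviours described in the
CISA/NCSC advisory: VPN sessions with no matching AAA success (AAA bypass)
and syslog going quiet (message suppression). Added example; not the
advisory's or Cisco's code. Message IDs 113004 / 113039 / 722022 are from
Cisco's ASA syslog reference; the sample lines themselves are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample stream (not from any real device or incident).
# Format assumed: "<ISO-8601 timestamp> %ASA-<sev>-<msgid>: <text>".
SAMPLE_LOG = """\
2025-09-20T10:00:00 %ASA-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.5/51000 to identity:198.51.100.1/443
2025-09-20T10:00:02 %ASA-6-113004: AAA user authentication Successful : server =  10.0.0.5 : user = alice
2025-09-20T10:00:03 %ASA-6-113039: Group <RemoteVPN> User <alice> IP <203.0.113.5> AnyConnect parent session started.
2025-09-20T10:05:00 %ASA-6-302013: Built inbound TCP connection 1002 for outside:203.0.113.9/51200 to identity:198.51.100.1/443
2025-09-20T10:05:01 %ASA-6-113039: Group <RemoteVPN> User <svc_backup> IP <203.0.113.9> AnyConnect parent session started.
2025-09-20T10:05:02 %ASA-6-722022: Group <RemoteVPN> User <svc_backup> IP <203.0.113.9> TCP SVC connection established without compression
2025-09-20T10:06:00 %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/51000 to identity:198.51.100.1/443
2025-09-20T10:41:00 %ASA-6-302013: Built inbound TCP connection 1003 for outside:203.0.113.5/51300 to identity:198.51.100.1/443
"""

LINE_RE = re.compile(r"^(\S+) %ASA-\d-(\d{6}): (.*)$")
AAA_OK_RE = re.compile(r"AAA user authentication Successful .*user = (\S+)")
SESSION_RE = re.compile(
    r"Group <[^>]+> User <([^>]+)> IP <([^>]+)> AnyConnect parent session started"
)


def parse(log_text):
    """Return a list of (timestamp, message_id, text) tuples in feed order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an ASA message; ignore
        events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def sessions_without_aaa(events, window=timedelta(minutes=5)):
    """Flag AnyConnect session starts (113039) with no AAA success (113004)
    for the same user within the preceding window. A session that appears
    without authentication is exactly what an AAA bypass looks like."""
    last_ok = {}  # user -> timestamp of most recent AAA success
    findings = []
    for ts, msgid, text in events:
        if msgid == "113004":
            m = AAA_OK_RE.search(text)
            if m:
                last_ok[m.group(1)] = ts
        elif msgid == "113039":
            m = SESSION_RE.search(text)
            if not m:
                continue
            user, ip = m.groups()
            ok = last_ok.get(user)
            if ok is None or ts - ok > window:
                findings.append((user, ip, ts))
    return findings


def syslog_gaps(events, max_gap=timedelta(minutes=15)):
    """Return (start, end) pairs where the feed was silent longer than
    max_gap. A busy firewall emits connection messages continuously, so
    silence from a device that is still passing traffic is worth a look."""
    gaps = []
    for (t0, _, _), (t1, _, _) in zip(events, events[1:]):
        if t1 - t0 > max_gap:
            gaps.append((t0, t1))
    return gaps


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for user, ip, ts in sessions_without_aaa(evts):
        print(f"VPN session without AAA success: user={user} ip={ip} at {ts}")
    for start, end in syslog_gaps(evts):
        print(f"syslog silent from {start} to {end}")
```

Two caveats follow from the advisory itself. The detector has to run on the collector, not on the appliance, because on-box suppression is the behaviour being hunted. And absence of an alert proves nothing: an actor who suppresses syslog can drop the session-start message as easily as the AAA message, so the silence check is the more robust of the two and should be tuned to each device's normal message rate.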
Exploited vulnerabilities, vendor tracking, and remediation advice
The intrusion was tied to exploitation of now-patched ASA vulnerabilities, including CVE-2025-20333 (CVSS 9.9), an improper input validation flaw that could allow an authenticated remote attacker with valid VPN credentials to execute arbitrary code as root via crafted HTTP requests, and CVE-2025-20362 (CVSS 6.5), an improper input validation flaw that could let an unauthenticated remote attacker access restricted URL endpoints via crafted HTTP requests. The two are complementary, and Cisco reported seeing them chained: the unauthenticated endpoint-access bug removes the credential requirement that would otherwise gate the root code-execution bug. Cisco Talos tracks the threat actor as UAT4356; Microsoft tracks the same actor as Storm-1849.
Cisco described FIRESTARTER as a backdoor that facilitates execution of arbitrary shellcode by the LINA process after parsing specially crafted WebVPN authentication requests containing a "magic packet." Cisco recommends that, in cases of confirmed compromise on any Cisco Secure ASA or FTD platforms, "all configuration elements of the device should be considered untrusted" and that customers reimage and upgrade the device to fully remove the persistence mechanism.
As an interim mitigation, Cisco advised a cold restart — physically removing and restoring power — because the shutdown, reboot, and reload CLI commands will not clear the implant.
Links to earlier campaigns and the broader operational picture
Cisco noted overlap between FIRESTARTER and a previously documented bootkit called RayInitiator. UAT4356 was first documented as the actor behind ArcaneDoor, a campaign that used zero-day flaws in Cisco gear to deliver bespoke malware for traffic capture and reconnaissance; Censys, an attack surface management platform, published analysis in May 2024 suggesting links to China for related activity.
What this means for federal agencies, security teams, and SOHO/IoT operators
- Federal civilian agencies: Treat configurations and credentials on compromised ASA/FTD devices as untrusted, follow Cisco's guidance to reimage and upgrade affected devices, and prioritize physical power-cycling where immediate reimaging is not possible, per CISA and Cisco.
- Security and network operations teams: Recognize that firmware updates alone may not remove persistence — the agencies say FIRESTARTER can survive updates and normal reboots — and investigate for post-exploitation tooling such as LINE VIPER that can harvest CLI commands, suppress logs, and bypass VPN AAA.
- Operators of SOHO routers and IoT devices: The joint advisory accompanying this disclosure highlights that China-nexus actors have been building large covert networks of compromised home routers, cameras, and recorders to anonymize and route espionage traffic; those devices can be used as traversal or exit nodes and continually refreshed, complicating static IP-blocking and attribution.
The central technical fact is stark: patching addresses the exploited CVEs, but according to CISA, the NCSC and Cisco, devices compromised before remediation can remain backdoored after the patch is applied. A cold power cycle clears the running implant as an interim measure; only reimaging and upgrading the device, with its configuration treated as untrusted, fully removes the persistence mechanism. The advisory also reinforces an operational lesson visible across the campaign: attackers are combining zero-day and known-exploit initial access with resilient boot-time persistence and post-exploitation toolkits to regain and retain presence even after patches are applied.