"Only a hard reboot — physically disconnecting the device from its power supply — is sufficient to clear the persistence mechanism from memory," according to both CISA and Cisco.
Firestarter: a backdoor that survives patches and reboots
U.S. and U.K. cybersecurity authorities jointly disclosed a custom implant, code‑named Firestarter, that can persist on Cisco network security devices even after organizations apply published fixes and perform routine software reboots. The Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) published a malware analysis describing how Firestarter manipulates device boot configuration so the implant is restored and relaunched after normal restarts.
How the implant works inside Cisco appliances
According to the joint advisory and Cisco’s Talos group, Firestarter copies itself to a secondary location and rewrites the Cisco Service Platform mount list—a configuration file that governs programs executed during the boot sequence—when a termination signal or reboot occurs. The malware then injects malicious shellcode into LINA, the core networking and firewalling code used by Cisco’s Adaptive Security Appliance and Firepower Threat Defense software. Embedded in LINA, Firestarter intercepts a particular VPN‑authentication‑style network request; a hidden trigger sequence in that request causes the device to execute code supplied by the attackers, opening a persistent backdoor.
CVE‑2025‑20333 and CVE‑2025‑20362: the exploit chain and timeline
CISA says the attackers initially exploited two vulnerabilities addressed in Cisco patches released in September 2025—CVE‑2025‑20333, a remote code execution flaw in the VPN web server component, and CVE‑2025‑20362, an unauthorized access vulnerability—to gain entry. In the federal civilian agency incident the agency analyzed, the attackers first deployed an implant called Line Viper to harvest configurations, credentials, and encryption keys, then installed Firestarter prior to the September 2025 patches being applied to those devices. After the agency patched its systems, Firestarter persisted and was used to redeploy Line Viper in March, nearly six months after the initial breach.
CISA emergency directive, Cisco guidance, and scope of affected hardware
The finding prompted an updated emergency directive issued Thursday requiring all federal civilian agencies to audit their Cisco firewall infrastructure and submit device memory snapshots for analysis by Friday. CISA also acknowledged that active exploitation of the underlying vulnerabilities was ongoing at the time of publication. Cisco has released updated software addressing the persistence mechanism but strongly recommends reimaging affected devices rather than relying solely on software updates when compromise is suspected. The persistence technique affects a broad range of Cisco hardware, including the Firepower 1000, 2100, 4100, and 9300 series, and the Secure Firewall 1200, 3100, and 4200 series. Cisco’s threat intelligence unit, Talos, attributed Firestarter to a threat actor it tracks as UAT‑4356.
What this means for technologists, policymakers, and federal civilian agencies
- Technologists and security teams: Treat software updates as necessary but not sufficient when an intrusion is suspected; where compromise cannot be ruled out, Cisco and CISA recommend reimaging and, in practice, physically power‑cycling devices to clear memory-resident implants. Continuous network monitoring remains critical; CISA discovered Firestarter after identifying suspicious connections through such monitoring.
- Policymakers and regulators: The emergency directive demonstrates a requirement for rapid, centralized incident triage and evidence collection; agencies will need clear timelines and capacity to gather memory snapshots and coordinate with vendors for reimaging or device replacement.
- Federal civilian agencies and affected enterprises: Devices patched before compromise may still be infected; agencies must audit device inventories across the listed Firepower and Secure Firewall models, submit snapshots as directed, and consider reimaging or hardware replacement where indicators of compromise are found.
Ties to prior campaigns deepen the operational concern. Talos linked Firestarter to UAT‑4356 and noted technical similarities to a previously documented implant called RayInitiator, while Censys researchers previously reported evidence indicating a threat group based in China was behind an earlier 2024 espionage campaign, ArcaneDoor, which focused on compromising perimeter devices. Both lines of analysis point to a pattern: attackers targeting the network edge to intercept credentials and internal traffic, then using implants that survive routine remediation.
The immediate choices facing defenders are concrete. Agencies must audit, snapshot, and—where compromise is suspected—reimage or physically power‑cycle affected devices. Vendors and operators must coordinate to validate eradication. And investigators will need to determine how widespread redeployments like the March Line Viper reinstallation have been across other networks.
Original reporting: https://cyberscoop.com/cisco-firestarter-malware-cisa-warning/