Joint Warning From CISA and NCSC
Cybersecurity authorities in the United States and United Kingdom have issued a joint warning about a custom malware strain named Firestarter that is actively targeting Cisco network appliances. Specifically, the threat affects devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software on Cisco Firepower and Secure Firewall hardware.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.K. National Cyber Security Centre (NCSC) attribute the campaign to a threat actor that Cisco Talos tracks internally as UAT-4356. This group has a documented history of cyberespionage activity, including the previously disclosed ArcaneDoor campaign.
Initial Access: Two Vulnerabilities Under Exploitation
According to CISA and NCSC, the adversary gained initial footholds by exploiting one or both of the following vulnerabilities:
- CVE-2025-20333 — a missing authorization issue
- CVE-2025-20362 — a buffer overflow bug
In at least one confirmed intrusion targeting a federal civilian executive branch agency, CISA observed a two-stage infection chain. The threat actor first deployed a user-mode shellcode loader called Line Viper, followed by the Firestarter backdoor, which ensures continued access even after the victim applies security patches.
CISA noted in its alert: "CISA has not confirmed the exact date of initial exploitation but assesses the compromise occurred in early September 2025, and before the agency implemented patches in accordance with ED 25-03."
What Line Viper Does First
Before Firestarter is deployed, Line Viper plays a critical preparatory role. The malware establishes VPN sessions on compromised Firepower devices and harvests sensitive configuration data, including:
- Administrative credentials
- Certificates
- Private keys
Once Line Viper completes its reconnaissance and credential-theft functions, the attackers drop an ELF binary for the Firestarter backdoor, which then assumes responsibility for persistent access.
Firestarter's Persistence Mechanism Explained
What makes Firestarter particularly dangerous is its resilience. Once installed, the backdoor maintains persistence across device reboots, firmware updates, and security patches. Even if the process is forcibly terminated, it relaunches automatically.
This staying power is achieved by hooking deeply into LINA, the core Cisco ASA process. Signal handlers embedded in the malware trigger reinstallation routines whenever the backdoor detects that it has been shut down — including during what Cisco Talos describes as a graceful reboot initiated by a process termination signal.
A joint malware analysis report from CISA and NCSC details the specific technical steps Firestarter takes to entrench itself:
- It modifies the CSP_MOUNT_LIST boot/mount file to guarantee execution at startup.
- It stores a copy of itself at /opt/cisco/platform/logs/var/log/svc_samcore.log.
- It restores that copy to /usr/bin/lina_cs, where it runs silently in the background.
Cisco Talos published its own analysis confirming that these persistence routines are activated the moment the backdoor receives a process termination signal.
Remote Code Execution via Crafted WebVPN Requests
Beyond persistence, Firestarter functions as a fully capable remote access backdoor that can also execute attacker-supplied shellcode. The mechanism works as follows:
- Firestarter hooks into LINA by modifying an XML handler and injecting shellcode into memory, creating a controlled execution path.
- This shellcode is triggered by a specially crafted WebVPN request.
- After validating a hardcoded identifier within that request, the malware loads and executes attacker-provided payloads directly in memory.
CISA has not disclosed details about the specific payloads observed in real-world attacks leveraging this mechanism.
Cisco's Recommended Mitigations
Cisco has published a security advisory addressing Firestarter that includes mitigations, workarounds for removing the persistence mechanism, and indicators of compromise to help administrators identify infected devices.
The vendor strongly recommends reimaging and upgrading the device using the fixed releases, a recommendation that applies to both confirmed and potentially compromised devices.
How to Check for Compromise
Administrators can determine whether a device has been affected by running the following command:
show kernel process | include lina_cs
Any output returned by this command should be treated as a sign of compromise.
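As an added triage helper that is not part of the original article or of any CISA or Cisco tooling, the following Python combines the `show kernel process | include lina_cs` check with the on-disk indicators listed in the persistence section above. The captured session text and the process-line layout are constructed for illustration, and the CSP_MOUNT_LIST check is a heuristic assumption, since the reporting does not describe that file's format.

```python
import re
from dataclasses import dataclass

# Indicators named in the CISA/NCSC and Cisco Talos reporting summarised above.
LINA_CS_PATH = "/usr/bin/lina_cs"
STAGED_COPY_PATH = "/opt/cisco/platform/logs/var/log/svc_samcore.log"
MOUNT_LIST_NAME = "CSP_MOUNT_LIST"

# Assumed ASA/FTD prompt shape, e.g. "ciscoasa#" or "fw(config)#", optionally
# followed by the echoed "show ..." command.
PROMPT_RE = re.compile(r"^\S+[>#](\s+show\b.*)?$")


@dataclass
class Finding:
    indicator: str
    evidence: str


def lina_cs_processes(session_text: str) -> list[str]:
    """Return the real output lines of `show kernel process | include lina_cs`
    from a captured CLI session. Prompts and the echoed command are dropped,
    because the echo itself contains 'lina_cs' and would otherwise be a false hit.
    Per Cisco, any line that survives should be treated as a sign of compromise."""
    hits = []
    for raw in session_text.splitlines():
        line = raw.strip()
        if not line or PROMPT_RE.match(line) or line.startswith("show "):
            continue
        if "lina_cs" in line:
            hits.append(line)
    return hits


def triage(session_text: str, disk_paths: set[str], mount_list_text: str) -> list[Finding]:
    """Combine the live check with disk-image checks drawn from the advisory: the
    staged copy under /opt/cisco/..., the restored binary at /usr/bin/lina_cs, and
    any CSP_MOUNT_LIST line referencing either (assumed line-oriented; heuristic)."""
    findings = [Finding("lina_cs process running", h) for h in lina_cs_processes(session_text)]
    for path in (STAGED_COPY_PATH, LINA_CS_PATH):
        if path in disk_paths:
            findings.append(Finding("Firestarter file present on disk", path))
    for line in mount_list_text.splitlines():
        if "lina_cs" in line or "svc_samcore.log" in line:
            findings.append(Finding(f"{MOUNT_LIST_NAME} references Firestarter artefact", line.strip()))
    return findings


# Constructed sample sessions; the process-line layout is illustrative, not Cisco's exact format.
INFECTED_SESSION = """ciscoasa# show kernel process | include lina_cs
 2231 root   0.0  /usr/bin/lina_cs
ciscoasa#"""
CLEAN_SESSION = "ciscoasa# show kernel process | include lina_cs\nciscoasa#"
```

Note that a clean device still echoes the command text containing "lina_cs", so a naive grep over a saved transcript would report a false positive; the prompt filter above is what avoids that.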
If Reimaging Is Not Immediately Possible
Cisco acknowledges that reimaging may not always be immediately feasible. In such cases, a cold restart — physically disconnecting the device from power — can remove the malware from memory. However, Cisco explicitly warns against this approach as a long-term solution, noting it carries a risk of database or disk corruption that can cause boot failures.
YARA Rules and Detection Support
CISA has also shared two YARA rules that can detect the Firestarter backdoor. These rules are designed to be applied to a disk image or a core dump taken from a potentially compromised device, giving defenders a forensic-grade detection option without requiring a live analysis of the running system.
Broader Implications
The Firestarter campaign underscores a growing trend of sophisticated threat actors targeting network infrastructure devices — particularly perimeter appliances like firewalls — where implants can survive standard IT hygiene measures such as patching and rebooting. The attribution to UAT-4356, a group already tied to the ArcaneDoor espionage campaign, suggests a well-resourced adversary with a sustained interest in persistent access to high-value government and enterprise networks.
Organizations running Cisco Firepower or Secure Firewall devices are strongly urged to consult Cisco's security advisory, apply the fixed software releases, and use CISA's published YARA rules to audit their environments as soon as possible.
Source: BleepingComputer