FIRESTARTER Backdoor

Published: 23 April 2026 at 12:00:00

Alert date: 23 April 2026 at 16:01:31

Source: cisa.gov

Network Infrastructure, Ransomware & Malware, Critical Infrastructure

CISA analyzed FIRESTARTER malware, a backdoor used by APT actors for persistence on Cisco Firepower and Secure Firewall devices running ASA or FTD software. The malware exploits CVE-2025-20333 and CVE-2025-20362 to gain initial access and maintains persistence even after firmware updates and device reboots. FIRESTARTER installs hooks in LINA to execute arbitrary shellcode and can survive patching efforts. Only a hard power cycle can remove the malware's persistence mechanism.

Technical details

Mitigation steps:

Affected products:

Cisco Firepower
Cisco Secure Firewall
Cisco ASA
Cisco FTD

Related links:

Related CVEs:

Related threat actors:

IOCs:

/usr/bin/lina_cs
/opt/cisco/platform/logs/var/log/svc_samcore.log
/opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.