
Firestarter malware survives Cisco firewall updates, security patches

Published: 24 April 2026 at 20:34:08

Alert date: 24 April 2026 at 21:02:15

Source: bleepingcomputer.com


Network Infrastructure, Ransomware & Malware

Cybersecurity agencies in the U.S. and U.K. are warning about Firestarter, custom malware that persists on Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. Because the implant survives firewall updates and security patches, patching an already-compromised device does not remove it, which makes it a significant threat to network infrastructure.

Technical details

Firestarter is a custom backdoor that persists on Cisco Firepower and Secure Firewall devices running ASA or FTD software. It survives reboots, firmware updates, and security patches by hooking into LINA (the core Cisco ASA process) and installing signal handlers that trigger its reinstallation routine. To support this, it modifies the CSP_MOUNT_LIST boot/mount file, keeps a copy of itself at /opt/cisco/platform/logs/var/log/svc_samcore.log (a path that looks like an ordinary log file), and restores that copy to /usr/bin/lina_cs. Once running, the backdoor provides remote access and executes attacker-supplied shellcode delivered in specially crafted WebVPN requests, after checking that the request carries a hardcoded identifier.

Mitigation steps:

Check for compromise: run 'show kernel process | include lina_cs' on the device. Any output at all indicates compromise.
Remediate: Cisco strongly recommends reimaging the device and upgrading to a fixed release. Installing the patches alone is not sufficient on an already-compromised device, because the implant survives security updates.
If reimaging is not possible: perform a cold restart (disconnect the device's power). This carries a risk of database or disk corruption.
Hunt further: apply the YARA rules provided by CISA to disk images or core dumps to detect the backdoor.
Patch: apply the fixes for CVE-2025-20333 and CVE-2025-20362 as part of the upgrade to a fixed release.
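The compromise check above is a single CLI command whose output you read by eye. When triaging many devices it helps to paste captured output into a script that applies the same indicators consistently. The following is an added example written for this page, not Cisco's or CISA's tooling: it takes text already captured from a device (the output of 'show kernel process' and a file listing) and flags the process name and file paths named in this advisory. The column layout of the sample 'show kernel process' output and the '/asa/bin/lina' path are constructed assumptions, not a verified format, which is why the check matches on the process-name token rather than on column positions.

```python
"""Offline triage of captured Cisco ASA/FTD output for Firestarter indicators.

Added example for this advisory page; not Cisco or CISA code. It never talks
to a device: feed it text you captured from a console or terminal session.
"""

# Indicators taken from the advisory.
IOC_PROCESS = "lina_cs"
IOC_PATHS = (
    "/usr/bin/lina_cs",
    "/opt/cisco/platform/logs/var/log/svc_samcore.log",
)

# Constructed sample of 'show kernel process' output. The column layout and
# the '/asa/bin/lina' path are assumptions made for this example.
SAMPLE_PROCESS_OUTPUT = """\
  PID  PPID  STAT  COMMAND
    1     0  S     init
  812     1  S     /asa/bin/lina
  815   812  S     /usr/bin/lina_cs
  901     1  S     sshd
"""

# Constructed sample file listing (one absolute path per line).
SAMPLE_FILE_LISTING = """\
/usr/bin/lina
/usr/bin/lina_cs
/opt/cisco/platform/logs/var/log/svc_samcore.log
/opt/cisco/platform/logs/var/log/messages
"""


def flag_processes(output: str) -> list[str]:
    """Return every line that names a lina_cs process.

    Matches on whole whitespace-separated tokens ('lina_cs' or '.../lina_cs')
    so the legitimate 'lina' process is never reported. A non-empty result
    corresponds to 'any output indicates compromise' in the advisory.
    """
    hits = []
    for line in output.splitlines():
        for token in line.split():
            if token == IOC_PROCESS or token.endswith("/" + IOC_PROCESS):
                hits.append(line.strip())
                break
    return hits


def flag_paths(listing: str) -> list[str]:
    """Return the advisory's IOC paths that appear in a captured file listing."""
    present = {p.strip() for p in listing.splitlines() if p.strip()}
    return [p for p in IOC_PATHS if p in present]


def triage(process_output: str, file_listing: str) -> dict:
    """Combine both checks into one verdict for a single device."""
    procs = flag_processes(process_output)
    paths = flag_paths(file_listing)
    return {
        "process_hits": procs,
        "path_hits": paths,
        "compromised": bool(procs or paths),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_PROCESS_OUTPUT, SAMPLE_FILE_LISTING)
    for line in result["process_hits"]:
        print("process indicator:", line)
    for path in result["path_hits"]:
        print("file indicator:   ", path)
    print("verdict:", "COMPROMISED" if result["compromised"] else "no indicators found")
```

A hit from either check is only a trigger for the advisory's remediation (reimage and upgrade); the absence of hits is not proof of a clean device, since an implant that hooks the LINA process can be present without its file copy being visible in a casual listing.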

Affected products:

Cisco Firepower devices
Cisco Secure Firewall devices running Adaptive Security Appliance (ASA)
Cisco Secure Firewall devices running Firepower Threat Defense (FTD)

Related CVEs:

CVE-2025-20333
CVE-2025-20362

IOCs:

Process name: lina_cs
File path: /opt/cisco/platform/logs/var/log/svc_samcore.log
File path: /usr/bin/lina_cs
Modified file: CSP_MOUNT_LIST boot/mount file

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information from external sources; Perceptive accepts no responsibility for the accuracy, completeness or currency of this information.
