


Perceptive Security
SOC/SIEM Consultancy

FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches
Published:
24 April 2026 at 17:06:00
Alert date:
24 April 2026 at 18:03:40
Source:
thehackernews.com
Network Infrastructure, Ransomware & Malware, Critical Infrastructure
CISA revealed that a federal civilian agency's Cisco Firepower device running ASA software was compromised in September 2025 with the FIRESTARTER backdoor malware. The backdoor is designed for remote access and was assessed by CISA and the UK's NCSC. The compromise affected critical network infrastructure at a federal agency and is a significant security incident, notably because the implant persists through security patches.
Technical details
FIRESTARTER is a Linux ELF binary backdoor that targets Cisco Firepower devices running ASA or FTD software. It persists through firmware updates and device reboots unless a hard power cycle occurs. The malware integrates into the device's boot sequence by manipulating a startup mount list and attempts to install hooks within LINA (the device's core engine) to enable execution of arbitrary shellcode. It works in conjunction with the LINE VIPER post-exploitation toolkit, which can execute CLI commands, perform packet captures, bypass VPN AAA for actor-controlled devices, suppress syslog messages, harvest user CLI commands, and force delayed reboots. FIRESTARTER parses specially crafted WebVPN authentication requests containing magic packets to receive shellcode.
Mitigation steps:
Reimage and upgrade affected devices to fully remove the persistence mechanism
Treat all configuration elements of compromised devices as untrusted
Perform a cold restart (pull the power cord) to remove the FIRESTARTER implant; the shutdown, reboot and reload CLI commands are insufficient
Apply security patches for CVE-2025-20333 and CVE-2025-20362
Monitor for specially crafted WebVPN authentication requests
Check for unauthorized CLI command execution and packet captures
Check for VPN AAA bypass attempts
Monitor for syslog message suppression
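As an added defender-side example (not taken from the CISA report, the article, or Perceptive), the script below implements two of the monitoring steps listed above over constructed sample syslog lines: it reports stretches of unexpected silence from a device that otherwise logs steadily, which is one way syslog suppression becomes visible in a collector, and it flags CLI executions by unapproved users or of packet-capture commands. The '%ASA-5-111010' command-audit message layout and the ISO timestamps are assumptions about how the reader's collector exports logs; the gap threshold and approved-user set are placeholders to tune per environment.

```python
"""Checks for two monitoring steps: syslog suppression (a normally chatty
device going quiet) and CLI executions outside an approved set.
Sample lines are constructed for this example; the '%ASA-5-111010'
message layout is an assumption about the reader's syslog export and
should be checked against the actual device output."""
import re
from datetime import datetime, timedelta

# Constructed sample syslog export: timestamp, device, message ID, message.
SAMPLE_LOGS = """\
2025-09-10T08:00:00 fw-edge-1 %ASA-5-111010: User 'netops', running 'CLI' from IP 10.0.0.5, executed 'show version'
2025-09-10T08:00:30 fw-edge-1 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.7/443
2025-09-10T08:01:00 fw-edge-1 %ASA-6-302013: Built inbound TCP connection 12346 for outside:203.0.113.8/443
2025-09-10T08:01:30 fw-edge-1 %ASA-5-111010: User 'svc_backup', running 'CLI' from IP 10.0.0.9, executed 'capture cap1 interface inside'
2025-09-10T08:45:00 fw-edge-1 %ASA-6-302013: Built inbound TCP connection 12347 for outside:203.0.113.9/443
2025-09-10T08:45:10 fw-edge-1 %ASA-5-111010: User 'netops', running 'CLI' from IP 10.0.0.5, executed 'show logging'
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (%ASA-\d-\d+): (.*)$")
CLI_RE = re.compile(r"User '([^']+)'.*executed '([^']+)'")


def parse(text):
    """Yield (timestamp, device, msg_id, message); skip lines that do not match."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def syslog_gaps(text, max_gap=timedelta(minutes=10)):
    """Return (device, last_seen, next_seen) for every silence longer than max_gap.
    A device that normally logs every few seconds and then goes quiet for a
    long stretch is one observable of the syslog suppression described above.
    The 10-minute threshold is a placeholder; tune it to the device's baseline."""
    last_seen = {}
    gaps = []
    for ts, dev, _, _ in parse(text):
        if dev in last_seen and ts - last_seen[dev] > max_gap:
            gaps.append((dev, last_seen[dev], ts))
        last_seen[dev] = ts
    return gaps


def suspicious_cli(text, approved_users, watched_prefixes=("capture",)):
    """Flag CLI executions by users outside approved_users and any command
    starting with a watched prefix (packet captures by default).
    Returns (timestamp, device, user, command, reasons) tuples."""
    findings = []
    for ts, dev, msg_id, msg in parse(text):
        if msg_id != "%ASA-5-111010":  # assumed command-audit message ID
            continue
        m = CLI_RE.search(msg)
        if not m:
            continue
        user, cmd = m.groups()
        reasons = []
        if user not in approved_users:
            reasons.append("unapproved user")
        if cmd.startswith(watched_prefixes):
            reasons.append("watched command")
        if reasons:
            findings.append((ts, dev, user, cmd, reasons))
    return findings


if __name__ == "__main__":
    for gap in syslog_gaps(SAMPLE_LOGS):
        print("syslog gap:", gap)
    for finding in suspicious_cli(SAMPLE_LOGS, approved_users={"netops"}):
        print("cli finding:", finding)
```

Both checks are deliberately simple so they can be ported to a SIEM rule: the gap detector only needs a per-device "last event" timestamp, and the CLI check only needs the command-audit message to be parsed into user and command fields. A silence alone is not proof of suppression (a device may be idle or its log forwarding may have failed), so the gap finding is best correlated with the device's uptime and the collector's own health before escalating.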
Affected products:
Cisco Firepower devices running Adaptive Security Appliance (ASA) software
Cisco Adaptive Security Appliance (ASA) firmware
Cisco Firepower Threat Defense (FTD) software
Cisco Secure ASA platforms
Cisco FTD platforms
Related links:
https://www.cisa.gov/news-events/analysis-reports/ar26-113a
https://thehackernews.com/2025/11/cisco-warns-of-new-firewall-attack.html
https://thehackernews.com/2025/09/cisco-asa-firewall-zero-day-exploits.html
https://blog.talosintelligence.com/uat-4356-firestarter/
https://thehackernews.com/2024/04/state-sponsored-hackers-exploit-two.html
https://thehackernews.com/2024/05/china-linked-hackers-suspected-in.html
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-CISAED25-03
https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-113a
https://thehackernews.com/2024/02/after-fbi-takedown-kv-botnet-operators.html
https://thehackernews.com/2024/09/new-raptor-train-iot-botnet-compromises.html
Related CVEs:
Related threat actors:
IOCs:
FIRESTARTER malware (Linux ELF binary), LINE VIPER post-exploitation toolkit, RayInitiator bootkit (related malware), specially crafted WebVPN authentication requests containing magic packets, hooks installed within the LINA process
This article was created with the assistance of AI technology by Perceptive.
