
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has disclosed that Cisco Firepower devices at an unnamed federal civilian agency running Adaptive Security Appliance (ASA) software were compromised by malware known as FIRESTARTER in September 2025.
According to CISA and the UK National Cyber Security Centre (NCSC), FIRESTARTER has been assessed as a backdoor designed for remote access and control. The attack is believed to be part of a "widespread" campaign by an advanced persistent threat (APT) actor to gain access to Cisco ASA devices by exploiting two now-patched security flaws:
CVE-2025-20333 (CVSS score: 9.9) – An improper validation of user-supplied input vulnerability that could allow an authenticated, remote attacker with valid VPN user credentials to execute arbitrary code as root on an affected device by sending a crafted HTTP request.
CVE-2025-20362 (CVSS score: 6.5) – An improper validation of user-supplied input vulnerability that could allow an unauthenticated, remote attacker to access restricted URL endpoints without authentication by sending a crafted HTTP request.
“FIRESTARTER can persist as an active threat on Cisco devices running ASA or Firepower Threat Defense (FTD) software, maintaining persistence after patching and allowing threat actors to regain access to compromised devices without re-exploiting vulnerabilities,” the agency said.
In the incidents investigated, the attacker was found to deploy a post-exploitation toolkit called LINE VIPER that can execute CLI commands, perform packet captures, bypass VPN authentication, authorization, and accounting (AAA) for the attacker's device, suppress syslog messages, collect user CLI commands, and force a delayed restart.
The elevated access provided by LINE VIPER served as a conduit to FIRESTARTER deployed on Firepower devices prior to September 25, 2025, allowing attackers to maintain continued access and return to appliances that were compromised as recently as last month.
FIRESTARTER, a Linux ELF binary, establishes persistence on the device and survives firmware updates and device reboots unless a hard power cycle occurs. The malware inserts itself into the device's boot sequence by manipulating the boot mount list, so that it is automatically reactivated each time the device reboots normally. Beyond its resiliency, the implant also shows some overlap with a previously documented bootkit called RayInitiator.
According to the advisory, "FIRESTARTER attempts to install hooks within LINA, the device's core engine for network processing and security functions, a way to intercept and modify normal operations. This hook allows execution of arbitrary shell code provided by the APT actor, including deployment of LINE VIPER."
"Cisco's patch addressed CVE-2025-20333 and CVE-2025-20362, but devices that were compromised before the patch was applied may remain vulnerable because the firmware update does not remove FIRESTARTER," the advisory added.
Cisco, which tracks the exploitation activity targeting the two vulnerabilities under the name UAT4356 (also known as Storm-1849), describes FIRESTARTER as a backdoor that enables the execution of arbitrary shellcode in LINA processes by parsing specially crafted WebVPN authentication requests containing "magic packets."
The exact origins of the threat activity are unknown, but a May 2024 analysis by attack surface management platform Censys suggests a link to China. UAT4356 was first linked to a campaign called ArcaneDoor, which exploited two zero-day flaws in Cisco networking equipment to deliver custom malware capable of capturing and spying on network traffic.
“To completely remove the persistence mechanism, we strongly recommend reimaging and upgrading the device,” Cisco said. “If a compromise is confirmed on a Cisco Secure ASA or FTD platform, all components of the device should be considered untrusted.”
As a mitigation until a reimage is performed, the company recommends that customers perform a cold reboot to remove the FIRESTARTER implant. "Shutdown, restart, and reload CLI commands will not erase persistent malicious implants; you will need to unplug the power cord from the device and plug it back in," it added.
Chinese hackers move from individually procured infrastructure to covert networks
The disclosure comes as the United States, United Kingdom, and several international partners issued a joint advisory about a large network of SOHO routers and IoT devices compromised by China-aligned threat actors to conceal espionage activity and complicate efforts to trace it back to its source.
State-backed groups such as Volt Typhoon and Flax Typhoon are using these botnets, which consist of home routers, surveillance cameras, video recorders, and other IoT devices, to target critical infrastructure sectors and conduct cyber espionage in a "low-cost, low-risk, and deniable manner," according to the alert.
Further complicating the problem is the fact that the makeup of these networks is constantly changing. Moreover, multiple China-linked threat groups can use the same botnet at the same time, making it difficult for defenders to identify and block them with static IP blocklists.
“While most of the covert network consists of compromised SOHO routers, it also draws in vulnerable devices that can be exploited at scale,” the agency said. “Their traffic is routed through multiple compromised devices used as traversal nodes before exiting the network from an exit node, typically located in the same geographic area as the target.”
The findings highlight a common pattern in state-sponsored attacks: they target network perimeter devices in residential, corporate, and government networks with the goal of turning them into proxy nodes or intercepting sensitive data and communications.
