FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches
Summary
A new Linux ELF-based backdoor named FIRESTARTER has been identified targeting Cisco Firepower and Adaptive Security Appliance (ASA) devices. The malware exploits critical vulnerabilities to establish persistent remote access that survives firmware updates and standard device reboots.
Key Points
- Exploits CVE-2025-20333 (CVSS 9.9) to allow authenticated remote attackers to execute arbitrary code as root via crafted HTTP requests.
- Exploits CVE-2025-20362 (CVSS 6.5) to allow unauthenticated attackers to access restricted URL endpoints.
- Utilizes the LINE VIPER post-exploitation toolkit to execute CLI commands, perform packet captures, bypass VPN Authentication, Authorization, and Accounting (AAA), and suppress syslog messages.
- Achieves persistence by manipulating the device's startup mount list, ensuring the malware reactivates during normal boot sequences.
- The implant survives firmware updates and standard reboot or reload commands, requiring a physical power cycle (cold restart) for temporary removal.
- The malware is associated with the threat actor group UAT4356 (also known as Storm-1849).
Technical Details
FIRESTARTER operates as a Linux ELF binary that installs a hook within the LINA engine, which is the core process responsible for network processing and security functions on Cisco ASA and Firepower Threat Defense (FTD) platforms. The backdoor facilitates the execution of arbitrary shellcode by parsing specially crafted WebVPN authentication requests containing a "magic packet." Once the foothold is established, the threat actor can deploy the LINE VIPER toolkit to manipulate the device's operational state, including harvesting user CLI commands and forcing delayed reboots to disrupt operations.
The persistence mechanism is highly resilient because it modifies the device's boot sequence via the startup mount list. Because the malware resides within the boot process, applying Cisco's security patches for CVE-2025-20333 and CVE-2025-20362 is insufficient to remove the implant. While a cold restart (physically pulling the power cord) can temporarily clear the active implant, the only way to ensure complete removal is to reimage the device and upgrade to fixed firmware releases.
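Because the LINE VIPER toolkit can suppress syslog messages, one defender-side signal worth watching is a normally chatty ASA or FTD device going quiet while it remains reachable. The following script is an added example, not code from the report or from Cisco: it parses constructed ASA-style syslog lines (the device names, timestamps, and addresses are sample data) and flags any device whose log stream falls silent for longer than a threshold.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an ASA-style syslog layout (not taken from the
# report). fw-edge-01 logs steadily, then emits nothing for about 40 minutes;
# fw-core-02 shows an ordinary short pause that should not be flagged.
SAMPLE_LOG = """\
Jan 14 2025 10:00:00 fw-edge-01 : %ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.5/443 to inside:10.0.0.12/51234
Jan 14 2025 10:00:05 fw-edge-01 : %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/443 to inside:10.0.0.12/51234 duration 0:00:05 bytes 8192 TCP FINs
Jan 14 2025 10:00:09 fw-edge-01 : %ASA-6-302013: Built outbound TCP connection 1002 for outside:203.0.113.9/443 to inside:10.0.0.15/51240
Jan 14 2025 10:40:12 fw-edge-01 : %ASA-6-302013: Built outbound TCP connection 1003 for outside:203.0.113.7/443 to inside:10.0.0.20/51300
Jan 14 2025 10:00:03 fw-core-02 : %ASA-6-302013: Built outbound TCP connection 2001 for outside:198.51.100.4/443 to inside:10.1.0.8/49000
Jan 14 2025 10:00:30 fw-core-02 : %ASA-6-302013: Built outbound TCP connection 2002 for outside:198.51.100.4/443 to inside:10.1.0.8/49001
"""

# Timestamp, reporting device, and ASA message ID at the start of each record.
LINE_RE = re.compile(r"^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (\S+) : (%ASA-\d-\d+):")


def parse_events(text):
    """Return {device: [datetime, ...]} for every line that matches the ASA pattern."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not an ASA syslog record
        events[m.group(2)].append(datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S"))
    return events


def find_silent_gaps(text, max_gap_seconds=900):
    """Return [(device, gap_start, gap_end, seconds)] for each silence above the threshold."""
    gaps = []
    for device, stamps in parse_events(text).items():
        stamps.sort()
        for earlier, later in zip(stamps, stamps[1:]):
            delta = (later - earlier).total_seconds()
            if delta > max_gap_seconds:
                gaps.append((device, earlier, later, delta))
    return gaps


if __name__ == "__main__":
    for device, start, end, seconds in find_silent_gaps(SAMPLE_LOG):
        print(f"{device}: no syslog for {seconds:.0f}s between {start} and {end}")
```

A gap like this is also produced by a legitimate reload or a collector outage, so treat it as a trigger to verify the device against vendor guidance rather than as proof of compromise. Run it against your own exported syslog after adjusting LINE_RE to the exact layout your collector writes.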
Impact / Why It Matters
Security administrators must treat all configuration elements on potentially compromised Cisco ASA or FTD platforms as untrusted. Standard software-based remediation and patching are insufficient to eliminate the FIRESTARTER implant, necessitating a full device reimage for guaranteed recovery.