
The Cybersecurity and Infrastructure Security Agency (CISA) has disclosed that a U.S. federal civilian agency was compromised by FIRESTARTER malware on a Cisco Firepower device, with the backdoor maintaining access even after security patches were applied.
Initial Compromise And Exploited Vulnerabilities
The affected system was running Cisco ASA software and was breached in September 2025 through vulnerabilities including CVE-2025-20333 and CVE-2025-20362. These flaws enabled remote code execution using VPN credentials and unauthorized access to restricted endpoints via crafted HTTP requests.
CISA, alongside the UK National Cyber Security Centre (NCSC), assessed that the intrusion formed part of a broader advanced persistent threat campaign targeting Cisco Adaptive Security Appliance firmware.
FIRESTARTER Backdoor Capabilities
FIRESTARTER functions as a Linux ELF backdoor designed for Cisco Firepower and Secure Firewall systems, enabling remote command-and-control access. The malware persists by intercepting termination signals and relaunching itself, allowing it to survive reboots and firmware updates unless a full power cycle or reimaging occurs.
It embeds into the LINA network processing engine, installing hooks that alter standard XML handling functions. This enables execution of attacker-controlled shellcode and supports deployment of additional payloads.
Post Exploitation And Persistence Mechanisms
Investigators found that attackers initially deployed LINE VIPER as a post-exploitation tool before installing FIRESTARTER to maintain long-term access. Even after Cisco released patches addressing the exploited vulnerabilities, previously compromised devices remained infected because the malware is not removed through standard updates.
FIRESTARTER establishes persistence by writing itself into reboot-surviving system locations, modifying configuration files, and reinstalling itself under new paths. It manipulates system components, removes traces, and continues operating in the background while suppressing errors.
The malware also scans system memory, injects shellcode into shared libraries such as libstdc++, and installs detours to intercept system processes. It activates payloads only after verifying specific identifiers within WebVPN traffic, indicating targeted deployment.
Detection And Mitigation Guidance
CISA and the NCSC have instructed federal agencies to follow Emergency Directive 25-03 and use YARA rules to detect FIRESTARTER within disk images and memory dumps. Organizations are advised to report findings to both agencies.
Security guidance includes maintaining inventories of network edge devices, auditing privileged accounts, enforcing least privilege access, rotating credentials, and adopting secure authentication protocols such as TACACS+ over TLS 1.3.
Remediation Challenges And Recommendations
According to Cisco Talos, full device reimaging is required to remove the malware. For certain Cisco FTD systems not in lockdown mode, mitigation may include terminating specific processes and reloading the device.
The agencies emphasized that while patching known vulnerabilities remains necessary, it does not eliminate existing infections, highlighting the need for deeper remediation steps and continuous monitoring.
Featured image credits: Daily CSR
