Advisory Overview
The US Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) have jointly revealed that a US Federal Civilian Executive Branch (FCEB) agency's Cisco Firepower device running ASA software was compromised in September 2025 with a sophisticated custom backdoor called FIRESTARTER.
CISA discovered the compromise through continuous monitoring, validated the finding with agency personnel, and conducted a full forensic engagement — ultimately discovering the FIRESTARTER malware sample on the affected device. The implant is attributed to UAT-4356, a state-sponsored threat actor previously linked to the ArcaneDoor campaign targeting network perimeter devices.
CISA has issued Emergency Directive 25-03 requiring all FCEB agencies to audit their Cisco Firepower devices by April 24, 2026 and submit device inventories by May 1, 2026.
What Is FIRESTARTER?
FIRESTARTER is a Linux Executable and Linkable Format (ELF) binary designed to execute on Cisco Firepower and Secure Firewall devices, functioning as a command-and-control (C2) channel for remote access and persistent control.
| Characteristic | Detail |
|---|---|
| Malware type | Linux ELF backdoor / C2 implant |
| Target platform | Cisco Firepower devices running ASA or FTD software |
| Primary function | Persistent remote access and command execution |
| Persistence mechanism | Survives firmware updates and graceful reboots |
| Attribution | UAT-4356 (state-sponsored, ArcaneDoor actor) |
| Discovery | CISA continuous monitoring, September 2025 compromise |
| Removal method | Hard power cycle (physical unplug) or full device reimaging |
The FIRESTARTER + LINE VIPER Attack Chain
FIRESTARTER was deployed alongside a second implant, LINE VIPER, in a layered attack chain:
Stage 1: Initial Compromise (September 2025)
UAT-4356 exploited CVE-2025-20333 and CVE-2025-20362 on the target Cisco Firepower device:
- CVE-2025-20333 — enables remote code execution
- CVE-2025-20362 — enables privilege escalation
Stage 2: LINE VIPER Deployment
Following initial access, the threat actors deployed LINE VIPER as a post-exploitation toolkit with the following capabilities:
LINE VIPER Capabilities:
- Execute CLI commands on the firewall
- Perform packet captures
- Bypass VPN Authentication, Authorization, and Accounting (AAA) for actor-controlled devices
- Suppress syslog messages (anti-forensic evasion)
- Harvest user CLI commands
- Force delayed reboots
Stage 3: FIRESTARTER Persistence (March 2026)
With LINE VIPER providing initial post-exploitation access, UAT-4356 deployed FIRESTARTER in March 2026 to maintain persistence — particularly to survive any patching or remediation attempts.
Stage 4: Post-Patch Survival
Although Cisco released patches for CVE-2025-20333 and CVE-2025-20362, devices compromised prior to patching remained infected because FIRESTARTER is not removed by firmware updates.
FIRESTARTER Persistence Mechanism
FIRESTARTER achieves persistence by manipulating the Cisco Service Platform (CSP) mount list (CSP_MOUNT_LIST):
Persistence Flow:
1. FIRESTARTER modifies CSP_MOUNT_LIST to execute itself during boot
2. On graceful reboot, the persistence mechanism triggers
3. FIRESTARTER checks the runlevel and copies itself to a backup location
4. Updates CSP_MOUNT_LIST to point to the backup copy
5. Executes during the next boot cycle
Result: Survives standard firmware updates and graceful reboots
Removal: Requires hard power cycle (physical unplug) or full reimaging
FIRESTARTER also detects termination signals and relaunches itself, preventing standard process-kill remediation. It attempts to install a hook within LINA — the device's core engine for network processing and security functions.
Detection Indicators
Known Indicators of Compromise (IoCs)
| Indicator | Type | Description |
|---|---|---|
| lina_cs | Process name | Malicious process — primary FIRESTARTER IoC |
| /usr/bin/lina_cs | File path | FIRESTARTER binary on disk |
| /opt/cisco/platform/logs/var/log/svc_samcore.log | File path | Secondary presence indicator |
| Suppressed syslog messages | Log anomaly | LINE VIPER anti-forensic activity |
| AAA bypass events | Auth anomaly | LINE VIPER bypassing VPN authentication |
Detection Commands
# Check for FIRESTARTER process
show processes | include lina_cs
# Verify filesystem for malicious files (FTD expert mode)
expert
ls -la /usr/bin/lina_cs
ls -la /opt/cisco/platform/logs/var/log/svc_samcore.log
# Check for unexpected CSP_MOUNT_LIST modifications
show running-config | include csp
# Review for suppressed or anomalous syslog gaps
show logging | include gap
# Verify image integrity against Cisco published hashes
verify /sha-512 disk0:/asa*.bin
verify /sha-512 disk0:/ftd*.bin
Affected Platforms
| Platform | Software | Action Required |
|---|---|---|
| Cisco Firepower appliances | Cisco ASA | Audit for IoCs; reimage if compromised |
| Cisco Secure Firewall | Cisco FTD | Audit for IoCs; reimage if compromised |
| Cisco Firepower Management Center | FMC | Advisory pending from Cisco |
CVEs exploited: CVE-2025-20333 and CVE-2025-20362. Organizations should verify these are patched — but patching alone is insufficient if the device was compromised prior to patching.
CISA Directives and Federal Requirements
CISA published Emergency Directive ED 25-03 with the following mandatory actions for FCEB agencies:
| Requirement | Deadline |
|---|---|
| Complete all device checks and updates | April 24, 2026, 11:59 PM EST |
| Hard-reset compromised devices | April 30, 2026 |
| Submit Cisco Firepower device inventory | May 1, 2026 |
For confirmed compromises, CISA may issue instructions to physically unplug the device from power to remove FIRESTARTER's persistence mechanism before reimaging.
CISA will provide a report on the campaign to the National Cyber Director and other White House leaders by August 1, 2026.
Recommended Actions for All Organizations
Immediate (All Cisco Firepower / ASA / FTD Operators)
- Audit all Cisco Firepower, Secure Firewall, and ASA devices against published IoCs
- Search for lina_cs process and file artifacts using the detection commands above
- Verify patch status for CVE-2025-20333 and CVE-2025-20362
- Review CSP_MOUNT_LIST for unauthorized modifications
- Inspect syslog continuity — gaps may indicate LINE VIPER suppression activity
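The process-name check from the Detection Commands section and the syslog-continuity check from the list above, scripted as an added triage example (not code from the advisory or from Cisco/CISA): it matches captured `show processes` rows against the lina_cs indicator and flags silent windows in ASA-style syslog. The device output and syslog lines are constructed samples; the 30-minute silence threshold is an assumption to tune per device.

```python
import re
from datetime import datetime, timedelta

# Process indicator from the advisory's IoC table.
IOC_PROCESSES = {"lina_cs"}

# Constructed sample of `show processes` output (columns simplified).
SAMPLE_PROCESSES = """\
PC         SP         STATE       Runtime    SBASE      Stack Process
0x0000a1b2 0x0bcd1234 0x00000000          0 0x0bcd0000  8192/16384 lina
0x0000a1b2 0x0bcd5678 0x00000000          0 0x0bcd4000  8192/16384 lina_cs
"""

# Constructed ASA-style syslog lines; a silent window sits between lines 2 and 3.
SAMPLE_SYSLOG = """\
Mar 03 2026 10:00:05: %ASA-6-302013: Built inbound TCP connection 1 ...
Mar 03 2026 10:00:35: %ASA-6-302014: Teardown TCP connection 1 ...
Mar 03 2026 11:15:02: %ASA-6-302013: Built inbound TCP connection 2 ...
Mar 03 2026 11:15:40: %ASA-6-302014: Teardown TCP connection 2 ...
"""

# Leading "Mon DD YYYY HH:MM:SS:" timestamp as printed with `logging timestamp`.
TS_RE = re.compile(r"^([A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}):")


def find_process_iocs(show_processes_output):
    """Return process names (last field of each row) that match IOC_PROCESSES."""
    hits = []
    for row in show_processes_output.splitlines()[1:]:  # skip the header row
        fields = row.split()
        if fields and fields[-1] in IOC_PROCESSES:
            hits.append(fields[-1])
    return hits


def find_syslog_gaps(syslog_text, max_silence=timedelta(minutes=30)):
    """Return (start, end) pairs of consecutive timestamps more than max_silence apart.
    A busy firewall that goes quiet for a long stretch deserves a closer look,
    since LINE VIPER can suppress syslog output; the threshold is an assumption."""
    stamps = []
    for line in syslog_text.splitlines():
        m = TS_RE.match(line)
        if m:
            stamps.append(datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S"))
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > max_silence]


if __name__ == "__main__":
    print("process IoCs:", find_process_iocs(SAMPLE_PROCESSES))
    for start, end in find_syslog_gaps(SAMPLE_SYSLOG):
        print(f"syslog silent from {start} to {end}")
```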
Remediation (Confirmed or Suspected Compromise)
Step 1: Preserve forensics
- Do NOT immediately power off or reimage — preserve evidence first
- Capture running configuration, process list, and CSP_MOUNT_LIST state
- Contact Cisco TAC and, if FCEB, notify CISA
Step 2: Isolate the device
- Remove from active network path where operationally feasible
- Redirect traffic through clean devices if available
Step 3: Hard power cycle (physical unplug)
- This is the ONLY known method to remove FIRESTARTER's persistence
- Graceful reboot will re-execute the implant
Step 4: Reimage from known-good media
- Use Cisco-published fixed releases
- Verify firmware hash before flashing
Step 5: Restore and harden
- Restore from clean configuration backup
- Apply all security patches
- Enable Secure Boot attestation where supported
Hardening Recommendations
| Priority | Action |
|---|---|
| Critical | Enable Secure Boot and image integrity verification on all supported models |
| Critical | Restrict management plane to dedicated out-of-band management networks |
| High | Enable TACACS+/RADIUS with MFA for all administrative access |
| High | Monitor for unauthorized CSP_MOUNT_LIST or syslog configuration changes |
| Medium | Deploy network behavior analytics to detect anomalous traffic from firewall devices |
| Medium | Rotate all credentials accessible through firewall management interfaces |
Threat Actor Context: UAT-4356
UAT-4356 is the threat actor attributed by Cisco Talos to this campaign and to the earlier ArcaneDoor espionage campaign (2024). Key characteristics:
- Focus: State-sponsored espionage targeting network perimeter devices
- Targets: Government agencies, critical infrastructure, enterprise firewalls
- TTPs: Deep persistence in network appliances, anti-forensic evasion, long-term covert access
- Attribution: Not publicly confirmed to a specific nation-state, though analysis from Censys suggested potential links to China
The persistence of FIRESTARTER through firmware updates — combined with the LINE VIPER anti-forensic capability to suppress syslog messages — reflects a mature, well-resourced threat actor operating for long-term intelligence collection rather than destructive impact.
References
- The Hacker News — FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches
- CISA — FIRESTARTER Backdoor Analysis Report (AR26-113A)
- CISA — Emergency Directive 25-03: Identify and Mitigate Potential Compromise of Cisco Devices
- CISA — Warns of FIRESTARTER Malware Targeting Cisco ASA
- The Register — CISA, NCSC issue Firestarter backdoor warning
- SecurityWeek — US Federal Agency's Cisco Firewall Infected With Firestarter Backdoor
- Cisco Talos — UAT-4356 Targeting of Cisco Firepower Devices