Firestarter Malware Persists Despite Cisco Firewall Updates and Patches

U.S. and U.K. cybersecurity authorities have issued a warning regarding a persistent malware known as Firestarter. This malicious software affects Cisco Firepower and Secure Firewall devices utilizing Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. Cisco Talos has identified the malware’s threat actor as UAT-4356, which is associated with cyberespionage, including incidents involving ArcaneDoor.

Initial Access and Vulnerabilities

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.K. National Cyber Security Center (NCSC), initial access was likely gained through a missing authorization issue identified as CVE-2025-20333 or a buffer overflow vulnerability listed as CVE-2025-20362. In a notable incident, CISA reported that the malware was deployed after the threat actor first used Line Viper, a user-mode shellcode loader. Firestarter then provided persistent access to the compromised devices, even after security patches were applied.

CISA has not confirmed the exact timeline of initial exploitation. However, it assesses that the breach took place in early September 2025, prior to the implementation of patches as outlined in ED 25-03.

Malware Characteristics and Persistence

  • Firestarter can maintain a foothold across reboots, firmware updates, and security patches.
  • It relaunches automatically if terminated, ensuring ongoing access for the threat actor.
  • Persistence is achieved by hooking into LINA, the core process of Cisco ASA.
  • Firestarter modifies key system files to ensure its execution during startup.

The malware stores its executable in multiple locations, including /opt/cisco/platform/logs/var/log/svc_samcore.log, and ensures its launch via the modified CSP_MOUNT_LIST boot file. Cisco Talos confirmed that the persistence mechanism activates with process termination signals, allowing reinstallation of the malware.

Functionality and Attack Methods

Firestarter primarily functions as a backdoor, facilitating remote access for attackers. It can execute arbitrary shellcode by hooking into LINA through an XML handler modification. This allows the injection of malicious code into memory following a specially formatted WebVPN request that validates a hardcoded identifier.

While CISA has not disclosed specifics regarding the shellcode payloads involved in the attacks, Cisco has provided a security advisory containing mitigations to combat Firestarter. This includes recommendations for device reimaging and upgrades to secure releases, irrespective of whether devices are compromised.

Detection and Remediation

  • Administrators should run the command ‘show kernel process | include lina_cs’.
  • If any output is observed, the device is likely compromised.
  • Cisco suggests that if re-imaging isn’t possible, a cold restart may clear the malware.
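The check above is a single CLI command per device; on a fleet it is usually run once per appliance and the captured output reviewed afterwards. The following triage helper is an added example, not code from the article, CISA or Cisco: it emulates the ASA "| include" output filter over saved "show kernel process" captures, applies the article's rule (any matching line means the device is likely compromised) and produces a per-device verdict. The column layout of the sample captures and the device names are constructed assumptions for illustration; the parser only relies on whitespace separation and on the command name being the last field.

```python
"""Fleet triage for the 'show kernel process | include lina_cs' check.

Added example (not from the article, CISA or Cisco). Process-table layout
and device names below are constructed for illustration only.
"""
import re
from typing import Dict, List

# Constructed sample captures of 'show kernel process' from two devices.
# Column layout is an assumption; real output may use different headers.
SAMPLE_OUTPUT: Dict[str, str] = {
    "asa-edge-01": """\
  PID  PPID PRI  NI   VSIZE    RSS STAT COMMAND
    1     0  20   0    4096   1024 S    init
  512     1  20   0  819200 409600 S    lina
  530   512  20   0   20480   2048 S    lina_monitor
""",
    "asa-edge-02": """\
  PID  PPID PRI  NI   VSIZE    RSS STAT COMMAND
    1     0  20   0    4096   1024 S    init
  498     1  20   0  819200 409600 S    lina
  611   498  20   0   32768   4096 S    lina_cs
""",
}


def include_filter(text: str, pattern: str) -> List[str]:
    """Emulate the ASA '| include PATTERN' output filter: keep every line
    whose text contains a match for the regular expression PATTERN."""
    regex = re.compile(pattern)
    return [line for line in text.splitlines() if regex.search(line)]


def parse_process_rows(lines: List[str]) -> List[Dict[str, str]]:
    """Turn process-table rows into {pid, command} records.
    Header or blank lines (first field not numeric) are skipped."""
    rows: List[Dict[str, str]] = []
    for line in lines:
        fields = line.split()
        if not fields or not fields[0].isdigit():
            continue
        rows.append({"pid": fields[0], "command": fields[-1]})
    return rows


def triage(outputs: Dict[str, str], pattern: str = "lina_cs") -> Dict[str, dict]:
    """Apply the check to captured output from many devices.

    Following the article's rule, a device is marked suspect when the
    filtered output is non-empty; 'hits' lists the parsed matching rows
    so an analyst can see which PID and command name triggered it.
    """
    report: Dict[str, dict] = {}
    for device, text in outputs.items():
        matched = include_filter(text, pattern)
        report[device] = {
            "suspect": bool(matched),
            "hits": parse_process_rows(matched),
        }
    return report


if __name__ == "__main__":
    for device, result in triage(SAMPLE_OUTPUT).items():
        status = "SUSPECT" if result["suspect"] else "clean"
        print(f"{device}: {status} {result['hits']}")
```

A clean device yields an empty filtered list and is reported as clean; a device whose process table contains a lina_cs entry is flagged with the offending PID, which is the artifact to preserve (core dump, disk image) before any reimaging or cold restart, so that the YARA rules mentioned below can be run against it.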

However, a cold restart is not ideal due to the potential risks of database corruption and boot failures. CISA has also released two YARA rules to assist in detecting the Firestarter backdoor in disk images or core dumps from affected devices.

Cybersecurity protocols must be updated regularly to defend against threats like Firestarter, ensuring that organizations maintain robust security postures against advancing cyber threats.