CISA Reveals FIRESTARTER Backdoor on Federal Agency's Cisco Firewall

CISA Discovers 'FIRESTARTER' Backdoor on Federal Cisco Firewall; Malware Survives Patches

CRITICAL
April 25, 2026
April 28, 2026
m read
MalwareVulnerabilityCyberattack

Related Entities(initial)

Organizations

CiscoNational Cyber Security Centre (NCSC)U.S. Cybersecurity and Infrastructure Security Agency (CISA)

Products & Tech

Cisco Firepower

Other

FIRESTARTERLINE VIPER

CVE Identifiers

CVE-2025-20333
CRITICAL
CVSS:9.9
CVEDetails.com CVE.org
CVE-2025-20362
HIGH
CVSS:6.5
CVEDetails.com CVE.org

MITRE ATT&CK Techniques

T1003Credential Access

OS Credential Dumping

T1059.004Execution

Unix Shell

T1190Initial Access

Exploit Public-Facing Application

T1546Persistence

Event Triggered Execution

T1574Defense Evasion

Hijack Execution Flow

Full Report(when first published)

Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the U.K.'s NCSC, has issued a critical alert regarding a newly discovered backdoor named FIRESTARTER. This malware was found on a Cisco Firepower device within a U.S. federal civilian executive branch (FCEB) agency. The malware provides persistent, remote access to the compromised firewall. The initial intrusion, occurring in September 2025, was achieved by exploiting two since-patched vulnerabilities: CVE-2025-20333 (a critical 9.9 CVSS RCE flaw) and CVE-2025-20362. The key threat posed by FIRESTARTER is its ability to maintain persistence even after the device's firmware is updated, rendering standard patching insufficient for remediation. Attackers were confirmed to have used this backdoor to regain access as recently as March 2026.

Threat Overview

An unidentified Advanced Persistent Threat (APT) actor conducted a widespread campaign targeting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The initial access vector was the exploitation of CVE-2025-20333 and CVE-2025-20362. Once on the device, the APT deployed the FIRESTARTER backdoor.

FIRESTARTER's primary function is to provide a persistent foothold. It achieves this by installing a hook within LINA, the core processing engine of the Cisco device's operating system. This hook allows the malware to intercept system functions and execute arbitrary shell code supplied by the attacker via specially crafted network packets. Because this hook is installed in the underlying system and not as a simple file, it is not removed during a standard firmware update or patching process.

CISA's investigation revealed that the attackers used this persistent access to deploy a secondary payload, a post-exploitation toolkit named LINE VIPER. This toolkit enabled the threat actors to:

  • Execute arbitrary command-line interface (CLI) commands.
  • Conduct packet captures to monitor network traffic.
  • Bypass VPN authentication for attacker-controlled devices.
  • Harvest user credentials from the device.

Technical Analysis

The attack showcases a high level of sophistication, targeting the core of a network security appliance. The TTPs map to the MITRE ATT&CK framework as follows:

  1. Initial Access: The attackers exploited a known vulnerability in a public-facing application, corresponding to T1190 - Exploit Public-Facing Application.
  2. Execution: The LINE VIPER toolkit's ability to run CLI commands falls under T1059.004 - Unix Shell.
  3. Persistence: FIRESTARTER's LINA hooking mechanism is a form of T1546 - Event Triggered Execution. By hooking a core process, it ensures its code is executed whenever specific system events occur, guaranteeing its survival across reboots and updates.
  4. Defense Evasion: The entire mechanism is a powerful form of defense evasion (T1574 - Hijack Execution Flow). By embedding itself deep within a trusted system process, the malware avoids detection by conventional file-based scanners.
  5. Credential Access: The harvesting of user credentials via LINE VIPER aligns with T1003 - OS Credential Dumping.

The persistence mechanism is the most critical aspect of this threat. It means that simply patching the initial vulnerabilities is not enough to remediate a compromised device. Organizations must actively hunt for evidence of the backdoor itself.

Impact Assessment

The impact of this attack is severe. A persistent backdoor on a perimeter firewall grants an attacker a privileged position within the network. From here, they can monitor all traffic passing through the device, bypass security controls like VPNs, pivot to other internal systems, and maintain long-term, stealthy access to the victim's environment. For a federal agency, this could lead to the exfiltration of sensitive government data, espionage, and a complete loss of network integrity. The fact that the attackers were able to return months later demonstrates the effectiveness of their persistence and the significant challenge defenders face in fully eradicating such threats.

IOCs — Directly from Articles

No specific Indicators of Compromise (IOCs) such as IP addresses, domains, or file hashes were mentioned in the source articles. CISA's advisory likely contains specific hunting guidance for federal agencies.

Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems:

Type
command_line_pattern
Value
`show memory region
Description
i LINA`
Type
network_traffic_pattern
Value
Anomalous management traffic
Description
Monitor for unexpected inbound connections to the device's management interface or outbound connections from the firewall itself to unknown destinations.
Type
log_source
Value
Cisco ASA/FTD Syslog
Description
Scrutinize logs for unauthorized configuration changes, unexpected device reloads, or commands being executed outside of normal administrative sessions.
Type
file_path
Value
/ngfw/var/log/lina.log
Description
While the backdoor is fileless, its execution might generate anomalous entries in the LINA process log.

Detection & Response

Detection requires more than just vulnerability scanning. Organizations with affected Cisco devices should:

  • Follow CISA Guidance: CISA has issued specific directives and hunting guidance. Federal agencies and other organizations should follow these instructions precisely.
  • Memory Forensics: The most reliable way to detect this fileless malware is through memory analysis of the running device. This involves capturing a memory image and searching for known indicators of FIRESTARTER's hooks and code, a process that typically requires specialized expertise. This is a form of D3-DA: Dynamic Analysis.
  • Network Behavior Analysis: Monitor for network traffic anomalies associated with the LINE VIPER toolkit, such as unexpected packet captures or VPN bypass activity. This aligns with D3-NTA: Network Traffic Analysis.

If a device is confirmed to be compromised, the recommended response is to isolate it from the network and perform a complete re-imaging from a trusted source, followed by restoring a clean configuration. Simply patching is insufficient.

Mitigation

Mitigation requires a multi-step approach:

  1. Patch Urgently: Immediately apply the security updates from Cisco that address CVE-2025-20333 and CVE-2025-20362. This is the first step in preventing new infections (D3-SU: Software Update).
  2. Assume Breach and Hunt: For any device that was unpatched and exposed to the internet, organizations must assume it could be compromised. Proactively hunt for indicators of FIRESTARTER and LINE VIPER using the guidance from CISA.
  3. Restrict Management Access: Harden firewall configurations by restricting access to management interfaces. They should not be exposed to the internet and should only be accessible from a secure, internal management network.
  4. Integrity Monitoring: Implement integrity monitoring solutions that can detect unauthorized changes to the firmware and critical system files of network devices.

Timeline of Events

1
September 1, 2025
Initial intrusion and deployment of FIRESTARTER backdoor occurred.
2
March 1, 2026
Threat actors used the persistent backdoor to return to the compromised device.
3
April 24, 2026
CISA and NCSC published a joint advisory on the FIRESTARTER malware.
4
April 25, 2026
This article was published

Article Updates

April 28, 2026

Severity increased

New details emerge on Firestarter malware, revealing initial access via compromised credentials and LINE VIPER's role in bypassing MFA for unauthorized VPN access.

A joint report by CISA and NCSC provides further insights into the Firestarter malware. New information indicates initial access was achieved through compromised credentials and dormant user accounts, leading to unauthorized VPN sessions, rather than solely through CVE exploitation. The LINE VIPER post-exploitation tool is now specifically identified as facilitating these unauthorized VPN sessions by bypassing multi-factor authentication. This update clarifies the full attack chain and highlights additional methods used by APT actors to gain and maintain persistent access to Cisco firewalls, emphasizing the critical need for robust credential management and MFA enforcement.

Update Sources:
industrialcyber.comCISA, NCSC warn Firestarter malware enabling persistent backdoor access to exposed Cisco firewall infrastructure
industrialcyber.comCISA, NCSC warn Firestarter malware enabling persistent backdoor access to exposed Cisco firewall infrastructure

Timeline of Events

1
September 1, 2025

Initial intrusion and deployment of FIRESTARTER backdoor occurred.

2
March 1, 2026

Threat actors used the persistent backdoor to return to the compromised device.

3
April 24, 2026

CISA and NCSC published a joint advisory on the FIRESTARTER malware.

Sources & References(when first published)

FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches
thehackernews.comApril 24, 2026
US Federal Agency’s Cisco Firewall Infected With ‘Firestarter’ Backdoor
securityweek.comApril 24, 2026
CISA: US agency breached through Cisco vulnerability, FIRESTARTER backdoor allowed access through March
therecord.mediaApril 24, 2026
Continued Evolution of Persistence Mechanism Against Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense
sec.cloudapps.cisco.comApril 24, 2026

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)
LinkedIn

Tags

APTBackdoorCISACVE-2025-20333CiscoFIRESTARTERLINE VIPERVulnerability

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.