CRITICAL: FIRESTARTER Backdoor Survives Cisco Firewall Patches in ArcaneDoor Federal Breach

CISA and the UK NCSC went public with a joint advisory on FIRESTARTER, a stealth implant tied to the UAT-4356 ArcaneDoor crew that survived firmware updates and security patches on a Cisco Firepower device inside a federal civilian agency. The malware chains CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362 to gain root on Cisco ASA and FTD appliances, then hooks LINA and persists through reboots until a hard power cycle is performed.

By Danny Mercer, CISSP — Lead Security Analyst Apr 25, 2026

There is a particular kind of bad news in this industry, the kind where you find out that the patch you applied months ago did not actually save you. That is exactly where Cisco Firepower customers landed this week after CISA and the United Kingdom's National Cyber Security Centre went public with a joint advisory on a malware family called FIRESTARTER. Federal incident responders found the implant living rent-free on a Cisco Firepower device inside an unnamed federal civilian executive branch agency, and the part that should make every network engineer sit up straight is this. Firmware updates did not remove it. Security patches did not remove it. Reboots did not remove it. The only reliable way to evict FIRESTARTER from a compromised appliance is to physically pull the power cable out of the back of the box, which is not a sentence anyone wanted to read on a Friday afternoon.

The campaign tracks back to UAT-4356, the threat group Cisco Talos has been chasing since the original ArcaneDoor disclosures in 2024. ArcaneDoor was the operation that burned two Cisco zero-days against perimeter security appliances at government targets around the world, and the consensus among western intelligence agencies has long been that this is suspected state-sponsored work. The same crew is back, this time chaining CVE-2025-20333 and CVE-2025-20362, the pair of Cisco ASA and Firepower Threat Defense flaws that Cisco patched in late September 2025 under emergency directive ED 25-03. CVE-2025-20333 carries a CVSS score of 9.9 and lives in the VPN web server, where improper validation of HTTP requests lets an authenticated remote attacker execute arbitrary code as root. CVE-2025-20362 is the buffer overflow that gets paired with it to complete the compromise chain. Together they hand a remote operator full control of the firewall, which is roughly the worst place on a network for an adversary to sit.

What makes this incident newsworthy is not the initial access vector. CISA already added both CVEs to the Known Exploited Vulnerabilities catalog last fall, and federal agencies were ordered to patch under a tight deadline. The story is what happens after the patch. CISA's analysis of the federal agency intrusion shows that UAT-4356 dropped FIRESTARTER on the appliance in early September 2025, several weeks before the public CVE disclosure. The agency dutifully patched when the advisory came out. The implant stayed put. When CISA's hunt team pulled the device for forensic analysis in the months that followed, FIRESTARTER was still resident, still beaconing, still giving the operators a reverse shell into a network that everyone involved had assumed was clean.

The implant's persistence playbook is genuinely impressive in the way that any well-engineered piece of offensive tradecraft tends to be. FIRESTARTER targets LINA, the Cisco ASA core process responsible for network and security functions, and hooks itself into the engine by modifying an XML handler and injecting shellcode directly into LINA's memory space. To survive a reboot, the malware writes itself into the CSP_MOUNT_LIST boot manifest so the device reloads it during startup. It stashes a backup copy at /opt/cisco/platform/logs/var/log/svc_samcore.log, a path most defenders would never think to inspect because it sits inside what looks like a routine log directory. From there it restores its working binary to /usr/bin/lina_cs, which masquerades convincingly alongside the legitimate lina process anyone running show kernel process sees every day. The implant also installs signal handlers that detect termination attempts and immediately relaunch the process, which is why graceful reboots do not kill it. The system thinks it is shutting down cleanly, the implant catches the signal, and it comes back up with the next boot cycle still running.

This is also why Cisco's own remediation guidance has gotten more aggressive than usual. Reimaging the device using the fixed releases is the official advice, not because the patches do not address the vulnerabilities, but because patching alone does nothing for an appliance that was already compromised before the patch arrived. CISA's recommendation, somewhat extraordinarily, is that operators perform a hard power cycle on suspect devices, meaning they yank the power cord rather than issue a software shutdown. The catch is that an abrupt power loss on a production firewall carries real risk of database corruption and configuration loss, which is the sort of decision normally made by a change advisory board over the course of three meetings and not by a tier two analyst on a Saturday night. Defenders are stuck choosing between leaving a possible nation-state implant in their perimeter or risking a hard outage on the device that protects everything behind it.

Initial access, for what it is worth, runs through the LINE VIPER toolkit. CISA describes LINE VIPER as a user-mode shellcode loader that the operators deploy first, before FIRESTARTER ever touches disk. LINE VIPER does the dirty work of establishing VPN sessions, harvesting administrative credentials, and exfiltrating certificates and private keys. Only once the operators have what they need do they install FIRESTARTER as the long-haul implant. That sequencing matters for forensics. Defenders looking only for the LINE VIPER artifacts will miss the persistent payload, and defenders looking only for FIRESTARTER will miss the credential theft that probably already enabled lateral movement deeper into the environment.

Detection is possible but it requires actually looking, which is the part that gets harder than it sounds on managed firewall fleets. The cleanest indicator is the presence of the lina_cs process, which can be enumerated with show kernel process | include lina_cs from the device CLI. Files at /usr/bin/lina_cs and /opt/cisco/platform/logs/var/log/svc_samcore.log are also reliable artifacts. CISA published YARA rules along with the advisory, and Cisco Talos has its own detection content in the appliance's intrusion prevention engines. Anyone running ASA 9.12 through 9.22 or FTD 7.0 through 7.6 should treat the hunt as mandatory rather than optional, particularly if the device was internet-exposed at any point between September and the patch deadline. The vulnerable version range covers essentially every supported ASA train, so coverage is wide.

Who is actually affected is the question every CISO will get asked Monday morning. The honest answer is that anyone running a Cisco ASA, Firepower, or Secure Firewall appliance with the VPN web service exposed to the internet during the exploitation window is in scope for hunting. CISA has only confirmed the FIRESTARTER implant on one federal device so far, but the agency has been careful to say that observation does not equal absence. UAT-4356's prior ArcaneDoor activity hit government targets across multiple countries, and the campaign that produced FIRESTARTER almost certainly extends well beyond the single confirmed agency. Allied agencies including the United Kingdom's NCSC are involved precisely because the targeting pattern fits a wider intelligence collection operation, not a single isolated breach. If your firewall is on the internet, was unpatched between September and your patch window, and you have not done a forensic sweep of the device since then, you should assume nothing about its integrity until you have actually checked.

The patch picture, since this is the question every operations team needs to answer, is that fixed releases for both CVEs have been available since late September 2025. Cisco lists ASA 9.12.4.72, 9.14.4.28, 9.16.4.85, 9.17.1.45, 9.18.4.47, 9.19.1.37, 9.20.3.7, and 9.22.1.3 as the patched trains, with corresponding FTD releases through 7.6 covering the parallel software. Patching is necessary but not sufficient. Anyone who delayed past the ED 25-03 deadline or who suspects exposure during the exploitation window needs to combine the patch with a forensic review of the device using CISA's published indicators, and ideally a full reimage from a known-good image rather than an in-place upgrade.
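As an added example that is not from the advisory, CISA, or Cisco, the following Python snippet triages a firewall inventory against the fixed ASA releases listed above. It applies the article's point that a patched device still needs a hunt if it was exposed: the inventory rows are constructed, and the exposure flag is an assumption the operator has to supply from their own records.

```python
import re

# Fixed ASA releases per train, taken from the list of patched trains above.
FIXED_ASA = {
    (9, 12): (9, 12, 4, 72),
    (9, 14): (9, 14, 4, 28),
    (9, 16): (9, 16, 4, 85),
    (9, 17): (9, 17, 1, 45),
    (9, 18): (9, 18, 4, 47),
    (9, 19): (9, 19, 1, 37),
    (9, 20): (9, 20, 3, 7),
    (9, 22): (9, 22, 1, 3),
}

def parse_version(text):
    """Turn '9.16.4.85' or the CLI form '9.16(4)85' into a comparable int tuple.
    A shorter string such as '9.16.4' compares below the fixed release, which is
    the conservative outcome for an incomplete inventory entry."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    if len(parts) < 2:
        raise ValueError(f"unparseable ASA version: {text!r}")
    return parts

def triage(version, vpn_internet_exposed):
    """Classify one device: does it still need the patch, and does it need a hunt?"""
    parsed = parse_version(version)
    fixed = FIXED_ASA.get(parsed[:2])
    if fixed is None:
        patch = "unknown_train"      # not in the published list: review by hand
    elif parsed < fixed:
        patch = "patch_required"
    else:
        patch = "patched"
    # Patching is necessary but not sufficient: any device whose VPN web service
    # was internet-facing in the window gets a forensic hunt regardless of version.
    return {"version": version, "patch": patch, "hunt_required": vpn_internet_exposed}

def triage_fleet(inventory):
    """inventory: iterable of (hostname, version_string, vpn_internet_exposed)."""
    return [dict(host=host, **triage(ver, exposed)) for host, ver, exposed in inventory]

# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    ("fw-edge-1", "9.16.4.80", True),    # below fix and exposed: patch and hunt
    ("fw-edge-2", "9.18(4)50", True),    # patched but exposed: hunt still required
    ("fw-lab-1", "9.22.1.3", False),     # patched, never exposed
    ("fw-old-1", "9.15.1.10", True),     # train not in the fixed list
]

if __name__ == "__main__":
    for row in triage_fleet(SAMPLE_INVENTORY):
        print(row)
```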

For the managed service providers and security shops looking at this advisory, there is real opportunity in the chaos. Most midmarket clients with Cisco perimeter gear do not have the in-house forensic capability to confirm whether a firewall is clean, and the federal agency story makes a tangible business case for offering a structured Cisco ASA and Firepower threat hunt as a packaged engagement, complete with YARA scanning, configuration review, and a hard reimage where indicators are present. That same story sells well into a broader conversation about perimeter visibility, EDR coverage on management networks, and credential rotation hygiene after suspected appliance compromise. Clients who shrugged off ArcaneDoor in 2024 have a much harder time shrugging off a sequel that survives the patch.
