
CRITICAL: FIRESTARTER Backdoor Squats on Federal Cisco Firewall, Survives Every Patch

A US federal civilian executive branch agency had its Cisco Firepower firewall compromised by China-linked UAT4356 in September 2025, with the attackers maintaining access through March 2026 via FIRESTARTER, a backdoor that survives firmware updates and reboots. CISA Analysis Report AR26-113A confirms exploitation of CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362 in Cisco ASA and FTD software.

By Danny Mercer, CISSP — Lead Security Analyst Apr 26, 2026

When CISA quietly dropped Analysis Report AR26-113A this week, it confirmed something that should keep every network defender up at night. A US federal civilian executive branch agency had its perimeter Cisco firewall compromised back in September 2025, and the attackers held on through March 2026 by riding a backdoor that ignores firmware updates, ignores patching, and ignores reboots. The only thing that finally evicts FIRESTARTER from a Cisco Adaptive Security Appliance is yanking the power cord.

If that sounds familiar, it should. This is the same UAT4356 crew, also tracked as Storm-1849, that ran the ArcaneDoor campaign in 2024 against Cisco edge gear. Censys and Cisco Talos have publicly linked the activity to China, and the latest reporting confirms the cluster never went away. They simply refined their playbook, layered in a new persistence mechanism, and went back to the well.

The two CVEs at the heart of the intrusion should be familiar to anyone who has been paying attention. CVE-2025-20333 is the headline event, a CVSS 9.9 critical flaw in the VPN web server of Cisco Secure Firewall ASA and Firepower Threat Defense software. It allows an authenticated attacker holding valid VPN credentials to push a crafted HTTP request and gain arbitrary code execution as root. Pair that with CVE-2025-20362, a CVSS 6.5 unauthenticated input validation bug that exposes restricted URL endpoints, and you have the perfect chain. The unauthenticated bug carves out the foothold, the authenticated bug delivers root, and from there the attacker owns the device that was supposed to be protecting the network.

Affected versions cover a sprawling slice of Cisco's installed base. ASA software releases 9.12 through 9.22 fall in scope, and FTD software 7.0 through 7.6.0 carries the same defect. CISA added both CVEs to the Known Exploited Vulnerabilities catalog in late September 2025, and Emergency Directive 25-03 forced federal agencies to patch by September 26. The compromised agency, unfortunately for them, was already compromised before the directive landed. Patching slammed the front door shut while the attacker was already living in the basement.

What makes FIRESTARTER different from the usual edge-device implant is how aggressively it digs in. The backdoor is a Linux ELF binary that hooks directly into LINA, the core network processing engine that handles traffic on Cisco ASA and FTD platforms. Persistence works by manipulating the startup mount list so the malicious code reloads itself every time the device boots, no matter what version of firmware is actually running. The implant also detects termination signals and immediately relaunches, which means a kill from inside the operating system buys you nothing. Cisco's own guidance is brutally honest about this. The standard shutdown, reboot, and reload commands will not clear the implant. Only a cold restart, meaning a physical disconnect of the power supply, gets rid of it. For a federal data center with hundreds of remote firewalls, that is not a script you run on a Tuesday afternoon.

The command and control channel hides in plain sight. Once installed, FIRESTARTER watches for specially crafted WebVPN authentication requests carrying magic packet payloads, and it executes whatever shell code the attacker tucks inside. To the rest of the network, this looks like normal VPN traffic going to a normal VPN concentrator. There is no beacon to a strange domain, no callbacks to a sketchy IP address, and no second-stage download from an obvious staging server. The attacker reaches out, the firewall responds, and the operator on the other end is talking to a root shell on your perimeter device. Researchers have also flagged code overlap with the RayInitiator bootkit, suggesting that the same authors are sharing toolchain components across multiple long-term operations.

Once they were inside, UAT4356 deployed LINE VIPER, the post-exploitation framework that turns a compromised firewall into a full-spectrum espionage platform. Confirmed capabilities include arbitrary CLI command execution, on-device packet captures, bypass of the firewall's own authentication, authorization, and accounting controls, suppression of syslog events to keep the SIEM quiet, harvesting of CLI commands typed by legitimate administrators, and the ability to schedule delayed reboots that look like routine maintenance. Read that list again. The attacker can sniff every packet leaving your network, capture every credential typed by your network engineers, silently approve their own VPN sessions, and erase the evidence on the way out. That is not a foothold. That is ownership of the perimeter.

The federal victim, identified only as a civilian executive branch agency, was breached in early September 2025 and remained accessible through at least March 2026. That is six months of unfettered access on a device that sits between the agency's internal network and the public internet. CISA's analysis confirms that LINE VIPER was deployed before September 25, 2025, which means the attackers had operational tooling staged before the Emergency Directive even hit inboxes. The intrusion was only discovered when defenders investigated suspicious connections on the firewall and ran the diagnostic command Cisco eventually published to detect the implant.

That detection command is the one piece of good news in this story, and every organization running ASA or FTD should run it today. The command "show kernel process | include lina_cs" should return nothing on a clean device. If it returns any output, the device is compromised, and Cisco's official position is that a full reimage and firmware upgrade is required to trust the box again. A cold power cycle will clear the implant, but it will not clear whatever else the attacker may have staged during their dwell time. Reimaging is the only safe answer for confirmed compromise. Defenders should also pull historical packet captures for unusual WebVPN authentication traffic, audit VPN authentication logs for sessions that bypassed multi-factor authentication, and look for syslog gaps that could indicate suppression. If you cannot account for a quiet stretch in your firewall logs, assume someone wanted it that way.
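As an added example (not code from CISA's report or from Cisco), here is a small Python triage helper that applies the two checks just described to captured data: any line returned by `show kernel process | include lina_cs` other than the echoed command and the prompt is treated as an indicator, and silent stretches in a device's syslog timeline are flagged for explanation. The hostnames, the process line and the timestamps are constructed sample data, not real captures.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

def lina_cs_indicator(cmd_output: str) -> bool:
    """True if the diagnostic command returned any process line.

    Cisco says a clean device returns nothing, so the echoed command and the
    bare prompt after it are ignored; any other line is an indicator."""
    for line in cmd_output.splitlines():
        line = line.strip()
        if not line or "show kernel process" in line or line[-1] in "#>":
            continue
        return True
    return False

def syslog_gaps(timestamps: List[datetime], max_gap: timedelta) -> List[Tuple[datetime, datetime]]:
    """Return (start, end) pairs where consecutive syslog entries are farther apart
    than max_gap. A perimeter firewall logs continuously; a silent stretch is
    consistent with LINE VIPER's syslog suppression and needs an explanation."""
    ts = sorted(timestamps)
    return [(a, b) for a, b in zip(ts, ts[1:]) if b - a > max_gap]

def triage_device(name: str, cmd_output: str, timestamps: List[datetime],
                  max_gap: timedelta = timedelta(hours=1)) -> Dict:
    """Combine both checks into one finding record for the SOC queue."""
    findings = []
    if lina_cs_indicator(cmd_output):
        findings.append("lina_cs present: treat as compromised, cold power cycle then reimage")
    for a, b in syslog_gaps(timestamps, max_gap):
        findings.append(f"syslog silent from {a:%Y-%m-%d %H:%M} to {b:%Y-%m-%d %H:%M}")
    return {"device": name, "findings": findings,
            "verdict": "suspect" if findings else "no indicator"}

# Constructed sample captures (hostnames and the process line are made up; the
# exact output format of a compromised device is not shown in the report).
CLEAN_OUTPUT = "fw-edge-01# show kernel process | include lina_cs\nfw-edge-01#\n"
DIRTY_OUTPUT = ("fw-edge-02# show kernel process | include lina_cs\n"
                "  4213  root  lina_cs\n"
                "fw-edge-02#\n")
# Constructed syslog timestamps: entries every 10 minutes, then a 4-hour hole.
BASE = datetime(2025, 9, 20)
SYSLOG_TS = [BASE + timedelta(minutes=10 * i) for i in range(12)]
SYSLOG_TS += [BASE + timedelta(hours=6, minutes=10 * i) for i in range(6)]

if __name__ == "__main__":
    for dev, out in (("fw-edge-01", CLEAN_OUTPUT), ("fw-edge-02", DIRTY_OUTPUT)):
        print(triage_device(dev, out, SYSLOG_TS))
```

In practice you would feed it the text captured over SSH from each device in your inventory; the gap threshold should be tuned to how chatty each firewall normally is.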

For organizations that have not yet applied the September 2025 patches for CVE-2025-20333 and CVE-2025-20362, this is a do-it-now situation. The patches alone do not undo an existing compromise, so patching should be paired with the diagnostic command above and a hard look at any device that has been internet-facing without protection for any length of time. Multi-factor authentication on VPN logins, restricted management-plane access, and detailed logging of WebVPN authentication attempts are basic hygiene that becomes critical when the underlying device can be silently subverted. CISA and the UK's NCSC have both issued companion warnings, and the joint guidance is unusual in its bluntness. Treat any unpatched ASA or FTD device that was reachable from the internet during late summer 2025 as suspect until proven otherwise.

There is a broader lesson in FIRESTARTER that goes beyond Cisco. Edge devices have become the favored foothold for nation state actors precisely because they are trusted, rarely inspected, and almost never instrumented for endpoint detection. The same firewall that enforces your network policy is the one device you cannot run an EDR agent on, cannot easily snapshot for forensic analysis, and often cannot rebuild without a maintenance window that crosses three time zones. UAT4356 understands this better than most defenders do, and they are betting that the operational pain of a true rebuild will keep agencies and enterprises hesitant to take action even after detection. The bet has been paying off.

For MSPs, this is the kind of incident that justifies the perimeter device assessment service you have probably been quietly putting off productizing. Every client running aging ASA or FTD hardware needs to know whether they are patched, whether they show indicators of compromise, and whether they have any logging capable of detecting the kind of in-band C2 that FIRESTARTER uses. A focused engagement that includes the diagnostic command, a log review, and a recommendation report is a tidy fixed-fee project that lands as both a security service and a pipeline for hardware refresh conversations. Clients whose firewalls turn up clean still benefit from a defensible record, and the ones who are dirty have a six-figure remediation problem that they would rather hand to you than figure out themselves.
