Firestarter Malware Survives Cisco Firewall Patches and Reboots
CISA and NCSC warn of Firestarter backdoor persisting on Cisco ASA and Firepower devices. The malware survives firmware updates and requires physical power disconnection to remove.
Cybersecurity agencies in the U.S. and U.K. issued a joint warning this week about custom malware called Firestarter that maintains persistence on Cisco firewall appliances even after firmware updates and security patches are applied. The only reliable removal method requires physically disconnecting the device from power.
What's Happening
The CISA advisory and corresponding NCSC bulletin detail how Firestarter targets Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. Investigators discovered the malware on a federal agency's network in a campaign dating back to at least September 2025.
The backdoor is attributed to UAT-4356, a threat actor Cisco Talos has linked to the ArcaneDoor cyberespionage campaign. This represents an escalation in targeting network security infrastructure—the very devices organizations trust to protect their perimeters.
How the Attack Works
The compromise chain begins with exploitation of two vulnerabilities:
- CVE-2025-20333: A missing authorization flaw allowing initial access
- CVE-2025-20362: A buffer overflow enabling code execution
Attackers deploy two malware stages. First, a user-mode shellcode loader called Line Viper establishes VPN sessions and extracts configuration details, administrative credentials, certificates, and private keys. Then Firestarter takes over for long-term access.
Persistence Mechanism
Firestarter achieves its remarkable persistence through multiple techniques:
- LINA hooking: The malware hooks into LINA, Cisco's core ASA process, using signal handlers that trigger reinstallation routines
- Boot file modification: It modifies CSP_MOUNT_LIST to execute at startup
- Backup copies: Stores itself in /opt/cisco/platform/logs/var/log/svc_samcore.log
- Auto-restoration: Relaunches automatically if terminated, restoring itself to /usr/bin/lina_cs
The backdoor enables remote code execution by injecting shellcode into memory, triggered through specially crafted WebVPN requests validated against hardcoded identifiers.
Why This Matters
Network security appliances have become high-value targets for sophisticated threat actors. We've seen similar persistence techniques in campaigns like ArcaneDoor and state-sponsored attacks on Fortinet devices. When attackers compromise the firewall itself, they gain visibility into all traffic flowing through the network while evading endpoint detection tools entirely.
The fact that Firestarter survives firmware updates is particularly concerning. Organizations that diligently apply CISA KEV patches may still harbor the infection without knowing it.
Detection and Removal
CISA provided YARA detection rules applicable to disk images or core dumps. Administrators can check for infection by running:
show kernel process | include lina_cs
If the malware is detected, CISA recommends full device reimaging and upgrading to patched firmware. A cold restart (physically disconnecting power) removes the malware from memory but risks data corruption and is not the preferred remediation path.
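As an added example (not from the CISA/NCSC advisories or from Cisco), the following Python helper applies the same check to saved `show kernel process` output collected from several appliances, flagging any line that names the `lina_cs` process or the `/usr/bin/lina_cs` path from the advisory while ignoring the legitimate `lina` process. The device names and sample output are constructed, and the column layout shown for the real command is an assumption; the matching keys only on the indicator strings, so it does not depend on that layout.

```python
"""Flag the lina_cs indicator in saved `show kernel process` output.

The indicator strings (process name and restored binary path) are the
ones named in the advisory quoted above. The sample device output is
constructed for illustration; the real command's column layout is
assumed, and the matching does not rely on column positions.
"""
import re

# Indicators from the advisory: the path Firestarter restores itself to,
# and the process name the recommended `| include lina_cs` check looks for.
LINA_CS_PATH = "/usr/bin/lina_cs"
# Match `lina_cs` as a whole token (start of line, whitespace or '/' before
# it; whitespace or end of line after it) so the legitimate `lina` process
# and unrelated names containing "lina" are not reported.
PROCESS_PATTERN = re.compile(r"(^|[\s/])lina_cs(\s|$)")


def find_lina_cs(kernel_process_output: str) -> list[str]:
    """Return every line of `show kernel process` output that names lina_cs."""
    hits = []
    for line in kernel_process_output.splitlines():
        if LINA_CS_PATH in line or PROCESS_PATTERN.search(line):
            hits.append(line.strip())
    return hits


def triage(outputs: dict[str, str]) -> dict[str, list[str]]:
    """Map device name -> matching lines, keeping only devices with hits."""
    return {name: hits for name, out in outputs.items() if (hits := find_lina_cs(out))}


# Constructed sample output (hypothetical layout): one clean appliance and
# one showing a process running from the restored binary path.
CLEAN_DEVICE = """\
  PID  PPID  STIME  VSZ     RSS     USER  COMMAND
    1     0  Jan01  12344   1234    root  /sbin/init
 1234     1  Jan01  987654  456789  root  lina
 1300     1  Jan01  23456   3456    root  /usr/bin/sshd
"""

SUSPECT_DEVICE = """\
  PID  PPID  STIME  VSZ     RSS     USER  COMMAND
    1     0  Jan01  12344   1234    root  /sbin/init
 1234     1  Jan01  987654  456789  root  lina
 4567  1234  Feb14  4567    1234    root  /usr/bin/lina_cs
"""

if __name__ == "__main__":
    # Device names are constructed placeholders.
    findings = triage({"fw-edge-01": CLEAN_DEVICE, "fw-edge-02": SUSPECT_DEVICE})
    for device, lines in findings.items():
        print(f"[!] {device}: {len(lines)} lina_cs line(s)")
        for entry in lines:
            print("    ", entry)
```

Collect the command output from each appliance with whatever method your change-management tooling already uses, feed the per-device text into `triage`, and treat any device in the result as a candidate for the reimaging path the advisory describes rather than as something to clean up in place.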
Recommended Actions
- Audit firewall logs for unusual WebVPN activity or unexpected process spawning
- Apply latest firmware to Cisco ASA and FTD devices, though this alone won't remove existing infections
- Run detection commands on all Cisco firewall appliances
- Consider reimaging any devices showing indicators of compromise
- Monitor for IOCs provided in the CISA analysis report
Organizations relying on Cisco firewalls for perimeter security should treat this as a high-priority investigation. The persistence mechanism makes traditional patching insufficient, and the sophistication suggests well-resourced threat actors willing to invest in maintaining long-term access to valuable networks.