The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has reported a compromise of a federal agency's Cisco Firepower device running Adaptive Security Appliance (ASA) software. The intrusion, which occurred in September 2025, involved malware known as FIRESTARTER, a backdoor that gives the threat actor persistent remote access to, and control of, the device.
CISA, working with the UK's National Cyber Security Centre (NCSC), assesses that FIRESTARTER is being used in a broad campaign by an advanced persistent threat (APT) group. The campaign exploits two vulnerabilities in Cisco ASA software, CVE-2025-20333 and CVE-2025-20362, to gain initial access. Both have since been patched by Cisco, but a device that was compromised before it was patched stays compromised.
Persistent Threat of FIRESTARTER
FIRESTARTER's main risk is persistence: it stays on a compromised Cisco device even after the exploited vulnerabilities are patched. The actors pair it with a post-exploitation toolkit called LINE VIPER, which lets them run CLI commands on the device, capture network packets, and bypass VPN authentication (AAA).
The toolkit also suppresses the syslog messages that would reveal this activity and executes arbitrary commands, which together keep the attackers' access quiet and durable. Because FIRESTARTER hooks into the device's boot sequence, it survives software upgrades and ordinary reboots; a warm reboot with the reload command does not clear it, and only a hard power cycle, followed by the remediation described below, is reported to interrupt it.
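The log-suppression behaviour above is something a SOC can look for from the outside: if a firewall keeps sending syslog but a set of message IDs it previously produced goes silent, something may be filtering its logs. The script below is an added example written for this article, not code from CISA, NCSC or Cisco. The watched message IDs are an assumption drawn from public reporting on LINE VIPER's syslog suppression and should be replaced with your own baseline; the log lines are constructed sample data in standard ASA syslog format, and fw-edge-01 and fw-core-02 are invented hostnames.

```python
"""Flag Cisco ASA devices whose watched syslog message IDs go silent.

Added example for this article, not code from CISA, NCSC or Cisco.
The idea: bucket each device's syslog into fixed windows, record which
watched message IDs appeared, and alert when a window still has traffic
but IDs seen in the previous window have vanished.  A device that stops
logging entirely is a different signal (dead or disconnected) and should
be caught by a separate heartbeat check.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumption: IDs taken from public reporting on LINE VIPER's suppression.
# Tune to the message IDs your own devices emit steadily.
WATCHED_IDS = {"302013", "302014", "609002", "710005"}

# ASA syslog with "logging timestamp" enabled, e.g.
# "Sep 20 2025 10:00:01 fw-edge-01 : %ASA-6-302013: Built inbound ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) : "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)

# Constructed sample data (not a real capture).  fw-edge-01 keeps logging
# in the 10:10 window but its connection/teardown messages disappear;
# fw-core-02 behaves normally throughout.
SAMPLE_LOGS = """\
Sep 20 2025 10:00:01 fw-edge-01 : %ASA-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.5/40001 (203.0.113.5/40001) to inside:10.0.0.10/443 (10.0.0.10/443)
Sep 20 2025 10:00:02 fw-edge-01 : %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/40001 to inside:10.0.0.10/443 duration 0:00:01 bytes 812 TCP FINs
Sep 20 2025 10:03:15 fw-edge-01 : %ASA-6-302013: Built inbound TCP connection 1002 for outside:198.51.100.7/51000 (198.51.100.7/51000) to inside:10.0.0.10/443 (10.0.0.10/443)
Sep 20 2025 10:04:40 fw-edge-01 : %ASA-6-609002: Teardown local-host outside:198.51.100.7 duration 0:01:25
Sep 20 2025 10:05:10 fw-edge-01 : %ASA-4-106023: Deny tcp src outside:192.0.2.9/4444 dst inside:10.0.0.20/22 by access-group "outside_in"
Sep 20 2025 10:11:02 fw-edge-01 : %ASA-4-106023: Deny tcp src outside:192.0.2.9/4445 dst inside:10.0.0.20/22 by access-group "outside_in"
Sep 20 2025 10:12:30 fw-edge-01 : %ASA-4-106023: Deny udp src outside:192.0.2.9/5353 dst inside:10.0.0.20/53 by access-group "outside_in"
Sep 20 2025 10:14:05 fw-edge-01 : %ASA-4-106023: Deny tcp src outside:192.0.2.9/4446 dst inside:10.0.0.20/22 by access-group "outside_in"
Sep 20 2025 10:16:45 fw-edge-01 : %ASA-5-111008: User 'admin' executed the 'show version' command.
Sep 20 2025 10:01:00 fw-core-02 : %ASA-6-302013: Built inbound TCP connection 55 for outside:203.0.113.8/33000 (203.0.113.8/33000) to inside:10.1.0.5/443 (10.1.0.5/443)
Sep 20 2025 10:02:00 fw-core-02 : %ASA-6-302014: Teardown TCP connection 55 for outside:203.0.113.8/33000 to inside:10.1.0.5/443 duration 0:01:00 bytes 4096 TCP FINs
Sep 20 2025 10:03:00 fw-core-02 : %ASA-4-106023: Deny tcp src outside:192.0.2.9/4444 dst inside:10.1.0.9/22 by access-group "outside_in"
Sep 20 2025 10:11:00 fw-core-02 : %ASA-6-302013: Built inbound TCP connection 56 for outside:203.0.113.8/33001 (203.0.113.8/33001) to inside:10.1.0.5/443 (10.1.0.5/443)
Sep 20 2025 10:12:00 fw-core-02 : %ASA-6-302014: Teardown TCP connection 56 for outside:203.0.113.8/33001 to inside:10.1.0.5/443 duration 0:01:00 bytes 2048 TCP FINs
Sep 20 2025 10:13:00 fw-core-02 : %ASA-4-106023: Deny tcp src outside:192.0.2.9/4445 dst inside:10.1.0.9/22 by access-group "outside_in"
"""


def parse_line(line):
    """Return (timestamp, host, msgid) for an ASA syslog line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
    return ts, m.group("host"), m.group("msgid")


def window_start(ts, window_minutes):
    """Floor a timestamp to the start of its fixed-size window."""
    floor = ts.replace(second=0, microsecond=0)
    return floor.replace(minute=(floor.minute // window_minutes) * window_minutes)


def detect_suppression(lines, window_minutes=10, min_events=3):
    """Alert when a device keeps logging but previously seen watched IDs vanish.

    min_events keeps near-empty windows from setting or clearing the baseline.
    """
    counts = defaultdict(lambda: defaultdict(int))  # (host, window) -> id -> n
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue  # skip non-ASA or malformed lines rather than crash
        ts, host, msgid = parsed
        counts[(host, window_start(ts, window_minutes))][msgid] += 1

    alerts = []
    for host in sorted({h for h, _ in counts}):
        prev_watched = set()
        for win in sorted(w for h, w in counts if h == host):
            ids = counts[(host, win)]
            if sum(ids.values()) < min_events:
                continue  # too quiet to judge; leave the baseline untouched
            seen_watched = WATCHED_IDS & set(ids)
            missing = prev_watched - seen_watched
            if missing:
                alerts.append({"host": host, "window_start": win.isoformat(),
                               "missing_ids": sorted(missing)})
            prev_watched = seen_watched
    return alerts


if __name__ == "__main__":
    for alert in detect_suppression(SAMPLE_LOGS.splitlines()):
        print(f"{alert['host']} {alert['window_start']}: "
              f"watched IDs went silent: {', '.join(alert['missing_ids'])}")
```

On the sample data this reports fw-edge-01 in the 10:10 window, where 302013, 302014 and 609002 stop while deny and CLI messages continue, and stays quiet for fw-core-02. In production, feed it the raw syslog receiver output, widen the window to match your traffic volume, and pair it with a plain "no logs at all" heartbeat check, since the script deliberately ignores windows with too few events.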
Technical Analysis and Impact
FIRESTARTER's resilience comes from its manipulation of the device's startup sequence, which reactivates the backdoor on every system reboot. It resembles a previously identified bootkit, RayInitiator. CISA warns that patching the vulnerabilities does not remove the backdoor: a device that has been compromised remains compromised until it is completely reimaged.
Cisco tracks the threat actor behind this exploitation as UAT4356, which Microsoft tracks as Storm-1849. The company stresses that compromised devices must be fully reimaged and upgraded to a fixed release to eliminate the persistence mechanism.
Response and Mitigation Strategies
To clear the implant, Cisco recommends a cold restart of affected devices, since a warm reboot with the reload command is not enough: the power cord must be pulled and reinserted. The broader security community is advised to remain vigilant, as the actor behind these attacks, reportedly linked to China, continues to pose significant challenges.
State-sponsored groups such as Volt Typhoon have used covert networks of compromised routers and IoT devices to conduct espionage and frustrate attribution. Such botnets make operations cheap and low-risk for the attacker, which is why robust network security measures, including monitoring of edge devices, matter so much.
The continued evolution of these tactics highlights the importance of comprehensive cybersecurity strategies to defend against sophisticated threats targeting critical infrastructure worldwide.
