The US Cybersecurity and Infrastructure Security Agency (CISA) has revealed that an unnamed federal civilian agency's Cisco Firepower device running Adaptive Security Appliance (ASA) software was compromised in September 2025 with a malware called FireStarter.
According to CISA and the UK National Cyber Security Center (NCSC), FireStarter is considered a backdoor designed for remote access and control. It is believed to have been deployed by an advanced persistent threat (APT) actor as part of a “broader” campaign to gain access to Cisco Adaptive Security Appliance (ASA) firmware by exploiting now-patched security flaws such as –
- CVE-2025-20333 (CVSS Score: 9.9) – An improper validation of user-supplied input vulnerability that could allow an authenticated, remote attacker with valid VPN user credentials to execute arbitrary code as root on an affected device by sending a crafted HTTP request.
- CVE-2025-20362 (CVSS Score: 6.5) – An improper validation of user-supplied input vulnerability that could allow an unauthenticated, remote attacker to access a restricted URL endpoint without authentication by sending a crafted HTTP request.
“FireStarter can persist as an active threat on Cisco devices running ASA or Firepower Threat Defense (FTD) software, maintaining post-patching persistence and enabling threat actors to regain access to compromised devices without re-exploiting the vulnerabilities,” the agencies said.
In the incident investigated, threat actors were found to deploy a post-exploit toolkit called LINE VIPER that can execute CLI commands, capture packets, bypass VPN authentication, authorization, and accounting (AAA) for actor devices, suppress syslog messages, suppress user CLI commands, and force a delayed reboot.
The enhanced access provided by LINE VIPER served as a means to deploy FIRESTARTER on the Firepower device before September 25, 2025, allowing the threat actors to maintain continued access and return to the compromised device as recently as last month.
FIRESTARTER, a Linux ELF binary, installs persistence on the device and survives firmware updates and device reboots unless a hard power cycle occurs. The malware inserts itself into the device's boot sequence by manipulating the startup mount list, ensuring that it automatically reactivates whenever the device reboots normally. It also shares some degree of overlap with a previously documented bootkit called RayInitiator.
According to the advisory, "FireStarter attempts to establish a hook – a way to intercept and modify normal operations – within LINA, the device's main engine for network processing and security functions. This hook enables the execution of arbitrary shellcode provided by APT actors, including deployment of LINE VIPER."
“Although Cisco’s patches address CVE-2025-20333 and CVE-2025-20362, devices compromised before patching may remain vulnerable because FIRESTARTER is not removed by firmware updates.”
Cisco, which is tracking exploit activity associated with the two vulnerabilities under the alias UAT4356 (aka Storm-1849), described FireStarter as a backdoor that facilitates the execution of arbitrary shellcode received by the LINA process when it parses specially crafted WebVPN authentication requests containing "magic packets."
The exact origin of the threat activity is not known, although an analysis by attack surface management platform Censys in May 2024 suggested a connection to China. UAT4356 was first attributed to a campaign called ArcaneDoor, which exploited two zero-day flaws in Cisco networking gear to deliver malware capable of capturing network traffic and performing reconnaissance.
“To completely remove the persistence mechanism, Cisco strongly recommends reimaging and upgrading the device,” Cisco said. “In cases of confirmed compromise on any Cisco Secure ASA or FTD platform, all configuration elements of the device should be considered untrusted.”
As a mitigation until reimaging can be performed, the company recommends that customers perform a cold restart to remove the FireStarter implant. It says, "The shutdown, reboot, and reload CLI commands will not clear the malicious persistent implant; the power cord should be pulled out and plugged back into the device."
Chinese hackers shift from self-acquired infrastructure to covert networks
The disclosure comes as the US, UK and various international partners issued a joint advisory regarding a massive network of compromised SOHO routers and IoT devices that China-nexus threat actors use to conceal their espionage attacks and complicate attribution efforts.
State-sponsored groups like Volt Typhoon and Flax Typhoon are using these botnets, which include home routers, security cameras, video recorders and other IoT devices, to target critical infrastructure areas and conduct cyber espionage in a “low-cost, low-risk, unacceptable way,” according to the alert.
Further complicating matters is the fact that the networks are constantly changing, not to mention that multiple China-affiliated threat groups may be using the same botnet at the same time, making it challenging for defenders to identify and block them using static IP blocklists.
“The covert network mostly consisted of compromised SOHO routers, but they also pulled in any vulnerable devices they could exploit on a large scale,” the agencies said. “Their traffic will be forwarded through multiple compromised devices, used as traversal nodes, before exiting the network from an exit node, usually in the same geographic area as the target.”
The findings outline a common pattern seen in state-sponsored attacks: targeting network perimeter devices belonging to residential, enterprise and government networks, either turning them into proxy nodes or intercepting sensitive data and communications.