
Firestarter backdoor on Cisco firewalls survives reboots, patches, and firmware updates

via BleepingComputer

Original source: Firestarter malware survives Cisco firewall updates, security patches (BleepingComputer)

CISA and the UK’s NCSC are warning about Firestarter, a custom ELF backdoor planted on Cisco Firepower and Secure Firewall appliances running ASA or FTD. The implant is attributed to UAT-4356, the cyberespionage cluster behind ArcaneDoor, and is reaching devices through CVE-2025-20333 (missing authorization) and CVE-2025-20362 (buffer overflow). In one federal agency intrusion traced to early September 2025, attackers first dropped the Line Viper shellcode loader to harvest VPN sessions, admin credentials, certificates, and private keys, then deployed Firestarter for long-term access.

Firestarter’s defining trait is persistence that outlives reboots, firmware upgrades, and security patches. It hooks into LINA, the core ASA process, registers signal handlers that reinstall the implant on graceful shutdowns, modifies the CSP_MOUNT_LIST boot file, hides a copy in /opt/cisco/platform/logs/var/log/svc_samcore.log, and restores itself to /usr/bin/lina_cs. Operators reach it via crafted WebVPN requests gated by a hardcoded identifier, which then load attacker-supplied shellcode directly into memory.

Cisco's guidance is blunt: reimage and upgrade to fixed releases, on both confirmed and suspected devices. Administrators can check exposure with "show kernel process | include lina_cs"; any output indicates compromise. A cold power-cycle will clear the implant but risks disk and database corruption, so it is offered only as a fallback. CISA has published YARA rules for disk images and core dumps to help defenders hunt the backdoor at scale.
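The indicators in the two paragraphs above (the lina_cs process, the two on-disk paths, and a modified CSP_MOUNT_LIST) can be applied offline to artifacts an operator has already collected from a device. The following triage helper is an added example written for this page; it is not code from the article, from Cisco or from CISA. It assumes the operator has saved a "show kernel process" capture, a list of file paths and copies of the boot file as plain text; the sample captures below are constructed for illustration, and the real layout of ASA process listings and of CSP_MOUNT_LIST is not described in the summary.

```python
"""Offline triage of collected Cisco ASA/FTD artifacts against the Firestarter
indicators named in the summary.  Example code, not vendor tooling.

Assumptions (not from the article): inputs are plain-text captures an operator
saved from the device; all sample data below is constructed.
"""

# Indicators quoted in the summary.
IMPLANT_PROCESS = "lina_cs"
IMPLANT_PATHS = {
    "/usr/bin/lina_cs",
    "/opt/cisco/platform/logs/var/log/svc_samcore.log",
}


def find_implant_processes(process_listing: str) -> list[str]:
    """Return every line of a 'show kernel process' capture that mentions lina_cs.

    Mirrors the vendor check 'show kernel process | include lina_cs': a plain
    substring match, so the legitimate 'lina' process never triggers it and any
    hit at all is treated as a compromise indicator.
    """
    return [ln.rstrip() for ln in process_listing.splitlines() if IMPLANT_PROCESS in ln]


def find_implant_files(file_inventory: list[str]) -> list[str]:
    """Return inventory entries that match the on-disk paths the summary lists."""
    return sorted(p for p in file_inventory if p in IMPLANT_PATHS)


def boot_file_additions(baseline: str, current: str) -> list[str]:
    """Return non-blank lines present in the current CSP_MOUNT_LIST but absent from
    a known-good baseline taken before the suspected intrusion (assumed to exist).
    The summary says only that the implant modifies this file, so a baseline diff
    is the generic way to surface that change without knowing its exact form.
    """
    known = {ln.strip() for ln in baseline.splitlines() if ln.strip()}
    return [ln.strip() for ln in current.splitlines() if ln.strip() and ln.strip() not in known]


def triage(process_listing: str, file_inventory: list[str],
           boot_baseline: str, boot_current: str) -> dict:
    """Combine the three checks; 'compromised' is True on any indicator hit."""
    procs = find_implant_processes(process_listing)
    files = find_implant_files(file_inventory)
    boot = boot_file_additions(boot_baseline, boot_current)
    return {"compromised": bool(procs or files or boot),
            "processes": procs, "files": files, "boot_file_additions": boot}


# ---- constructed sample captures (not real device output) ----------------
CLEAN_PROCESSES = """\
  PID  PPID  STATE  COMMAND
    1     0  S      /sbin/init
  742     1  S      /asa/bin/lina
"""
SUSPECT_PROCESSES = CLEAN_PROCESSES + " 1301     1  S      /usr/bin/lina_cs\n"

CLEAN_FILES = ["/asa/bin/lina", "/opt/cisco/platform/logs/var/log/boot.log"]
SUSPECT_FILES = CLEAN_FILES + list(IMPLANT_PATHS)

BOOT_BASELINE = "# constructed baseline\n/dev/sda1 /mnt/disk0\n"
BOOT_SUSPECT = BOOT_BASELINE + "/usr/bin/lina_cs /mnt/disk0/lina_cs\n"

if __name__ == "__main__":
    for label, procs, files, boot in (
        ("clean device", CLEAN_PROCESSES, CLEAN_FILES, BOOT_BASELINE),
        ("suspect device", SUSPECT_PROCESSES, SUSPECT_FILES, BOOT_SUSPECT),
    ):
        print(label, triage(procs, files, BOOT_BASELINE, boot))
```

Any hit in the result is a reason to follow the vendor guidance (reimage and upgrade) rather than to clean up selectively, since the summary describes the implant reinstalling itself on graceful shutdowns.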


This is an AI-generated summary. Read the original for the full story.