INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
FIRESTARTER Exploited Backdoor Allows Unrestricted Access
2026-04-24 17:06 | CRITICAL | HIGH
Executive Summary (AI-generated)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has disclosed that a Cisco Firepower device running Adaptive Security Appliance (ASA) software at an unnamed federal civilian agency was compromised in September 2025 with a previously unknown backdoor called FIRESTARTER. The intrusion is part of a widespread campaign in which an advanced persistent threat actor, tracked by Cisco as UAT4356 (aka Storm-1849) and assessed with high confidence to be the group behind the 2024 ArcaneDoor campaign, exploits the now-patched flaws CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362 (CVSS 6.5) to gain access to ASA firmware. In the investigated incident the actors first deployed the LINE VIPER post-exploitation toolkit, which can run CLI commands, capture packets, bypass VPN AAA for actor devices, suppress syslog messages, harvest operator CLI commands and force a delayed reboot. Its elevated access was then used to install FIRESTARTER before September 25, 2025 (the exact date is unknown), and the actors returned to the appliance as recently as March 2026. FIRESTARTER is a Linux ELF binary that executes arbitrary shellcode received by the LINA process, triggered by specially crafted WebVPN authentication requests containing a "magic packet"; it persists across firmware updates and reboots unless the device is hard power cycled, so appliances that were compromised before the patches were applied remain exposed even after patching. It also overlaps to some degree with the previously documented RayInitiator bootkit. The disclosure coincides with a joint advisory from the U.S., the U.K. and other partners about large networks of compromised SOHO routers and IoT devices that China-nexus actors, including Volt Typhoon and Flax Typhoon, use to disguise espionage and frustrate attribution; because those networks are constantly updated and may be shared by several groups, static IP blocklists are of limited use against them. The exact origin of the underlying activity is not confirmed, although a Censys analysis from May 2024 suggested links to China.
Technical Mitigations (AI-generated)
* Patch every Cisco Secure Firewall ASA and FTD (Firepower) device against CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362 (CVSS 6.5), and treat patching as necessary but not sufficient: a device compromised before the fix was applied can still carry FIRESTARTER afterwards.
* Hunt for compromise with the published YARA rules, running them over memory captured in device core dumps and over disk images rather than only over the running configuration, since the implant is a Linux ELF binary that survives firmware updates and reboots.
* On any confirmed compromise of an ASA or FTD platform, consider every configuration element of the device untrusted; the analysis states that only a hard power cycle interrupts FIRESTARTER's persistence, so a reboot or firmware upgrade alone does not clear it.
* Maintain an inventory of all Cisco Firepower devices (federal agencies must deliver theirs to CISA by May 1) so that no exposed appliance is missed during checks.
* Monitor ASA syslog continuously and alert on devices that go quiet, on unexplained reloads and on VPN sessions that did not pass normal AAA: LINE VIPER suppresses syslog, bypasses VPN AAA for actor devices and forces delayed reboots, so a gap in telemetry is itself an indicator.
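LINE VIPER's ability to suppress syslog messages means the absence of logs from a firewall is a signal in its own right. The following is an added example (not code from the original page, Cisco or CISA) of that detection: it parses timestamped ASA-style syslog lines, finds every per-device gap longer than a threshold, and records whether other devices on the same collector kept logging during the gap, which separates a muted appliance from a collector or network outage. The log lines, hostnames and addresses are constructed for the example and the line format is an assumption modelled on ASA syslog with timestamps enabled.

```python
"""Spot a firewall whose syslog stream went quiet while its peers kept talking.

Added example, not code from the original page, Cisco or CISA. LINE VIPER
can suppress syslog messages on a compromised ASA, so a device that stops
logging while other devices on the same collector keep logging deserves an
alert. SAMPLE_LOG below is constructed for this example; hostnames,
addresses and the exact line layout are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed layout: "<Mon DD YYYY HH:MM:SS> <hostname> : %ASA-<sev>-<id>: <text>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) : %ASA-\d-(?P<id>\d{6}): (?P<msg>.*)$"
)

Event = Tuple[datetime, str, str, str]  # (timestamp, host, message id, text)


def parse_asa_syslog(lines: List[str]) -> List[Event]:
    """Parse the lines we recognise, drop the rest, return events in time order."""
    events: List[Event] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        events.append((ts, m["host"], m["id"], m["msg"]))
    events.sort(key=lambda e: e[0])
    return events


def find_silences(events: List[Event], max_gap_minutes: int = 10) -> List[dict]:
    """Return every per-host gap longer than max_gap_minutes.

    peers_logging tells a muted device apart from a collector outage: if nobody
    logged during the gap, the collector or the network is the likelier cause;
    if other hosts kept logging, only this device went quiet.
    """
    max_gap = timedelta(minutes=max_gap_minutes)
    stamps: Dict[str, List[datetime]] = defaultdict(list)
    for ts, host, _, _ in events:
        stamps[host].append(ts)
    findings = []
    for host, times in stamps.items():
        for start, end in zip(times, times[1:]):
            if end - start <= max_gap:
                continue
            peers = any(start < ts < end and h != host for ts, h, _, _ in events)
            findings.append({
                "host": host,
                "start": start,
                "end": end,
                "minutes": int((end - start).total_seconds() // 60),
                "peers_logging": peers,
            })
    return findings


def _line(ts: datetime, host: str) -> str:
    # Constructed sample line; 302013 is the ASA "Built ... TCP connection" message.
    return (f"{ts:%b %d %Y %H:%M:%S} {host} : %ASA-6-302013: Built inbound TCP "
            f"connection 4711 for outside:203.0.113.10/51000 to inside:10.0.0.5/443")


_T0 = datetime(2026, 4, 24, 10, 0, 0)
# fw-edge-02 logs every minute for an hour; fw-edge-01 is silent from 10:05 to 10:42.
SAMPLE_LOG: List[str] = (
    [_line(_T0 + timedelta(minutes=i), "fw-edge-02") for i in range(60)]
    + [_line(_T0 + timedelta(minutes=i), "fw-edge-01") for i in range(6)]
    + [_line(_T0 + timedelta(minutes=i), "fw-edge-01") for i in range(42, 60)]
    + ["garbage line the collector picked up"]
)


if __name__ == "__main__":
    for f in find_silences(parse_asa_syslog(SAMPLE_LOG)):
        flag = "SUSPICIOUS" if f["peers_logging"] else "collector/network?"
        print(f"{f['host']}: quiet {f['start']:%H:%M}-{f['end']:%H:%M} "
              f"({f['minutes']} min) {flag}")
```

Run it on the constructed sample and fw-edge-01 is reported quiet for 37 minutes while fw-edge-02 kept logging; the threshold should be tuned to each device's normal message rate, and a gap that ends with a startup message is worth correlating with LINE VIPER's forced delayed reboot.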
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
ArcaneDoor (campaign, discovered 2024)
UAT4356, aka Storm-1849 (actor, per Cisco)
Volt Typhoon and Flax Typhoon (actors named in the related joint advisory)
LINE VIPER (post-exploitation toolkit)
FIRESTARTER (backdoor)
CVE-2025-20333
CVE-2025-20362
Target & Sectors
NORTH_AMERICA (U.S. federal civilian agency)
Incident Timeline
May 2024
An analysis by attack surface management platform Censys suggests links to China for the activity later tied to the ArcaneDoor campaign; the exact origin remains unknown.
Context: The exact origins of the threat activity are not known, although an analysis from attack surface management platform Censys in May 2024 suggested links to China.
Complicating matters further is the fact that the networks are constantly updated, not to mention multiple China-affiliated threat groups might use the same botnet at the same time, making it challenging for defenders to identify and block them using static IP blocklists.
Context: The disclosure comes as the U.S., the U.K., and various international partners released a joint advisory about large-scale networks of compromised SOHO routers and IoT devices commandeered by China-nexus threat actors to disguise their espionage attacks and complicate attribution efforts.
Context: State-sponsored groups like Volt Typhoon and Flax Typhoon have been using these botnets, consisting of home routers, security cameras, video recorders, and other IoT devices, to target critical infrastructure sectors and conduct cyber espionage in a "low-cost, low-risk, deniable way," per the alert.
Context: "In cases of confirmed compromise on any Cisco Secure ASA or FTD platforms, all configuration elements of the device should be considered untrusted."
Before September 25, 2025 (exact date unknown)
Threat actors deploy the LINE VIPER post-exploitation toolkit on a federal civilian agency's Cisco Firepower device and use its elevated access to install the previously unknown FIRESTARTER backdoor.
Context: The elevated access afforded by LINE VIPER served as a conduit for FIRESTARTER, which was deployed on the Firepower device before September 25, 2025, allowing the threat actors to maintain continued access and return to the compromised appliance as recently as last month.
Context: CISA said FIRESTARTER was deployed on the exploited Cisco device before September 25, 2025 but the exact date is unknown.
Context: A Linux ELF binary, FIRESTARTER can set up persistence on the device, and survive firmware updates and device reboots unless a hard power cycle occurs.
Context: The resilience aside, it also shares some level of overlap with a previously documented bootkit referred to as RayInitiator.
Context: Cisco, which is tracking the exploitation activity associated with the two vulnerabilities under the moniker UAT4356 (aka Storm-1849), described FIRESTARTER as a backdoor that facilitates the execution of arbitrary shellcode received by the LINA process by parsing specially crafted WebVPN authentication requests containing a "magic packet."
September 2025
Cisco publishes a lengthy study on CVE-2025-20333 and CVE-2025-20362, assessing with high confidence that the campaign is tied to the actors behind the 2024 ArcaneDoor campaign. CISA later reports that the federal civilian agency's Cisco Firepower device running Adaptive Security Appliance software was compromised with FIRESTARTER during this month.
Context: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has revealed that an unnamed federal civilian agency's Cisco Firepower device running Adaptive Security Appliance (ASA) software was compromised in September 2025 with malware called FIRESTARTER.
Context: It's believed to be deployed as part of a "widespread" campaign orchestrated by an advanced persistent threat (APT) actor to obtain access to Cisco Adaptive Security Appliance (ASA) firmware by exploiting now-patched security flaws such as CVE-2025-20333 (CVSS score: 9.9) and CVE-2025-20362 (CVSS score: 6.5).
Context: In the investigated incident, the threat actors have been found to deploy a post-exploitation toolkit called LINE VIPER that can execute CLI commands, perform packet captures, bypass VPN Authentication, Authorization, and Accounting (AAA) for actor devices, suppress syslog messages, harvest user CLI commands, and force a delayed reboot.
March 2026
The threat actors return to the compromised appliance, using FIRESTARTER to maintain access; this is the most recent activity CISA reported.
2026-04-24
CISA discloses the compromise of the federal agency's Cisco Firepower device by the previously unknown FIRESTARTER backdoor, as an update to its earlier advisory on the two CVEs, and requires federal agencies to confirm malware checks by midnight on Friday.
Context: Ten countries, including those in the Five Eyes alliance, were involved in the second warning of its kind in recent weeks, once again claiming that China was building covert networks, such as recruiting consumer-grade SOHO routers, to launch cyberattacks on adversaries.
Context: That advisory specifically discusses tactics used by Volt Typhoon and Flax Typhoon, two Chinese groups previously identified for their attacks on the U.S. government and critical infrastructure.
Context: In September, Cisco published a lengthy study on CVE-2025-20333 and CVE-2025-20362, assessing with high confidence that the campaign is tied to the same hackers behind the ArcaneDoor campaign discovered in 2024.
Context: Devices that were compromised before defenders patched CVE-2025-20333 and CVE-2025-20362 are still vulnerable because of FIRESTARTER.
Context: The findings this week are an update to CISA's earlier advisory, warning of other attacks on Cisco products, ones that exploited CVE-2025-20333 (9.9) and CVE-2025-20362 (6.5).
Context: ASA is a popular product line among governments and large businesses because it consolidates several different security tasks into a single appliance.
Context: Described as a backdoor with remote access capabilities, Firestarter was named after Cisco Secure Firewall Adaptive Security Appliance (ASA) and Cisco Secure Firewall Threat Defense (FTD), the two products the malware targeted.
Context: All organizations are advised to use YARA rules while carrying out memory analysis from device core dumps or disk images.
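The YARA guidance above assumes the responder can already get at memory from a core dump or at a disk image. A first pass that complements those rules, and that works before any FIRESTARTER-specific rule is available, is to carve every ELF header out of the blob and summarise it, since the implant is a Linux ELF binary. The following is an added example (not code from the original page, Cisco or CISA): it validates each candidate header rather than trusting the four magic bytes, reports class, endianness, type, architecture, entry point and program-header count, and flags executables not built for the device's own CPU. The core dump is constructed from synthetic headers and contains no real malware; the device architecture passed to unexpected_hits is an assumption for illustration and must be set to the platform under investigation.

```python
"""Carve ELF images out of a raw core dump or disk image and summarise them.

Added example, not code from the original page, Cisco or CISA. SAMPLE_DUMP is
constructed from synthetic headers; the "x86-64" device architecture used in
__main__ is an assumption for illustration, not a statement about any product.
"""
import struct
from typing import List, NamedTuple, Optional

ELF_MAGIC = b"\x7fELF"
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINE = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64"}

# Header after the 16-byte e_ident: type, machine, version, entry, phoff, shoff,
# flags, ehsize, phentsize, phnum, shentsize, shnum, shstrndx
_FMT64, _SIZE64 = "HHIQQQIHHHHHH", 0x40
_FMT32, _SIZE32 = "HHIIIIIHHHHHH", 0x34


class ElfHit(NamedTuple):
    offset: int
    elf_class: str
    endian: str
    e_type: str
    e_machine: str
    entry: int
    phnum: int


def parse_elf_header(blob: bytes, off: int) -> Optional[ElfHit]:
    """Parse the ELF header at `off`; None if the bytes are not a plausible header."""
    if len(blob) < off + 16 or blob[off:off + 4] != ELF_MAGIC:
        return None
    ei_class, ei_data, ei_version = blob[off + 4:off + 7]
    if ei_class not in (1, 2) or ei_data not in (1, 2) or ei_version != 1:
        return None                      # magic bytes inside unrelated data
    fmt, size = (_FMT64, _SIZE64) if ei_class == 2 else (_FMT32, _SIZE32)
    if len(blob) < off + size:
        return None
    end = "<" if ei_data == 1 else ">"
    f = struct.unpack(end + fmt, blob[off + 16:off + size])
    e_type, e_machine, e_version, e_entry, ehsize, phnum = f[0], f[1], f[2], f[3], f[7], f[9]
    if e_type not in E_TYPE or e_version != 1 or ehsize != size:
        return None                      # header fields disagree with the format
    return ElfHit(off, "ELF64" if ei_class == 2 else "ELF32",
                  "LE" if ei_data == 1 else "BE",
                  E_TYPE[e_type], E_MACHINE.get(e_machine, f"machine:{e_machine}"),
                  e_entry, phnum)


def carve_elf(blob: bytes) -> List[ElfHit]:
    """Scan the whole blob for valid ELF headers, in offset order."""
    hits, pos = [], 0
    while True:
        pos = blob.find(ELF_MAGIC, pos)
        if pos < 0:
            return hits
        hit = parse_elf_header(blob, pos)
        if hit:
            hits.append(hit)
        pos += 1


def unexpected_hits(hits: List[ElfHit], device_machine: str) -> List[ElfHit]:
    """Executables not built for the device's CPU get the first look; the rest
    still need comparing against a known-good image of the same release."""
    return [h for h in hits if h.e_machine != device_machine]


def _synthetic_header(elf_class, endian, e_type, e_machine, entry, phnum) -> bytes:
    # Builds only e_ident plus the header: no code, no segments, no sections.
    ident = ELF_MAGIC + bytes([elf_class, endian, 1, 0, 0]) + b"\0" * 7
    end = "<" if endian == 1 else ">"
    if elf_class == 2:
        return ident + struct.pack(end + _FMT64, e_type, e_machine, 1, entry,
                                   _SIZE64, 0, 0, _SIZE64, 0x38, phnum, 0x40, 0, 0)
    return ident + struct.pack(end + _FMT32, e_type, e_machine, 1, entry,
                               _SIZE32, 0, 0, _SIZE32, 0x20, phnum, 0x28, 0, 0)


# Constructed "core dump": filler, one x86-64 executable, a false positive
# (magic bytes with an impossible e_ident), then a little-endian ARM shared object.
SAMPLE_DUMP = (
    b"\x00" * 100
    + _synthetic_header(2, 1, 2, 62, 0x401000, 5)
    + b"A" * 300
    + ELF_MAGIC + b"\xff\xff\xff" + b"B" * 100
    + _synthetic_header(1, 1, 3, 40, 0x8000, 2)
    + b"\x00" * 64
)

if __name__ == "__main__":
    hits = carve_elf(SAMPLE_DUMP)
    for h in hits:
        print(f"0x{h.offset:08x} {h.elf_class} {h.endian} {h.e_type:4} "
              f"{h.e_machine:8} entry=0x{h.entry:x} phnum={h.phnum}")
    for h in unexpected_hits(hits, "x86-64"):   # assumed device CPU, see lead-in
        print(f"unexpected architecture at 0x{h.offset:08x}: {h.e_machine}")
```

On the constructed dump this finds two valid headers and rejects the decoy, and the ARM object is reported as unexpected for an assumed x86-64 device. On a real capture, point it at the core dump or disk image, feed each carved offset to the YARA rules and to a hash comparison against a clean image of the same software release, and remember that a header with e_type CORE belongs to the dump itself rather than to an implant.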
May 1, 2026
Deadline for all federal agencies to provide CISA with an inventory of their Cisco Firepower devices.
Context: Federal agencies have to submit confirmation of the malware checks by midnight on Friday and by May 1, all agencies will have to provide an inventory of Cisco Firepower devices.
Tactical Metrics
Affected Product: Cisco Secure Firewall ASA and FTD (Firepower) running Adaptive Security Appliance software; FIRESTARTER is a Linux ELF binary that sets up persistence on the device and survives firmware updates and reboots unless a hard power cycle occurs.
CVSS Scores: CVE-2025-20333 (9.9), CVE-2025-20362 (6.5)
Intelligence Sources
TheRecord, 2026-04-23
The Register - Cybercrime, 2026-04-24: Governments on high alert after CISA snuffs out Firestarter backdoor on fed network
The Hacker News, 2026-04-24
Incident Version History
CURRENT VERSION
Last Updated: 2026-05-01T12:55
Comprehensive Tactical Telemetry
Campaign: ArcaneDoor (discovered 2024); Cisco assesses with high confidence that the current activity is tied to the same actors
Threat actor: UAT4356, aka Storm-1849 (Cisco's designation); the related joint advisory concerns Volt Typhoon and Flax Typhoon
Malware: LINE VIPER (post-exploitation toolkit), FIRESTARTER (backdoor, Linux ELF binary), with some overlap with the RayInitiator bootkit
Exploited CVEs: CVE-2025-20333 (CVSS 9.9), CVE-2025-20362 (CVSS 6.5)
Affected product: Cisco Secure Firewall ASA and FTD (Firepower)
Operation type: Espionage
Target: unnamed U.S. federal civilian agency (North America)
Suggested origin: China (Censys analysis, May 2024); not confirmed
Attributing authorities: CISA, Cisco