According to the advisory, FIRESTARTER is a backdoor discovered on a federal Cisco Firepower device running ASA software, which was compromised in September 2025 to enable remote access and control. The backdoor is believed to be part of a “widespread” campaign by an advanced persistent threat to gain access to Cisco ASA firmware by exploiting now-patched flaws such as CVE-2025-20333 and CVE-2025-20362. Cisco and the U.K. National Cyber Security Centre assess that FIRESTARTER can persist on devices running ASA or Firepower Threat Defense, allowing threat actors to return after patching without re-exploiting the vulnerabilities. Investigations find the threat group deployed the LINE VIPER post-exploitation tooling to run commands, take packet captures, bypass VPN AAA, and schedule delayed reboots, with FIRESTARTER reportedly deployed before 25 September 2025 and active as recently as last month.
The malware can survive firmware updates and reboots by manipulating a startup mount list, and may install a hook in LINA to run arbitrary shellcode supplied by the attackers. Cisco recommends reimaging and upgrading affected devices to fully remove the persistence; as a provisional mitigation, a cold restart (power cycle) is advised, since the shutdown and reboot commands will not clear the implant. The analysis notes that while patches addressed the two CVEs, devices compromised prior to patching may remain vulnerable.
The UAT4356 moniker (Storm-1849) is used by Cisco to describe the exploitation activity, with some attribution suggesting links to China, though the origins are not confirmed.

24 April 2026