www.securityweek.com 4/24/2026, 11:30:59 AM · via preferred

US Agency Hit by Firestarter Backdoor on Cisco Firepower Gear

According to CISA, at least one US federal agency was infected with the Firestarter backdoor through a vulnerable Cisco Firepower device; the backdoor provides remote access and control and persists beyond remediation. The campaign, linked to ArcaneDoor, exploited two zero-day vulnerabilities, CVE-2025-20333 and CVE-2025-20362, in the VPN web server of Cisco ASA and Secure Firewall Threat Defense software. Cisco later attributed the attacks to the state-sponsored actor UAT-4356.

CISA issued Emergency Directive 25-03 in September 2025 and updated its guidance in November to recommend additional mitigation actions, warning that patching a device does not remove the malware. The directive requires federal agencies to upload core dumps to the Malware Next Gen portal so that compromise can be verified, and then to remediate: checks and updates are due by 11:59 PM EST on 24 April 2026, and hard resets by 30 April 2026.

Cisco's advisory on CVE-2025-20333 and CVE-2025-20362 notes that Firestarter can survive firmware updates and, in some cases, can be removed only by a reboot. The backdoor installs a hook in Lina, which enables execution of arbitrary shellcode and deployment of Line Viper, and it is eradicated only when the device is properly rebooted.

Article by CyberSIXT
