CISA said a U.S. federal civilian agency’s Cisco Firepower ASA device running ASA software was compromised in September 2025 by the FIRESTARTER backdoor, and that the malware persisted even after security patches were applied.
The agency, together with the United Kingdom's National Cyber Security Centre (NCSC), attributes FIRESTARTER to a campaign that enables remote access and control, and notes that it targets Cisco ASA devices. The existing flaws CVE-2025-20333 and CVE-2025-20362 are implicated in initial access and unauthenticated endpoint access.
According to the alert, LINE VIPER was used for post-exploitation before FIRESTARTER was deployed to maintain persistence, and FIRESTARTER can survive firmware updates unless a full power cycle is performed. The malware embeds a hook in the LINA network processing engine to execute attacker-supplied shellcode and deploy additional payloads, and it re-establishes itself by writing to reboot-persistent locations and recreating configuration files. CISA and the NCSC urge rapid patching, device inventory, and enhanced access controls, noting that FIRESTARTER's persistence may remain even after patches are applied.