
CISA reports persistent FIRESTARTER backdoor on Cisco ASA device in federal network

CISA and the UK NCSC have identified the FIRESTARTER backdoor, a malware strain for Cisco ASA and Firepower appliances that persists across routine software upgrades and security patches.

Key Points

  • Attackers exploit CVE-2025-20333 and CVE-2025-20362 to gain initial remote access to Cisco network appliances, then deploy FIRESTARTER.
  • The malware is a Linux ELF implant that hooks into the LINA network processing engine to execute arbitrary shellcode.
  • Attackers use the LINE VIPER post-exploitation tool alongside FIRESTARTER to maintain long-term persistence on compromised federal and enterprise systems.
  • The backdoor stays active after the vulnerabilities are patched; full removal requires reimaging affected devices or terminating specific processes as described in CISA's guidance.
  • CISA's Emergency Directive 25-03 directs agencies to scan disk images and core dumps with the YARA rules CISA has provided to check for signs of infection.

Why it Matters

This discovery highlights a critical gap: patching alone does not evict an implant that has embedded itself in the firmware or running processes of network infrastructure. Organizations must go beyond applying updates and perform forensic verification of their edge devices, including disk image and core dump analysis, to confirm that no backdoor still holds unauthorized access.
Securityaffairs.com Published by Pierluigi Paganini