FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches

CISA reported that a federal civilian agency's Cisco Firepower device running ASA software was compromised in September 2025 by a Linux ELF backdoor named FIRESTARTER, which persists through firmware updates and normal reboots by altering the device's boot sequence. The intrusion leveraged now-patched vulnerabilities (CVE-2025-20333 and CVE-2025-20362) to deliver FIRESTARTER alongside a post-exploitation toolkit called LINE VIPER, enabling remote command execution, packet captures, VPN AAA bypass, and continued re-access to compromised appliances. #FIRESTARTER #LINEVIPER

Key points

  • FIRESTARTER is a persistent Linux ELF backdoor that embeds in the boot sequence and survives firmware updates and normal reboots.
  • Attackers exploited CVE-2025-20333 and CVE-2025-20362 in Cisco ASA/FTD devices to gain initial access.
  • LINE VIPER is a post-exploitation toolkit that executes CLI commands, performs packet captures, bypasses VPN AAA, suppresses syslog, and harvests user commands.
  • FIRESTARTER hooks the LINA process to run arbitrary shellcode and may require a cold power cycle or full reimage to remove.
  • Cisco advises reimaging compromised ASA/FTD devices and treating configurations as untrusted while agencies link the campaign to broader APT activity and covert SOHO/IoT networks.

Read More: https://thehackernews.com/2026/04/firestarter-backdoor-hit-federal-cisco.html