U.S. and U.K. cybersecurity agencies warn that a custom backdoor called Firestarter has been found persisting on Cisco Firepower and Secure Firewall devices running ASA or FTD, allowing attackers continued access even after patches and reboots. Attributed to actor UAT-4356 and often preceded by Line Viper deployment, the implant exploits CVE-2025-20333 and/or CVE-2025-20362, hooks into the LINA process to inject shellcode via crafted WebVPN requests, and can be detected and mitigated using Cisco advisories, CISA YARA rules, or device reimaging. #Firestarter #LineViper #UAT-4356 #CVE-2025-20333 #CVE-2025-20362 #CiscoFirepower #ASA #FTD #CISA #NCSC #CiscoTalos
Key points
- Firestarter maintains persistence across reboots, firmware updates, and security patches on affected devices.
- The implant is attributed to threat actor UAT-4356 and is often deployed after Line Viper establishes VPN access and steals configuration data.
- Initial access is believed to be achieved via a missing authorization flaw (CVE-2025-20333) and/or a buffer overflow (CVE-2025-20362).
- Persistence is implemented by hooking the LINA process, modifying CSP_MOUNT_LIST, storing a copy of the implant in /opt/cisco/platform/logs/var/log/svc_samcore.log, and restoring /usr/bin/lina_cs.
- Cisco advises reimaging and upgrading to fixed releases for removal; administrators can check for compromise with 'show kernel process | include lina_cs', and CISA has published YARA rules for detection.
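The check above is typically run across a whole fleet rather than on one box. The following triage helper is an added example, not code from the page, Cisco, or CISA: it takes the captured output of 'show kernel process | include lina_cs' from several devices and reports which ones show a running lina_cs process. The page does not state what output indicates compromise, so the helper assumes (as a labelled assumption) that any lina_cs process is a lead for investigation, and the sample outputs, hostnames and column layout are constructed.

```python
"""Fleet triage for the Firestarter check: flag devices whose captured
'show kernel process | include lina_cs' output shows a lina_cs process.

Assumptions (not from the page): the column layout of the constructed
sample output, the hostnames, and that a running lina_cs process is an
indicator worth investigating rather than proof of compromise.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Match 'lina_cs' as a whole token, either bare or as the last path
# component (the page names /usr/bin/lina_cs). 'lina' alone must not match.
LINA_CS_RE = re.compile(r"(^|[\s/])lina_cs(\s|$)")


@dataclass
class Finding:
    hostname: str
    suspect_lines: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.suspect_lines)


def parse_kernel_process_output(text: str) -> list[str]:
    """Return the process rows of a captured command output, dropping blank
    lines and the (assumed) 'PID ...' header row."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("PID"):
            continue
        rows.append(line)
    return rows


def check_device(hostname: str, output: str) -> Finding:
    """Collect every process row on one device that names lina_cs."""
    finding = Finding(hostname)
    for row in parse_kernel_process_output(output):
        if LINA_CS_RE.search(row):
            finding.suspect_lines.append(row)
    return finding


def triage(outputs: dict[str, str]) -> list[str]:
    """Return the sorted hostnames whose output shows a lina_cs process."""
    return sorted(host for host, out in outputs.items()
                  if check_device(host, out).suspicious)


# Constructed sample captures (not real device output). A device with no
# matching process produces an empty capture because of the '| include'.
SAMPLE_OUTPUTS = {
    "fw-edge-01": (
        "PID   PPID  STAT  Name\n"
        "1234  1     S     /usr/bin/lina_cs\n"
    ),
    "fw-edge-02": "",
    "fw-dc-03": (
        "PID   PPID  STAT  Name\n"
        "2222  1     S     /asa/bin/lina\n"
    ),
}


def report(outputs: dict[str, str]) -> str:
    """Human-readable summary for a ticket or hand-off note."""
    hits = triage(outputs)
    lines = [f"{len(hits)} of {len(outputs)} devices show a lina_cs process"]
    for host in hits:
        for row in check_device(host, outputs[host]).suspect_lines:
            lines.append(f"  {host}: {row}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_OUTPUTS))
```

A hit from this script is a reason to follow Cisco's advisory and CISA's YARA rules on that device, not a verdict; devices whose capture is empty are only "clean" with respect to this one indicator.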