The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has revealed that an unnamed federal civilian agency’s Cisco Firepower device running Adaptive Security Appliance (ASA) software was compromised in September 2025 with malware called FIRESTARTER.
FIRESTARTER, per CISA and the U.K.’s National Cyber Security Centre (NCSC), is assessed to be a backdoor designed for remote access and control. It’s believed to be deployed as part of a “widespread” campaign orchestrated by an advanced persistent threat (APT) actor to obtain access to Cisco Adaptive Security Appliance (ASA) firmware by exploiting now-patched security flaws such as –
- CVE-2025-20333 (CVSS score: 9.9) – An improper validation of user-supplied input vulnerability that could allow an authenticated, remote attacker with valid VPN user credentials to execute arbitrary code as root on an affected device by sending crafted HTTP requests.
- CVE-2025-20362 (CVSS score: 6.5) – An improper validation of user-supplied input vulnerability that could allow an unauthenticated, remote attacker to access restricted URL endpoints without authentication by sending crafted HTTP requests.
“FIRESTARTER can persist as an active threat on Cisco devices running ASA or Firepower Threat Defense (FTD) software, maintaining post-patching persistence and enabling threat actors to re-access compromised devices without re-exploiting vulnerabilities,” the agencies said.
In the investigated incident, the threat actors have been found to deploy a post-exploitation toolkit called LINE VIPER that can execute CLI commands, perform packet captures, bypass VPN Authentication, Authorization, and Accounting (AAA) for actor devices, suppress syslog messages, harvest user CLI commands, and force a delayed reboot.
The elevated access afforded by LINE VIPER served as a conduit for FIRESTARTER, which was deployed on the Firepower device before September 25, 2025, allowing the threat actors to maintain continued access and return to the compromised appliance as recently as last month.
A Linux ELF binary, FIRESTARTER can set up persistence on the device, and survive firmware updates and device reboots unless a hard power cycle occurs. The malware lodges itself into the device’s boot sequence by manipulating a startup mount list, ensuring it automatically reactivates every time the device reboots normally. The resilience aside, it also shares some level of overlap with a previously documented bootkit referred to as RayInitiator.
“FIRESTARTER attempts to install a hook – a way to intercept and modify normal operations – within LINA, the device’s core engine for network processing and security functions,” according to the advisory. “This hook enables the execution of arbitrary shell code provided by the APT actors, including the deployment of LINE VIPER.”
“Although Cisco’s patches addressed CVE-2025-20333 and CVE-2025-20362, devices compromised prior to patching may remain vulnerable because FIRESTARTER is not…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
