Triskele Labs Blog

Persistent FIRESTARTER Malware Identified in Cisco Secure Firewall and Firepower Devices

Written by Adam Skupien, Vulnerability Security Analyst | Apr 24, 2026 5:49:04 AM

Prepared by: Adam Skupien, Vulnerability Security Analyst | Published: Fri 24 April 2026

Purpose

The purpose of this alert is to highlight newly disclosed information relating to persistent malware associated with the historical exploitation of CVE‑2025‑20333 and CVE‑2025‑20362 in Cisco Secure Firewall and Firepower devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software.

CVE‑2025‑20333 is rated Critical by Cisco. CVE‑2025‑20362 is rated Medium, with Cisco citing no direct impact to availability; however, the U.S. National Vulnerability Database (NVD) assigns a High CVSS score based on potential availability impact in broader exploitation scenarios.

Although these vulnerabilities were publicly disclosed and patches were released in September 2025, subsequent Cisco analysis, supported by findings from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.K. National Cyber Security Centre (NCSC), has confirmed that devices compromised prior to patching may remain compromised even after upgrading to fixed releases. The malware, tracked as FIRESTARTER, enables persistent, unauthorised access without the need to re‑exploit the original vulnerabilities.


Details

On 23 April 2026, Cisco released an informational advisory describing a previously undocumented persistence mechanism used by the threat actor associated with the ArcaneDoor campaign, tracked by Cisco as UAT‑4356. This persistence mechanism resides within the Cisco Firepower eXtensible Operating System (FXOS) and survives software upgrades applied after the September 2025 vulnerability disclosures.

The Australian Cyber Security Centre (ACSC) has acknowledged the updated threat information and advised Australian organisations to follow Cisco’s guidance and check for published indicators of compromise (IoCs).

FIRESTARTER Malware

Vendor analysis has identified the malware implant as FIRESTARTER, which:

  • Executes within the LINA process on affected ASA and FTD devices
  • Runs as a malicious process named lina_cs
  • Allows execution of attacker‑supplied code
  • Establishes persistence through FXOS boot mechanisms
  • Survives standard reloads, reboots, and software upgrades

Importantly, while upgrading to fixed software versions prevents new exploitation of CVE‑2025‑20333 and CVE‑2025‑20362, patching alone does not remove FIRESTARTER on devices that were compromised prior to remediation.

Affected Platforms

The following platforms are affected regardless of configuration:

  • Firepower 1000, 2100, 4100, 9300 Series
  • Secure Firewall 1200, 3100, 4200 Series

The following platforms are not affected by this persistence mechanism:

  • ASA 5500‑X Series
  • Secure Firewall 200 and 6100 Series
  • ASA Virtual / FTD Virtual
  • ISA3000
  • Secure Firewall Threat Defense Virtual

As no standalone software update exists to remove the FIRESTARTER persistence mechanism, organisations operating the affected platforms should ensure the detection and mitigation steps outlined below are performed to validate device integrity and identify potential compromise.


Impact

Successful exploitation resulting in a persistent FIRESTARTER implant compromises the trust boundary of affected Cisco Secure Firewall and Firepower devices.

If present, the malware enables a threat actor to maintain ongoing, unauthorised access to a network perimeter device, which may allow:

  • Execution of attacker‑supplied code within the firewall context
  • Long‑term monitoring or manipulation of network traffic traversing the device
  • Abuse of the appliance as a staging point for further intrusion into internal networks
  • Re‑establishment of access after remediation efforts that rely on patching or standard reboots

Because affected devices typically operate with elevated privileges and are positioned at critical network boundaries, compromise may undermine the confidentiality and integrity of network traffic and security controls reliant on the appliance.


Detection

Organisations should assess historically exposed devices for signs of compromise.

Cisco has identified a single reliable IoC for the FIRESTARTER implant, which can be checked by running the following command from the device command‑line interface (CLI):

show kernel process | include lina_cs

  • No output: IoC not observed
  • Any output: Device should be treated as compromised

Additional investigation may include collection of diagnostic outputs such as show tech-support detail and memory analysis, consistent with vendor guidance. The ACSC advises organisations to use the IoCs published by Cisco and follow vendor‑provided investigation guidance.
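When the IoC check is collected across a fleet rather than typed interactively, the captured session transcript always contains the string "lina_cs" in the echoed command itself, so a naive search of the transcript flags every device. The following triage helper, added here as an illustration and not code from Cisco, the ACSC or the original advisory, strips prompt lines and the echoed command before applying the advisory's rule (no remaining output: IoC not observed; any remaining output: treat as compromised). The transcripts and the process-line layout are constructed samples; the prompt pattern (a token ending in "#" or ">") is an assumption about how the CLI prompt appears, and the device names are placeholders.

```python
"""Triage captured output of the FIRESTARTER IoC check across several devices.

Advisory rule for `show kernel process | include lina_cs`:
    no output  -> IoC not observed
    any output -> device should be treated as compromised
Prompt lines and the echoed command are removed first, because they contain
"lina_cs" without being process output.
"""
import re
from dataclasses import dataclass

IOC_COMMAND = "show kernel process | include lina_cs"
IOC_PROCESS = "lina_cs"

# Assumption: a CLI prompt is a single token ending in '#' or '>' (for example
# "fw-edge-01#" or "fw-edge-01>"), optionally followed by the echoed command.
PROMPT_RE = re.compile(r"^\S+[#>]\s*")


@dataclass
class TriageResult:
    device: str
    compromised: bool
    evidence: list[str]  # output lines that triggered the verdict


def extract_process_lines(transcript: str) -> list[str]:
    """Return only the lines that could be genuine command output.

    Drops blank lines, prompt lines (with or without an echoed command) and a
    bare echo of the IoC command, which some collectors emit without a prompt.
    """
    kept = []
    for raw in transcript.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PROMPT_RE.match(line):
            continue
        if line == IOC_COMMAND:
            continue
        kept.append(line)
    return kept


def triage(device: str, transcript: str) -> TriageResult:
    """Apply the advisory rule to one device's transcript."""
    hits = [ln for ln in extract_process_lines(transcript) if IOC_PROCESS in ln]
    return TriageResult(device=device, compromised=bool(hits), evidence=hits)


def triage_fleet(transcripts: dict[str, str]) -> dict[str, TriageResult]:
    """Triage every device; the result keeps the evidence for the IR record."""
    return {dev: triage(dev, txt) for dev, txt in transcripts.items()}


# Constructed sample transcripts (not real device output). The process-line
# layout on fw-edge-02 is illustrative and does not claim to match Cisco's format.
SAMPLE_TRANSCRIPTS = {
    # Clean device: only the echoed command and the returning prompt.
    "fw-edge-01": "fw-edge-01# show kernel process | include lina_cs\nfw-edge-01#\n",
    # Device with a matching process line between the echo and the prompt.
    "fw-edge-02": (
        "fw-edge-02# show kernel process | include lina_cs\n"
        "  4117   1  S  lina_cs\n"
        "fw-edge-02#\n"
    ),
    # Collector that logs the command without a prompt and got no output back.
    "fw-dc-03": "show kernel process | include lina_cs\n\n",
}

if __name__ == "__main__":
    for result in triage_fleet(SAMPLE_TRANSCRIPTS).values():
        verdict = "TREAT AS COMPROMISED" if result.compromised else "IoC not observed"
        print(f"{result.device}: {verdict}")
        for line in result.evidence:
            print(f"    evidence: {line}")
```

Keep the transcripts themselves alongside the verdicts: a device flagged here is only a trigger for the vendor's full investigation guidance, and the raw capture is what the incident record and any later memory analysis will be compared against.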

 

Mitigation actions

If FIRESTARTER Is Not Detected

  • Ensure devices are running software releases that remediate the September 2025 vulnerabilities and subsequent persistence issue
  • Continue monitoring and centralised log collection
  • Review authentication and management access controls

If FIRESTARTER Is Detected

If the IoC is present, the device must be considered untrusted.

Cisco advises that full remediation requires:

  1. Complete reimaging of the device, including FXOS
  2. Upgrade to a fixed software release specified by Cisco
  3. Reconfiguration from known‑good backups
  4. Rotation of credentials, certificates, and keys associated with the device

Cisco notes that a cold power removal (unplugging the device from power) may interrupt the persistence mechanism but does not recommend this as a substitute for reimaging, as it may cause data corruption. Organisations should follow Cisco guidance to ensure integrity is restored.

Where malware is identified, organisations should manage the issue in accordance with their established incident response processes. While U.S. government agencies are subject to separate directives, the technical findings and vendor guidance are applicable more broadly.

Customers with Monitor (24x7x365 Managed Detection and Response) services continue to be monitored for indicators associated with this activity and for anomalous behaviour involving perimeter security devices.

Customers who have identified the FIRESTARTER indicator of compromise, or who require assistance validating the integrity of affected devices, are encouraged to engage Triskele Labs for tailored incident response and remediation support.
