FIRESTARTER backdoor persists on Cisco firewalls after patching

Threat summary

On April 23, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre reported on a previously unknown backdoor, FIRESTARTER.

The backdoor was identified during forensic investigation of suspicious activity on Cisco firewall infrastructure used by a U.S. federal civilian agency. Its persistence mechanism survived installation of Cisco security updates released in September 2025, meaning affected devices may remain compromised unless remediation extends beyond routine patching.

The threat actor targeted Cisco Secure Firewall Adaptive Security Appliance (ASA) and Cisco Secure Firewall Threat Defense (FTD) platforms, which are commonly deployed as network perimeter firewalls and VPN gateways. These devices routinely process sensitive network traffic, authenticate remote users, and enforce security policy at the network edge.

Initial access was gained by exploiting two previously disclosed vulnerabilities:

• CVE-2025-20333, a remote code execution flaw with a CVSS score of 9.9
• CVE-2025-20362, an authentication bypass flaw with a CVSS score of 6.5

Cisco released updates for both vulnerabilities in September 2025.

FIRESTARTER is a Linux‑based implant that embeds itself within Cisco firewall systems and provides unauthorized remote access by running inside the LINA process, which handles core packet‑processing and security functions on ASA and FTD platforms. The threat actors enabled this access by modifying the CSP_MOUNT_LIST, a Cisco boot‑sequence configuration, ensuring the malware would automatically run during normal system startup.

This approach allowed the implant to reactivate during routine, software‑initiated reboots and persist through standard updates, all while appearing consistent with expected device behavior.

However, its persistence depends on the system receiving an orderly reboot signal, which gives the implant a chance to restore itself. As a result, a hard reboot, such as physically unplugging and restarting the device, breaks the persistence and removes the implant.

Cisco attributes this activity to a threat actor it tracks as UAT-4356, which has previously been associated with the Chinese state actors targeting network perimeter devices.

Analysis

Organizations should immediately apply Cisco updates for CVE‑2025‑20333 and CVE‑2025‑20362 across all Firepower devices, as these vulnerabilities are used as the initial vector used to deploy the FIRESTARTER implant. Prompt patching reduces the attacker’s ability to re‑enter the environment or compromise additional devices. Security teams should also check for indicators of compromise, including unexpected or modified files at `/usr/bin/lina_cs` or `/opt/cisco/platform/logs/var/log/svc_samcore.log`, as well as anomalous output from `show kernel process | include lina_cs`, which may reveal unauthorized execution. Early detection is critical because the implant operates within core security processes and can evade traditional monitoring.

Any device confirmed to be infected must be reimaged, which Cisco identifies as the only reliable remediation method to fully restore system integrity. On non‑lockdown FTD systems, administrators may be able to stop the `lina_cs` process to remove the active implant, but this is only a temporary measure; a full reimage is still required to ensure complete eradication and prevent reinfection. These steps are essential because a compromised firewall provides attackers with privileged, covert access to the network perimeter, making rapid containment and thorough remediation vital to reducing operational and security risk.

Stay on top of emerging threats like this.

Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities. 

Sign up