FIRESTARTER Backdoor
CISA and NCSC release malware analysis of FIRESTARTER backdoor targeting Cisco Firepower and ASA devices.
Summary
CISA and the UK's NCSC published a detailed malware analysis report on FIRESTARTER, a Linux-based backdoor deployed by APT actors on Cisco Firepower and Secure Firewall devices. The malware persists even after firmware patches for CVE-2025-20333 and CVE-2025-20362 are applied, and works in conjunction with LINE VIPER to maintain remote access and control. Organizations are urged to use provided YARA rules for detection, generate core dumps for analysis, and in confirmed compromise cases, perform hard power cycles to remove persistence.
Full text
Analysis Report
FIRESTARTER Backdoor
Release Date: April 23, 2026
Alert Code: AR26-113A

Malware Analysis Report at a Glance
Malware Name: FIRESTARTER
Original Publication: April 23, 2026

Executive Summary
The Cybersecurity and Infrastructure Security Agency (CISA) analyzed a sample of FIRESTARTER malware obtained from a forensic investigation. CISA and the United Kingdom National Cyber Security Centre (NCSC) assess that advanced persistent threat (APT) actors are using FIRESTARTER malware for persistence, specifically targeting publicly accessible Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. CISA and the NCSC are releasing this Malware Analysis Report to share analysis of one FIRESTARTER malware sample operating as a backdoor and to urge organizations to take key response actions.

Note: The release of this Malware Analysis Report aligns with CISA’s update to V1: Emergency Directive (ED) 25-03: Identify and Mitigate Potential Compromise of Cisco Devices and Supplemental Direction ED 25-03: Core Dump and Hunt Instructions. The malware outlined in this report is relevant for both Cisco Firepower and Secure Firewall devices; however, CISA has only observed a successful implant of the malware in the wild on a Cisco Firepower device running ASA software.

Key Actions for U.S. FCEB Agencies
- Collect and submit core dumps to CISA’s Malware Next Generation platform.
- Immediately report the submission via CISA’s 24/7 Operations Center; CISA will reach out with next steps.
- Take no additional action until CISA provides further guidance.

Key Actions for All Other Organizations
- Use the YARA rules to detect FIRESTARTER malware against either a disk image or core dump of a device.
- Report any findings to CISA or the NCSC.
- If compromise is confirmed, conduct incident response actions.

Intended Audience
Organizations: Government and critical infrastructure organizations (Note: While this publication supplements CISA ED 25-03, the guidance is applicable to all organizations, including U.K. organizations.)
Sector: Government Services and Facilities Sector
Roles: Digital forensics analysts, incident responders, vulnerability analysts, system administrators

Introduction
The Cybersecurity and Infrastructure Security Agency (CISA) analyzed a sample of FIRESTARTER malware obtained from a forensic investigation. CISA and the United Kingdom National Cyber Security Centre (NCSC) assess that FIRESTARTER—a backdoor that allows remote access and control—is part of a widespread campaign that afforded an advanced persistent threat (APT) actor initial access to Cisco Adaptive Security Appliance (ASA) firmware by exploiting CVE-2025-20333 [CWE-862: Missing Authorization] and/or CVE-2025-20362 [CWE-120: Classic Buffer Overflow]. For more information on this campaign, see CISA’s original version of Emergency Directive (ED) 25-03: Identify and Mitigate Potential Compromise of Cisco Devices (released Sept. 25, 2025).

CISA and the NCSC assess that FIRESTARTER can persist as an active threat on Cisco devices running ASA or Firepower Threat Defense (FTD) software, maintaining post-patching persistence and enabling threat actors to re-access compromised devices without re-exploiting vulnerabilities.

U.S. Federal Civilian Executive Branch (FCEB) agencies are required to implement the new required actions in CISA’s updated Emergency Directive (V1: ED 25-03). CISA and the NCSC urge other U.S. and U.K. organizations to use the YARA rules to detect FIRESTARTER malware against either a disk image or core dump of a device and to report any findings to CISA or the NCSC. Organizations can also refer to Cisco’s Security Advisory and Talos Blog.
Download the PDF version of this report: AR26-113A_MAR_FIRESTARTER_backdoor_ (PDF, 604.62 KB)

FIRESTARTER Collection
CISA is authorized to monitor for, analyze, and notify U.S. FCEB agencies of anomalous or suspected malicious activity detected on federal networks. Through continuous monitoring, CISA identified suspicious connections on one U.S. FCEB agency’s Cisco Firepower device running ASA software. CISA notified and validated the true positive finding with agency personnel and initiated a forensic engagement. During the engagement, CISA discovered one malware sample—named FIRESTARTER—on the Firepower device.

In this incident, APT actors initially deployed LINE VIPER as a post-exploitation implant and subsequently used FIRESTARTER as a persistence mechanism to maintain continued access to the compromised device. Although Cisco’s patches addressed CVE-2025-20333 and CVE-2025-20362, devices compromised prior to patching may remain compromised because FIRESTARTER is not removed by firmware updates.

Threat Actor Activity
Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 18. See Appendix A: MITRE ATT&CK Techniques for tables mapping the cyber actors’ activity to MITRE ATT&CK tactics and techniques.

CISA’s analysis identified the following:
- Initial Access: CISA assesses, but has not confirmed, that APT actors obtained initial access by exploiting CVE-2025-20333 and/or CVE-2025-20362 [T1190]. CISA has not confirmed the exact date of initial exploitation but assesses the compromise occurred in early September 2025, before the agency implemented patches in accordance with ED 25-03.
- Privilege Escalation and Defense Evasion: CISA identified that APT actors first deployed LINE VIPER to establish illegitimate virtual private network (VPN) sessions [T1133] that bypassed all VPN authentication policies. This activity was associated with user accounts that existed but were no longer active within the agency [T1078]. Although this behavior was observed in this incident, threat actors may use other (including fabricated) accounts. LINE VIPER enabled APT actors to access all configuration elements of the victim Firepower device, including administrative credentials, certificates, and private keys [T1082].
- Persistence: APT actors deployed FIRESTARTER on the Firepower device before Sept. 25, 2025 (the exact date is unknown). Because it was present before patching, FIRESTARTER persisted through remediation and established command and control (C2) channels on the victim Firepower device [T1219]. APT actors leveraged FIRESTARTER to regain access without re-exploiting the original vulnerabilities and deployed LINE VIPER in March 2026.

Malware Summary
FIRESTARTER is a Linux Executable and Linkable Format (ELF) file designed to execute on Cisco Firepower and Secure Firewall devices, serving as a C2 channel for remote access and control. The malware achieves persistence by detecting termination signals and relaunching itself, and it can survive firmware updates and device reboots unless a hard power cycle occurs. FIRESTARTER attempts to install a hook—a way to intercept and modify normal operations—within LINA, the device’s core engine for network processing and security functions. This hook enables the execution of arbitrary shell code provided by the APT actors, including the deployment of LINE VIPER.

Note: The file CISA obtained for analysis was named lina_cs; filenames may vary, as threat actors can easily modify the name of the malicious file.

Malware Functionality
Initialization
Upon execution, FIRESTARTER accesses its own binary located at /usr/bin/lina_cs on the device [T1036.005] and copies its contents into memory. It then registers a callback function that triggers when the program receives any of the following termination-related signals [T1546.004]:
- SIGTERM
- SIGINT
- SIGQUIT
- SIGABRT
- SIGHUP
- SIGTSTP

After copying itself into the heap and updating the signal handlers, the shell executor initiates the following sequential commands:
rm /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST 2>/dev/null
cp /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST.tmp /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST 2>/dev/null
chmod 755 /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST 2>/dev/null
chown --reference=/opt/
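As an added example (not CISA's or the NCSC's published YARA rules, which this page does not reproduce), the Python below performs the kind of string-level triage the report recommends against a disk image or core dump: it consumes the file in fixed-size reads, carries an overlap so an indicator split across two reads is still matched exactly once, and scores hits on the binary path and CSP_MOUNT_LIST command lines quoted above. The regexes, the verdict thresholds and the sample buffer are this example's own constructions; runtime-built or obfuscated strings are missed, and because CSP_MOUNT_LIST is a legitimate platform file, a hit is a prompt for analyst review rather than a verdict.

```python
import re

OVERLAP = 512  # bytes carried between reads; longer than any single match below

# Indicator strings quoted in the report: the path the analysed sample ran from
# (the report notes the filename may vary), the platform mount list it replaces
# from a .tmp copy, and an rm/cp/chmod/chown command line, stored as a C string,
# acting on that file. Each pattern has a fixed end so no match is counted twice.
PATTERNS = {
    "binary_path": re.compile(rb"/usr/bin/lina_cs"),
    "mount_list": re.compile(rb"/opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST"),
    "mount_list_cmd": re.compile(
        rb"(?:^|[\x00\n;&|])\s*(?:rm|cp|chmod|chown)\s[^\x00\n]{0,200}?CSP_MOUNT_LIST"),
}


def scan_bytes(data: bytes) -> dict:
    """Count each indicator in a buffer that fits in memory."""
    return {name: len(pat.findall(data)) for name, pat in PATTERNS.items()}


def scan_blocks(blocks, overlap: int = OVERLAP) -> dict:
    """Scan an iterable of byte blocks, e.g. iter(lambda: f.read(4 << 20), b""),
    carrying `overlap` trailing bytes forward so a string split across two reads
    is still seen; a match ending inside the carried tail was counted already."""
    totals = dict.fromkeys(PATTERNS, 0)
    tail = b""
    for block in blocks:
        buf = tail + block
        for name, pat in PATTERNS.items():
            totals[name] += sum(1 for m in pat.finditer(buf) if m.end() > len(tail))
        tail = buf[-overlap:]
    return totals


def assess(hits: dict) -> str:
    """Triage verdict only: the known path plus the command lines is strongest,
    but any hit on the mount list still needs analyst review."""
    if hits["binary_path"] and hits["mount_list_cmd"]:
        return "high"
    return "review" if any(hits.values()) else "none"


# Constructed stand-in for a core dump's string region; not real device data.
SAMPLE_DUMP = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"/usr/bin/lina\x00SIGTERM\x00"
    + b"/usr/bin/lina_cs\x00"
    + b"rm /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST 2>/dev/null\x00"
    + b"cp /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST.tmp "
    b"/opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST 2>/dev/null\x00"
    + b"chmod 755 /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST 2>/dev/null\x00"
)
CLEAN_DUMP = b"\x7fELF" + b"\x00" * 32 + b"/usr/bin/lina\x00"
```

Running scan_bytes(SAMPLE_DUMP) yields one path hit, four mount-list hits and three command-line hits, which assess() rates "high"; the same totals come back from scan_blocks when the buffer is fed in small reads.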
Indicators of Compromise
- cve — CVE-2025-20333
- cve — CVE-2025-20362
- malware — FIRESTARTER
- malware — LINE VIPER