New Linux FIRESTARTER Backdoor Targets Cisco Firepower Devices
CISA and NCSC warn of the FIRESTARTER Linux backdoor targeting Cisco Firepower devices, with persistence that survives patching.
Summary
CISA and the UK NCSC jointly disclosed FIRESTARTER, a Linux-based ELF backdoor targeting Cisco Firepower and Secure Firewall devices. The malware exploits CVE-2025-20333 and CVE-2025-20362 to establish persistence via inline hooking, and critically, survives firmware updates and reboots unless the device undergoes a hard power cycle. The threat has been actively maintained by APT actors since at least September 2025, with recent access attempts detected as of March 2026.
Full text
CISA and NCSC warn that FIRESTARTER, a Linux-based backdoor, targets Cisco Firepower devices, evades patches, and enables persistent access even after firmware updates.
By Deeba Ahmed, April 28, 2026

The US Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) released a joint malware analysis report on 23 April 2026 regarding a dangerous new threat: a Linux-based ELF file called FIRESTARTER. This malware is, reportedly, the current favourite of Advanced Persistent Threat (APT) actors, as it allows them to maintain persistence on Cisco Firepower and Secure Firewall devices running firmware such as Adaptive Security Appliance/ASA (software that handles basic firewall and VPN tasks) or Firepower Threat Defense/FTD (an advanced firewall system that combines multiple security features).

Attack Details

The agencies detected this campaign in early September 2025. As per their research, initial access was gained by exploiting two known vulnerabilities in Cisco ASA and FTD: CVE-2025-20333 (a buffer overflow vulnerability that lets hackers crash the system or run malicious code) and CVE-2025-20362 (a missing authorization flaw that lets a user reach restricted areas without permission). Attackers then deployed LINE VIPER, a post-exploitation implant used to bypass authentication and set up illegitimate VPN sessions to control the network. FIRESTARTER was installed at this stage to serve as a backdoor. A specific sample of this malware was found on a compromised device under the filename lina_cs.

“FIRESTARTER is a Linux Executable and Linkable File (ELF) designed to execute on Cisco Firepower and Secure Firewall devices, serving as a C2 channel for remote access and control… CISA identified suspicious connections on one U.S. FCEB agency’s Cisco Firepower device running ASA software. CISA notified and validated the true positive finding with agency personnel and initiated a forensic engagement. During the engagement, CISA discovered one malware sample named FIRESTARTER on the Firepower device,” the report (PDF) reads.

This backdoor operates through inline hooking (a method where the malware intercepts a legitimate system function and redirects it to malicious code) within LINA, the central engine the device uses for network processing. This means the malware sits between the system and its instructions, modifying data in real time. By modifying the XML Handler element table in the device’s memory, the hackers can intercept or modify normal operations to execute their own shellcode remotely whenever a specific request is sent to the device.

Why is patching not enough

A critical finding is that traditional security fixes are failing against FIRESTARTER because it “is not removed by firmware updates,” the agencies noted. This means that even if a company patches the original vulnerabilities, the persistence mechanism remains active. Also, FIRESTARTER can detect when it is being shut down and reloads itself, so it can survive both reboots and system updates. In some cases that experts observed, the hackers used this access to return to compromised systems as recently as March 2026.

“The malware achieves persistence by detecting termination signals and relaunching itself, and it can survive firmware updates and device reboots unless a hard power cycle occurs,” the report concludes.

CISA and the NCSC are urging organisations to use YARA rules to scan their systems for signs of infection. To fully remove the threat, the agencies suggest a hard power cycle, which involves physically unplugging the device from all power sources for at least one minute to clear the malware from volatile memory. CISA also updated Emergency Directive 25-03 with new instructions for federal agencies, requiring them to collect core dumps (snapshots of the device’s memory) and submit them for analysis to check for the presence of the lina_cs file.

Expert’s Comments

“Edge infrastructure should be treated as a long-term intelligence problem, not just patching. When attackers compromise internet-facing firewalls, they gain a high-value control point in the network. Persistence mechanisms like FIRESTARTER are dangerous because they can survive routine fixes and allow attackers to regain access later,” said Eli Woodward, Cyber Threat Intelligence Advisor at Team Cymru. “Organizations need continuous visibility into perimeter devices and external activity, since internal signs may appear only after the attacker is already established,” Eli cautioned.
Indicators of Compromise
- malware — FIRESTARTER
- malware — LINE VIPER
- cve — CVE-2025-20333
- cve — CVE-2025-20362
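The report asks defenders for two things the article describes in prose: check core dumps for the lina_cs file name, and treat a process that relaunches right after being terminated as a persistence signal. The following Python script is an added example written for this page; it is not code from CISA, the NCSC, Cisco or Hackread and does not reproduce the agencies' YARA rules. It runs over two constructed inputs: printable strings as `strings` would pull them from a core dump, and a hypothetical process-event log whose field layout is an assumption made for the example, not a Cisco log format. Only the file name lina_cs comes from the page; every path and timestamp is made up.

```python
"""Triage helper for the FIRESTARTER indicators described in the CISA/NCSC report.

Added example, not the agencies' or the vendor's code. Both inputs below are
CONSTRUCTED samples; the file name "lina_cs" is the indicator from the report,
everything else (paths, timestamps, the event-log layout) is illustrative.
"""
import re
from datetime import datetime, timedelta

# Indicator from the report: file name of the sample found on the compromised device.
IOC_FILENAMES = ("lina_cs",)

# Constructed sample of `strings` output over a core dump. Not real data.
SAMPLE_STRINGS = """\
/lib64/ld-linux-x86-64.so.2
libc.so.6
/ngfw/var/sf/lina_cs
GLIBC_2.2.5
/etc/init.d/lina_cs_helper
""".splitlines()

# Constructed sample of a hypothetical process-event log. The "ts pid= name= event= signal="
# layout is an assumption for this example, not a Cisco log format.
SAMPLE_EVENTS = """\
2026-03-02T10:14:00Z pid=4100 name=lina event=start
2026-03-02T10:14:03Z pid=4121 name=lina_cs event=exit signal=SIGTERM
2026-03-02T10:14:04Z pid=4188 name=lina_cs event=start
2026-03-02T11:30:00Z pid=4200 name=sshd event=exit signal=SIGTERM
2026-03-02T12:45:10Z pid=4300 name=sshd event=start
""".splitlines()

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) name=(?P<name>\S+) "
    r"event=(?P<event>start|exit)(?: signal=(?P<sig>\S+))?$"
)
# Signals an operator or an upgrade would use to stop a process cleanly.
TERM_SIGNALS = {"SIGTERM", "SIGINT", "SIGHUP"}


def scan_strings(lines, iocs=IOC_FILENAMES):
    """Return (line_no, text) for every line that contains an IOC file name
    as a whole path component: "/ngfw/var/sf/lina_cs" hits, "lina_cs_helper" does not."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ioc in iocs:
            if re.search(rf"(^|/|\s){re.escape(ioc)}(?=/|\s|$)", line):
                hits.append((n, line.strip()))
                break
    return hits


def parse_event(line):
    """Parse one event line into a dict, or return None for lines that do not fit the layout."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
    d["pid"] = int(d["pid"])
    return d


def find_respawns(lines, window_seconds=10):
    """Flag any process name that starts again within window_seconds of exiting
    on a termination signal: the relaunch-after-termination pattern the report describes."""
    events = sorted((e for e in map(parse_event, lines) if e), key=lambda e: e["ts"])
    last_term_exit = {}  # name -> timestamp of its most recent signal-driven exit
    findings = []
    for e in events:
        if e["event"] == "exit" and e["sig"] in TERM_SIGNALS:
            last_term_exit[e["name"]] = e["ts"]
        elif e["event"] == "start":
            t = last_term_exit.get(e["name"])
            if t is not None and e["ts"] - t <= timedelta(seconds=window_seconds):
                findings.append((e["name"], t.isoformat(), e["ts"].isoformat()))
    return findings


def triage(strings_lines=SAMPLE_STRINGS, event_lines=SAMPLE_EVENTS):
    """Combine both checks into one result dict for a device."""
    return {"filename_hits": scan_strings(strings_lines), "respawns": find_respawns(event_lines)}


if __name__ == "__main__":
    result = triage()
    for n, text in result["filename_hits"]:
        print(f"core dump strings line {n}: IOC file name present: {text}")
    for name, exited, started in result["respawns"]:
        print(f"{name}: exited on signal at {exited}, back at {started}")
    if not (result["filename_hits"] or result["respawns"]):
        print("no indicators found")
```

Two points follow from the report rather than from the code: a hit in memory-resident strings is why the agencies want core dumps and not just a file-system listing, and a clean scan after a reboot proves little, since the report states only a hard power cycle clears the implant. The respawn window is deliberately short; a service manager restarting a daemon minutes later is normal, while a process that is back within seconds of a SIGTERM during an upgrade is the behaviour worth a closer look.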