
Cisco firewalls infected with the Firestarter backdoor need a cold start to remove the threat.

Key Points

What is changing

Security researchers discovered the Firestarter backdoor, which sits in Cisco ASA and Firepower firmware. It survives firmware updates and device reboots unless the device undergoes a full power cycle. The malware was inserted after exploitation of CVE‑2025‑20333 and CVE‑2025‑20362, before the vendor released patches.

Cisco Talos notes that the attacker group UAT‑4356, also tracked as Storm‑1849, deployed the LineViper loader to install a VPN and then added Firestarter to maintain command‑and‑control links. The malicious code watches for termination signals and automatically restarts, hiding itself from standard discovery tools.

Why it matters

This issue is most critical for network security teams that manage Cisco ASA or Firepower appliances. Even after the latest patches are installed, a compromised device can stay infected until a physical power cycle clears the malware from volatile memory. The risk is limited to environments that still run affected models – Firepower 1000, 2100, 4100, 9300, 1200, 3100, 4200 and Secure Firewall 1200, 3100, 4200 – but the damage can be extensive if attackers gain administrative credentials.

Admins should review audit logs for unexplained VPN sessions, run the provided YARA rules against core dumps or disk images, and perform the cold start procedure immediately if a compromise is suspected. Sharing deployment experiences or additional mitigation steps in the comments can help the community stay ahead of this threat.
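The audit-log review above, as an added triage example that is not Cisco's or Talos's code: it parses constructed ASA-style AnyConnect session-start messages and flags sessions that cannot be explained from a baseline. The message format, the baseline users, the expected source ranges and the working hours are all assumptions to be replaced with your own environment's values.

```python
import re
import ipaddress

# Assumed ASA syslog shape for an AnyConnect session start (message ID 113039);
# check it against your own device output before relying on the pattern.
SESSION_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-113039: "
    r"Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> IP <(?P<ip>[^>]+)> "
    r"AnyConnect parent session started\.$"
)

# Constructed sample log lines; not captured from any real device.
SAMPLE_LOG = """\
Jan 14 02:11:45 fw01 %ASA-6-113039: Group <RA-VPN> User <alice> IP <203.0.113.7> AnyConnect parent session started.
Jan 14 03:42:09 fw01 %ASA-6-113039: Group <RA-VPN> User <svc-backup> IP <198.51.100.23> AnyConnect parent session started.
Jan 14 09:15:30 fw01 %ASA-6-113039: Group <RA-VPN> User <bob> IP <203.0.113.9> AnyConnect parent session started.
Jan 14 10:01:02 fw01 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.9/51234 (203.0.113.9/51234) to inside:10.0.0.5/443 (10.0.0.5/443)
Jan 14 23:58:11 fw01 %ASA-6-113039: Group <RA-VPN> User <alice> IP <192.0.2.44> AnyConnect parent session started.
"""

# Assumed baseline: expected remote-access users, their usual source ranges, and local working hours.
KNOWN_USERS = {"alice", "bob"}
EXPECTED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]
WORK_HOURS = range(7, 20)


def parse_sessions(log_text):
    """Return one dict per session-start line; other message IDs are ignored."""
    sessions = []
    for line in log_text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            d = m.groupdict()
            d["hour"] = int(d["ts"].split()[2].split(":")[0])
            sessions.append(d)
    return sessions


def unexplained_sessions(log_text):
    """Flag sessions whose user, source range or time of day falls outside the baseline."""
    findings = []
    for s in parse_sessions(log_text):
        reasons = []
        if s["user"] not in KNOWN_USERS:
            reasons.append("unknown user")
        if not any(ipaddress.ip_address(s["ip"]) in net for net in EXPECTED_SOURCES):
            reasons.append("unexpected source")
        if s["hour"] not in WORK_HOURS:
            reasons.append("off-hours")
        if reasons:
            findings.append((s["user"], s["ip"], reasons))
    return findings
```

Each flagged session still needs a human explanation (a known travelling user, a scheduled job) before it is treated as evidence of compromise; the script only narrows what has to be reviewed.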
