FIRESTARTER Backdoor on Cisco ASA: New APT Campaign Targets Network Perimeter Devices

CyberSecureFox

In September 2025, a U.S. civilian federal agency became the victim of a highly targeted network perimeter attack involving a compromised Cisco Firepower firewall running Adaptive Security Appliance (ASA) software. According to a joint advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC), the incident centered on a new stealthy backdoor dubbed FIRESTARTER, designed to persist on Cisco ASA and Firepower Threat Defense (FTD) devices.

Exploitation of Cisco ASA and FTD: From Known CVEs to a Stealth Backdoor

CISA and NCSC assess that FIRESTARTER is being deployed as part of a large-scale advanced persistent threat (APT) campaign targeting the firmware of Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) platforms. The attackers initially leveraged already-patched vulnerabilities, including CVE-2025-20333 and CVE-2025-20362, previously observed in the ArcaneDoor campaign, to gain privileged access to exposed edge devices.

Cisco tracks this malicious activity under the identifier UAT4356 (Storm-1849). Analysis by the Censys platform in 2024 suggested potential links to operators aligned with China, although formal attribution remains inconclusive. In ArcaneDoor, the same threat actors deployed custom tooling to intercept network traffic and conduct covert reconnaissance inside victim networks, highlighting a clear focus on compromising perimeter security appliances as strategic footholds.

LINE VIPER Toolkit: Post-Exploitation Control of Cisco Firepower

After successful exploitation of vulnerable services, the attackers deployed a post-exploitation toolkit known as LINE VIPER to the compromised Cisco Firepower appliance. This toolkit provides extensive operational control, enabling the threat actor to:

— Remotely execute CLI commands on the device,
— Capture network packet traces for traffic inspection,
— Bypass VPN authentication, authorization and accounting (AAA) controls for attacker-owned devices,
— Suppress critical syslog messages to hinder detection,
— Intercept and monitor administrator-issued commands,
— Schedule delayed reboots of the firewall appliance.

This elevated access layer was then used as a conduit to deploy the more sophisticated and persistent FIRESTARTER implant. Investigators determined that the backdoor had been present on the device since at least 25 September 2025 and was actively used to maintain long-term access.

FIRESTARTER: Persistent Linux Implant for Cisco ASA and Firepower

FIRESTARTER is a Linux ELF binary engineered specifically for long-lived persistence on Cisco ASA and FTD devices. Unlike typical malware that disappears after a reboot, the implant:

— Survives standard reboots and routine firmware upgrades,
— Integrates into the device boot sequence by modifying mount configurations at startup,
— Automatically activates on every normal device restart.

The implant is only fully removed through a cold restart — a complete power-off and power-on cycle. Standard CLI commands such as reload, shutdown, or reboot are insufficient. Architecturally, FIRESTARTER shares characteristics with the previously documented bootkit RayInitiator, suggesting code reuse or common development practices across related malware families targeting network edge infrastructure.

Hooking the LINA Engine and WebVPN-Based Backdoor Activation

A critical aspect of FIRESTARTER’s design is its attempt to inject a hook into LINA, the core software engine responsible for packet processing and security functions on Cisco ASA devices. By intercepting normal LINA execution, the implant can introduce attacker-controlled logic and execute arbitrary shellcode.

According to CISA and Cisco, this mechanism allows APT operators to deliver and run arbitrary payloads, including reloading the LINE VIPER toolkit on demand. Cisco describes FIRESTARTER as a backdoor activated via specially crafted WebVPN authentication requests containing a so-called "magic packet." When LINA processes such requests, it triggers execution of the embedded malicious code.

Crucially, even after administrators apply the official patches for CVE-2025-20333 and CVE-2025-20362, any device already infected with FIRESTARTER remains compromised. Firmware updates do not automatically remove the implant, underscoring the need for deeper remediation steps than simple patching.

Cisco Guidance: Reimaging, Cold Restart and Configuration Hygiene

Cisco strongly recommends that organizations reimage and upgrade affected devices once compromise is suspected or confirmed, treating all configuration elements as potentially untrusted. This includes validating access lists, VPN profiles, AAA settings, and any custom scripts or scheduled tasks, restoring only from known-good, offline backups where possible.

Before full reimaging, Cisco advises performing a physical power cycle to evict the active FIRESTARTER implant from memory. Administrators must disconnect and reconnect the power cable; no CLI-based reload is sufficient. Only after a cold restart and subsequent reimage can organizations reasonably assume the device is free of the persistent backdoor.

Chinese SOHO Router and IoT Botnets: A Broader APT Strategy

The disclosure of technical details on FIRESTARTER coincides with a multinational warning from the U.S., UK and partners about large botnets built from compromised SOHO routers and IoT devices, allegedly leveraged by China-linked groups for operational cover and plausible deniability.

State-sponsored actors such as Volt Typhoon and Flax Typhoon are reported to assemble botnets from home routers, CCTV systems, DVRs and other poorly secured IoT equipment. These networks are then used to target critical infrastructure and conduct cyber-espionage under a “low-cost, low-risk, high-deniability” model.

Compounding the challenge, multiple Chinese APT groups may share the same proxy infrastructure, and new vulnerable devices are continuously added. Static IP blocklists quickly become outdated and have limited defensive value when used in isolation. Traffic from APT operators is frequently routed through chains of compromised SOHO routers acting as traversal nodes, with the final egress node often located in the same geographic region as the victim, complicating attribution and anomaly detection.

Together, the FIRESTARTER campaign and SOHO router botnets illustrate a clear strategic trend: state-sponsored groups are systematically targeting network edge devices — from consumer-grade routers to enterprise and government firewalls — to turn them into covert proxy infrastructure or long-term access points into sensitive environments. Organizations of all sizes should harden their perimeter by keeping Cisco ASA/FTD and SOHO router firmware current, performing regular cold restarts of suspicious devices, monitoring for anomalous VPN sessions and suppressed logging, and implementing network segmentation and Zero Trust principles. A structured audit of network appliances, combined with adherence to vendor and national CERT guidance, significantly reduces the likelihood that your infrastructure becomes part of an APT-controlled botnet or a persistent foothold like FIRESTARTER.
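Two of the monitoring items above, suppressed syslog and intercepted administrator commands, can be turned into simple checks over a log collector's view of an ASA. The following is an added example, not code from the CISA/NCSC advisory or from Cisco: the syslog lines are constructed, the timestamp/host prefix format, hostnames, usernames, allow-list and 15-minute silence threshold are assumptions, and only the message IDs (111008, 302013) are real ASA identifiers.

```python
"""Flag syslog silence gaps and non-allow-listed admin commands in Cisco ASA logs.
Added illustrative example; sample lines are constructed, thresholds are assumptions."""
import re
from datetime import datetime, timedelta

# Constructed sample as a collector might store it (assumed "<ISO ts> <host> %ASA-<sev>-<id>: <text>").
# 111008 (user executed command) and 302013 (TCP connection built) are real ASA message IDs.
SAMPLE_LOGS = """\
2025-09-25T10:00:00 asa-edge-1 %ASA-6-302013: Built inbound TCP connection 1001 for outside:198.51.100.7/51234 (198.51.100.7/51234) to inside:10.0.0.5/443 (10.0.0.5/443)
2025-09-25T10:00:30 asa-edge-1 %ASA-5-111008: User 'netops' executed the 'show version' command.
2025-09-25T10:01:00 asa-edge-1 %ASA-6-302013: Built inbound TCP connection 1002 for outside:198.51.100.8/51235 (198.51.100.8/51235) to inside:10.0.0.5/443 (10.0.0.5/443)
2025-09-25T10:47:00 asa-edge-1 %ASA-6-302013: Built inbound TCP connection 1003 for outside:198.51.100.9/51236 (198.51.100.9/51236) to inside:10.0.0.5/443 (10.0.0.5/443)
2025-09-25T10:47:10 asa-edge-1 %ASA-5-111008: User 'svc_tmp' executed the 'capture cap1 interface inside' command.
"""

LINE_RE = re.compile(r"^(\S+) (\S+) %ASA-(\d)-(\d{6}): (.*)$")
CMD_RE = re.compile(r"User '([^']+)' executed the '([^']+)' command")

def parse(text):
    """Parse collector lines into event dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, sev, msgid, msg = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "sev": int(sev), "id": msgid, "msg": msg})
    return events

def silence_gaps(events, max_gap=timedelta(minutes=15)):
    """Return (host, last_seen, next_seen) for every silence longer than max_gap.
    An edge firewall that normally logs constantly and then goes quiet is a
    candidate for suppressed syslog and deserves a look at the device itself."""
    gaps, last = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        prev = last.get(e["host"])
        if prev and e["ts"] - prev > max_gap:
            gaps.append((e["host"], prev, e["ts"]))
        last[e["host"]] = e["ts"]
    return gaps

def unexpected_commands(events, allowed_users):
    """Return (user, command) for 111008 events whose user is not on the allow-list."""
    hits = []
    for e in events:
        if e["id"] == "111008":
            m = CMD_RE.search(e["msg"])
            if m and m.group(1) not in allowed_users:
                hits.append((m.group(1), m.group(2)))
    return hits
```

A real deployment would baseline each device's normal message rate instead of a fixed threshold, and would alert on the absence of expected periodic messages as well as on gaps.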
