Firestarter Backdoor Persists on Cisco Firewalls After Patching
U.S. and U.K. cybersecurity agencies warned that a previously undisclosed backdoor dubbed Firestarter compromised at least one unnamed U.S. Federal Civilian Executive Branch agency and may be part of a broader campaign targeting government and critical national infrastructure networks. The malware affects Cisco Secure Firewall devices running ASA or FTD software, and Cisco Talos linked the activity to threat cluster UAT-4356, which is assessed as likely government-backed. Investigators said the actor likely gained initial access by exploiting CVE-2025-20333 and/or CVE-2025-20362, then deployed the Line Viper shellcode loader before installing Firestarter.
Firestarter is notable for maintaining persistence even after reboots, firmware upgrades, and security patches by hooking into Cisco’s LINA process, altering boot and mount behavior, and relaunching if terminated. CISA, the U.K. NCSC, and Cisco published indicators of compromise, YARA-based memory analysis guidance, and mitigation advice, warning that software updates alone may not remove the implant. Cisco strongly recommended reimaging affected devices and upgrading to fixed releases, while authorities urged organizations to collect forensic evidence and report suspected compromises.

How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
Samsung MagicINFO and D-Link DIR-823X flaws tied to Mirai activity
Active exploitation was also identified for Samsung MagicINFO 9 Server flaw CVE-2024-7399 and D-Link DIR-823X command injection flaw CVE-2025-29635. Reporting cited in the coverage linked both vulnerabilities to Mirai botnet activity.
SimpleHelp vulnerabilities used as precursors to ransomware attacks
Reporting cited by CISA indicated that the SimpleHelp flaws CVE-2024-57726 and CVE-2024-57728 had already been actively exploited, including as precursors to ransomware intrusions attributed to DragonForce. The two bugs can be chained to escalate privileges and achieve full server compromise.
CISA sets May 8 deadline for federal remediation or device removal
CISA directed Federal Civilian Executive Branch agencies to remediate the newly listed KEV vulnerabilities by May 8, 2026, and advised discontinuing use of the end-of-life D-Link DIR-823X if it could not be secured. The agency also urged organizations to apply vendor fixes, monitor for suspicious activity, and disconnect vulnerable SimpleHelp systems if mitigations were unavailable.
CISA adds four actively exploited flaws to the KEV catalog
On April 24, 2026, CISA added CVE-2024-57726 and CVE-2024-57728 in SimpleHelp, CVE-2024-7399 in Samsung MagicINFO 9 Server, and CVE-2025-29635 in D-Link DIR-823X routers to its Known Exploited Vulnerabilities catalog. The agency cited evidence of active exploitation for all four vulnerabilities.
Cisco and CISA publish Firestarter mitigations and detection guidance
Alongside the Firestarter disclosure, Cisco and CISA released indicators of compromise, YARA-based detection guidance, and mitigation advice. Cisco strongly recommended reimaging affected devices and upgrading to fixed releases because the malware can survive reboots, updates, and patches.
CISA and NCSC disclose Firestarter malware campaign
On April 24, 2026, CISA and the U.K. NCSC publicly warned about the previously unknown Firestarter backdoor affecting Cisco ASA and FTD devices and said it had compromised at least one unnamed U.S. federal agency. The agencies assessed the activity could be part of a broader campaign targeting government and critical national infrastructure networks.
Cisco flaws exploited to breach a U.S. federal agency firewall
In an incident investigated by CISA and partners, a threat actor later tracked as UAT-4356 gained initial access to a U.S. Federal Civilian Executive Branch agency by exploiting CVE-2025-20333 and/or CVE-2025-20362 on a Cisco Firepower device running ASA software. The actor deployed the Line Viper shellcode loader and then installed the Firestarter backdoor.
Firestarter access persisted through March 2026 despite patching
In the federal civilian agency intrusion, attackers retained or regained access to the compromised Cisco ASA/FTD device through March 2026 even after patches were deployed. The case showed roughly six months of dwell time and demonstrated that Firestarter persistence could survive normal remediation short of hard power cycling or full reimaging.
Microsoft links ArcaneDoor activity to Storm-1849
Coverage of the Firestarter/ArcaneDoor campaign said Cisco Talos attributed the activity to UAT-4356 and that Microsoft tracks the same China-nexus actor as Storm-1849. This added a new attribution detail to the campaign affecting Cisco ASA and FTD devices.
Firestarter implant deployed on federal Cisco device by late September 2025
CISA said attackers had installed the Firestarter backdoor on a Cisco security appliance protecting a U.S. federal civilian agency before the end of September 2025. The intrusion also involved the Line Viper shellcode loader, with Firestarter used to maintain persistent access.
Sources
Uncovering FIRESTARTER: Ongoing Cisco ASA Compromise Despite Patch Deployment, Criminal IP, OSINT Team, May 2026 (osintteam.blog)
Deep Dive into FIRESTARTER: Persistent Backdoor on Cisco ASA & Firepower Devices, SecPod Blog (secpod.com)
FIRESTARTER: Cisco ASA Backdoor, TheCyberThrone (thecyberthrone.in)
CISA Warns of Multiple SimpleHelp Vulnerabilities Exploited in Attack (cybersecuritynews.com)
CISA, NCSC issue Firestarter backdoor warning, The Register (go.theregister.com)
Firestarter malware survives Cisco firewall updates, security patches (bleepingcomputer.com)
CISA Hunts for Cisco Backdoor Spotted on Federal Network (bankinfosecurity.com)
Cisco firewalls at risk from Firestarter bug: CISA, SDxCentral (sdxcentral.com)