

Ethical Hacking News

Cisco Firepower Devices Compromised by Persistent Malware: A Growing Threat to Enterprise Security



A custom-built malware known as Firestarter has been found to persist on Cisco Firepower and Secure Firewall devices even after installing security patches. The backdoor was first detected in early September 2025 and has since evaded detection by multiple cybersecurity agencies, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.K. National Cyber Security Center (NCSC). Despite this, organizations are urged to take immediate action to protect themselves against this persistent threat.

  • Cybersecurity experts have identified a custom malware known as Firestarter that evades detection on Cisco Firepower and Secure Firewall devices.
  • The malware persists on these devices even after installing security patches, posing a significant threat to organizations using these systems.
  • Firestarter exploits a vulnerability in the LINA process to maintain persistence across reboots, firmware updates, and security patches.
  • The malware modifies an XML handler to inject shellcode into memory, creating a controlled execution path for attacker-supplied payloads.
  • Cybersecurity agencies are urging organizations to take immediate action to protect themselves against this persistent backdoor, including reimaging and upgrading devices with the latest fixed releases.



Cybersecurity experts have been sounding the alarm about a custom malware known as Firestarter that has managed to evade detection on Cisco Firepower and Secure Firewall devices. Although the malware has been attributed to a threat actor tracked internally by Cisco Talos, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.K. National Cyber Security Center (NCSC) have confirmed that it persists on these devices even after security patches are installed.

The Firestarter backdoor was first detected in early September 2025, when CISA observed the threat actor using Line Viper malware to establish VPN sessions and access configuration details on compromised Firepower devices. What is particularly concerning about this attack is that the Firestarter backdoor remains on these devices even after patching.

Firestarter's persistence mechanism exploits a vulnerability in LINA, the core Cisco ASA process, hooking into it so that the backdoor survives reboots, firmware updates, and security patches. According to Cisco Talos, the persistence mechanism is triggered when the process receives a termination signal, which is what happens during a graceful reboot.

The Firestarter backdoor has also been observed modifying an XML handler to inject shellcode into memory, creating a controlled execution path. The shellcode is triggered by a specially crafted WebVPN request: it validates a hardcoded identifier, then loads and executes attacker-supplied payloads directly in memory.

While CISA did not provide details on the specific payloads observed in attacks, the agency has shared two YARA rules that detect the Firestarter backdoor when applied to a disk image or a core dump from a device. Cisco has also published a security advisory containing mitigations and workarounds for removing the persistence mechanism, as well as indicators of compromise.

The vendor recommends reimaging and upgrading the device using the fixed releases, for both compromised and non-compromised devices. For administrators who cannot currently reimage the device, a cold restart (disconnecting the device's power) can remove the malware; however, this alternative is not recommended because it carries a significant risk of database or disk corruption that can lead to boot problems.

In light of this developing threat, cybersecurity agencies are urging organizations that use Cisco Firepower and Secure Firewall devices to take immediate action to protect themselves against this persistent backdoor. This includes running the 'show kernel process | include lina_cs' command on affected devices to determine whether they have been compromised, reimaging and upgrading the device using the latest fixed releases, and implementing additional security controls to prevent similar attacks in the future.
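A fleet-wide version of that check, as an added example that is not code from the article, from Cisco, or from CISA: it takes saved CLI captures of 'show kernel process | include lina_cs' from several devices and reports which ones show the lina_cs indicator. The hostnames, prompts and process-line layout below are constructed and assumed, not taken from Cisco documentation; the parser matches only the lina_cs substring, as the CLI's include filter does, and skips the echoed command line, which contains the same string and would otherwise produce a false positive on every device.

```python
"""Fleet triage for the Firestarter 'lina_cs' indicator (added example).

Parses saved output of `show kernel process | include lina_cs` captured
from many Cisco Firepower / Secure Firewall devices and reports which
devices show a lina_cs process entry. Hostnames, prompts and the process
line layout used here are constructed/assumed, not taken from Cisco docs.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

INDICATOR = "lina_cs"
COMMAND = "show kernel process | include " + INDICATOR

# Lines that are just the echoed command (optionally behind a "host#" or
# "host>" prompt). They contain the indicator string but are not evidence.
_ECHO_RE = re.compile(r"(?:^|[#>]\s*)" + re.escape(COMMAND) + r"\s*$")
# A bare prompt line such as "fw-edge-01#" with nothing after it.
_PROMPT_RE = re.compile(r"^\S+[#>]\s*$")


@dataclass
class TriageResult:
    hostname: str
    compromised: bool
    evidence: List[str] = field(default_factory=list)


def find_indicator(capture: str) -> List[str]:
    """Return the process lines in one capture that contain 'lina_cs'.

    Substring matching mirrors the CLI's `| include` filter; echoed
    command lines and bare prompts are skipped so the filter's own
    argument does not count as a hit.
    """
    hits = []
    for raw in capture.splitlines():
        line = raw.strip()
        if not line or _ECHO_RE.search(line) or _PROMPT_RE.match(line):
            continue
        if INDICATOR in line:
            hits.append(line)
    return hits


def triage_fleet(captures: Dict[str, str]) -> List[TriageResult]:
    """Evaluate every device capture; a device with any hit is flagged.

    Per the article, a lina_cs process indicates the Firestarter
    persistence mechanism, which survives patching, so this check
    belongs in post-patch verification as well as initial triage.
    """
    results = []
    for host, capture in captures.items():
        evidence = find_indicator(capture)
        results.append(TriageResult(host, bool(evidence), evidence))
    return results


def report(results: List[TriageResult]) -> List[str]:
    """One human-readable line per device; flagged devices listed first."""
    ordered = sorted(results, key=lambda r: (not r.compromised, r.hostname))
    return [
        f"{'FLAG ' if r.compromised else 'ok   '}{r.hostname}"
        + (f"  ({len(r.evidence)} lina_cs line(s))" if r.compromised else "")
        for r in ordered
    ]


# Constructed sample captures (not real device output).
SAMPLE_CAPTURES = {
    "fw-edge-01": (
        "fw-edge-01# show kernel process | include lina_cs\n"
        "fw-edge-01#\n"
    ),
    "fw-edge-02": (
        "fw-edge-02# show kernel process | include lina_cs\n"
        "  4421  0.0  0.3  lina_cs\n"
        "fw-edge-02#\n"
    ),
    # Operator pasted only the command line; no process output at all.
    "fw-dc-03": "show kernel process | include lina_cs\n",
}

if __name__ == "__main__":
    for line in report(triage_fleet(SAMPLE_CAPTURES)):
        print(line)
```

Because the article stresses that the backdoor survives patching, the same captures should be collected again after the fixed release is installed; any device that still produces a hit is handled per the vendor advisory (reimage and upgrade) rather than treated as fixed by the patch alone.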

The emergence of this sophisticated malware highlights the ongoing cat-and-mouse game between threat actors and cybersecurity professionals. As new vulnerabilities are discovered, it is essential for organizations to remain vigilant and proactive in their approach to security.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Cisco-Firepower-Devices-Compromised-by-Persistent-Malware-A-Growing-Threat-to-Enterprise-Security-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/firestarter-malware-survives-cisco-firewall-updates-security-patches/

  • https://thehackernews.com/2026/04/firestarter-backdoor-hit-federal-cisco.html

  • https://digitalwarfare.com/cisco-firewall-breach-shows-how-firestarter-malware-can-survive-patching-and-keep-attackers-inside-critical-networks/


  • Published: Fri Apr 24 17:31:12 2026 by llama3.2 3B Q4_K_M

© Ethical Hacking News. All rights reserved.