Firestarter survives Cisco firewall updates
- A report summarized warnings that the Firestarter backdoor can persist on Cisco Firepower and Secure Firewall appliances even after patches and updates.
- The analysis links attribution to Cisco Talos and warns of appliance-level persistence that evades standard update cycles.
- For EHR vendors, this underlines infrastructure persistence risks that amplify as front-office automation touches more networked systems. (prsol.cc)
A Cisco firewall is supposed to be the thing that keeps attackers out. This story is about what happens when the firewall itself becomes the foothold. Cisco Talos and CISA said in late April 2026 that a backdoor called FIRESTARTER can remain on some Cisco Secure Firewall devices even after administrators install the fixed software releases meant to stop the original intrusion.

### What actually changed?

The new part is not just "attackers are hitting Cisco gear again." Cisco and CISA say the ArcaneDoor operator, tracked by Talos as UAT-4356, developed a persistence technique that survives an upgrade to the fixed releases Cisco published in September 2025. CISA updated Emergency Directive 25-03 on April 23, 2026, because patching alone was no longer sufficient for devices that had already been compromised.

### What is FIRESTARTER?

FIRESTARTER is a backdoor implanted on Cisco ASA and FTD appliances that run on FXOS-based hardware. Once in place, it gives the operator remote access and the ability to execute arbitrary code inside the LINA process, the core process that implements the firewall functionality on these appliances. Talos also reports that the malware overlaps with capabilities seen in RayInitiator's stage-3 shellcode, which ties it to the same broader tradecraft family.

### How did the attackers get in?

Talos says UAT-4356 exploited two known vulnerabilities, CVE-2025-20333 and CVE-2025-20362, to gain unauthorized access to vulnerable devices. Those bugs were already serious enough that CISA issued an emergency directive on September 25, 2025, and added both to the Known Exploited Vulnerabilities catalog. The catch is that closing the entry point does not evict malware that has already landed: a device patched after the implant arrived is patched and compromised at the same time.

### Why does the backdoor survive updates?

Because the persistence sits below the layer administrators normally think of as "the firewall software." Talos says the attacker manipulated the Cisco Service Platform mount list (CSP_MOUNT_LIST) so that FIRESTARTER is executed during the device's boot sequence. Cisco's event response page says this persistence mechanism lives in the FXOS base operating system, which is why it can be preserved across an upgrade of the ASA or FTD software to a fixed release: the fix addresses the application software, while the hook lives a layer beneath it.

### Does it survive every reboot?

Not quite, and this detail matters. Talos describes the persistence as transient. During a graceful reboot, FIRESTARTER copies itself back into place, runs, and then cleans up after itself by restoring the original mount list and removing the trojanized copy from disk. A hard reboot, for example fully removing power from the device, effectively removes the implant. That is unusual enough to change the remediation playbook, and it also shapes the forensics: a mount list or disk image captured after the implant has cleaned up can look pristine, so the absence of on-disk evidence at steady state is not evidence of a clean device. Removing power clears the running implant, but it does not undo anything the operator did while resident, so a device that was exposed should still be treated as compromised until it has been assessed.

### Why is CISA involved so directly?

Because at least one federal civilian agency had a compromised Cisco firewall, and the risk was high enough to justify an emergency directive. CISA's April 23 update added new required actions and reporting for federal agencies, and Cisco's own response page says the actor has also expanded targeting beyond the earlier ASA 5500-X focus to devices running ASA or FTD software more broadly. That turns this from a niche appliance issue into a perimeter-security problem with a wider blast radius.

### Why should non-federal organizations care?

Because the lesson is bigger than one malware family. Perimeter appliances are trusted, highly privileged, and often under-monitored compared with servers and laptops. If an attacker can live in the firewall's lower layers, normal patching and version checks give a false sense of safety. That is exactly why Cisco and CISA are pushing not just upgrades but compromise assessment, hunting, and device-specific cleanup steps: the version string tells you the entry point is closed, not that the device is clean.

### Bottom line

This is a persistence story, not just a vulnerability story.
The news is that FIRESTARTER can outlast the obvious fix on affected Cisco firewall platforms, which means defenders have to think like incident responders, not just patch managers. If a device was exposed before the fixes went in, “updated” may not mean “clean.”
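The hunting logic implied by the persistence and reboot sections above, written out as an added example for this article (it is not Cisco, Talos or CISA code and does not use any of their tooling). It assumes a hypothetical line-oriented `name=path` layout for the mount list and hypothetical paths; the real CSP_MOUNT_LIST format is not described on this page, and captures would in practice come from Cisco's documented forensic procedures. The point it demonstrates is the timing caveat: the same baseline diff flags drift in a boot-phase capture and shows nothing in a steady-state capture, so a missing boot-phase capture has to be reported as inconclusive rather than clean.

```python
"""Baseline-drift hunt for boot-time mount-list tampering.

Added example for this article; it is not Cisco, Talos or CISA code. The
"name=path" mount-list layout and every path below are hypothetical
placeholders constructed for illustration, not the real CSP_MOUNT_LIST format.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical known-good mount list, taken (in this example) from a device
# before it was ever exposed. Constructed data, not a real FXOS file.
BASELINE = """\
app=/opt/csp/applications/asa
lib=/opt/csp/lib
data=/mnt/disk0
"""

Finding = Tuple[str, str, str]  # (kind, entry name, observed path)


@dataclass(frozen=True)
class Snapshot:
    phase: str        # "boot" (captured during the boot sequence) or "steady"
    mount_list: str   # raw mount-list text captured at that moment


def parse_mount_list(text: str) -> Dict[str, str]:
    """Parse the hypothetical name=path layout; blank and '#' lines are ignored."""
    entries: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected name=path, got {raw!r}")
        name, path = line.split("=", 1)
        entries[name.strip()] = path.strip()
    return entries


def diff_mount_list(baseline: str, observed: str) -> List[Finding]:
    """Entries added, changed or removed relative to the known-good baseline."""
    base, obs = parse_mount_list(baseline), parse_mount_list(observed)
    findings: List[Finding] = []
    for name, path in obs.items():
        if name not in base:
            findings.append(("added", name, path))
        elif base[name] != path:
            findings.append(("changed", name, path))
    for name, path in base.items():
        if name not in obs:
            findings.append(("removed", name, path))
    return findings


def hunt(snapshots: List[Snapshot], baseline: str = BASELINE) -> Dict[str, List[Finding]]:
    """Diff every capture against the baseline, keyed by capture phase."""
    return {s.phase: diff_mount_list(baseline, s.mount_list) for s in snapshots}


def verdict(results: Dict[str, List[Finding]]) -> str:
    """Turn per-phase findings into a triage label.

    The article says the implant restores the original mount list and removes
    its on-disk copy once it has run, so a clean steady-state capture only
    proves the device looked clean *after* cleanup. Without a boot-phase
    capture the result is inconclusive, not clean.
    """
    if any(results.values()):
        return "suspect"
    if "boot" not in results:
        return "inconclusive"
    return "no_drift_observed"


if __name__ == "__main__":
    # Constructed captures: the boot-phase list points the app entry at a
    # hypothetical staging path; the steady-state list has been restored.
    boot = Snapshot("boot", BASELINE.replace("/opt/csp/applications/asa",
                                             "/mnt/disk0/.staging/asa_loader"))
    steady = Snapshot("steady", BASELINE)
    print(hunt([boot, steady]))
    print(verdict(hunt([boot, steady])))   # suspect
    print(verdict(hunt([steady])))         # inconclusive
```

The design choice worth copying is the three-way verdict. A diff that only answers "drift or no drift" will report a restored mount list as clean; separating "no drift observed" from "inconclusive" forces the responder to obtain a capture from the phase in which the hook is actually present before closing the ticket.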