CISA: Firestarter Backdoor Survives Cisco Patches on US Gov Firewalls
Federal agency confirmed breached via unpatched Cisco ASA flaws; a software reboot is not enough, and only a hard power cycle removes the persistent implant, which has redeployed its toolkit months after the initial patches.
WASHINGTON, D.C. — The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive following the discovery of a Firestarter malware infection within a U.S. federal agency. The backdoor, which CISA ties to the "LineRunner" malware family, has demonstrated an alarming capability: it survives standard firmware updates and software reboots on Cisco ASA and Firepower devices.
The breach underscores a significant evolution in the ArcaneDoor campaign, an operation attributed by Cisco Talos to the threat actor UAT-4356. Despite patches issued in September 2025, CISA warns that the implant can persist in a dormant state, redeploying its companion toolkit — Line Viper — as recently as March 2026.
Breach Audit: The Persistence Mechanism
Firestarter targets core networking code, injecting shellcode into LINA, the process that implements the ASA firewall and VPN functions. Its persistence comes from manipulating the Cisco Service Platform mount list: when the system shuts down or reboots, the implant copies itself to a hidden secondary location and rewrites the boot sequence so that it is restored at startup. Because that copy lives outside the software image an upgrade replaces, installing the patch and reloading the device does not remove it.
Vulnerability Context: The ArcaneDoor Legacy
The initial access points for this campaign were two critical vulnerabilities in the ASA and Firepower Threat Defense (FTD) VPN web server, patched in late 2025:
- CVE-2025-20333: A Remote Code Execution (RCE) flaw in the VPN web server. Improper validation of user-supplied input in HTTP(S) requests lets a remote attacker holding valid VPN credentials execute arbitrary code as root.
- CVE-2025-20362: A missing authorization check that lets an unauthenticated remote attacker reach restricted URL endpoints. Chained with CVE-2025-20333, it removes the credential requirement and yields unauthenticated code execution.
CISA’s investigation into the federal agency breach revealed that although the agency had applied these patches, the Firestarter implant had been established before they were installed. The pattern matches other high-profile vendor-appliance compromises: the vulnerability is merely the "door" and the persistent implant is the "resident," and closing the door after the resident has moved in does nothing. Patching therefore has to be paired with a check that the device was not already implanted when the patch went on.
The CyberSignal Analysis
Signal 01 — The Patching Paradox
Standard patching cycles assume that a clean firmware update replaces every malicious file on the device. Firestarter breaks that assumption by modifying the low-level platform mount lists, so its hidden copy is never overwritten. This forces a shift in firewall security best practice, from "patch and reboot" to "patch, hard power cycle, and verify," where "verify" means confirming after the power cycle that the device is running a fixed release, that the software image matches the vendor-published hash, and that the device actually restarted when you think it did.
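The "verify" step above is easy to hand-wave, so here is an added example (not code from the article, CISA or Cisco) of what an operator can script against the device's own `show version` output and a copy of the boot image. The `show version` text is constructed for the example; the minimum fixed release in `FIXED_BY_TRAIN` is a placeholder that must be taken from the Cisco advisory for CVE-2025-20333 / CVE-2025-20362 before use; and the image bytes and their SHA-512 are constructed stand-ins for the real image file and the hash Cisco publishes for it.

```python
"""Post-patch verification checks for a Cisco ASA (added example).

Assumptions, none of which come from the article: the fixed-release table
below is a placeholder to be filled from the Cisco advisory; the `show
version` text is constructed; the image bytes and hash are constructed.
"""
import hashlib
import re

# Placeholder: minimum fixed release per ASA train, keyed "major.minor".
# Confirm each entry against the Cisco advisory before relying on it.
FIXED_BY_TRAIN = {
    "9.20": (9, 20, 4, 10),
}

# Constructed `show version` output, not captured from a real device.
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.20(4)10
SSP Operating System Version 2.14(1.184)
Device Manager Version 7.20(2)

System image file is "disk0:/asa9-20-4-10-smp-k8.bin"
Config file at boot was "startup-config"

asa-edge01 up 3 mins 12 secs
"""

# Constructed stand-in for the image file and its vendor-published SHA-512.
SAMPLE_IMAGE = b"not a real ASA image; constructed for this example"
SAMPLE_IMAGE_SHA512 = hashlib.sha512(SAMPLE_IMAGE).hexdigest()

VERSION_RE = re.compile(r"Software Version (\d+)\.(\d+)\((\d+)\)(\d*)")
IMAGE_RE = re.compile(r'System image file is "([^"]+)"')
UPTIME_RE = re.compile(r"^\S+ up (.+)$", re.MULTILINE)
_UNIT_SECONDS = {"day": 86400, "hour": 3600, "min": 60, "sec": 1}


def parse_version(show_version: str) -> tuple:
    """Turn '9.20(4)10' into (9, 20, 4, 10) so releases compare as tuples."""
    m = VERSION_RE.search(show_version)
    if not m:
        raise ValueError("no 'Software Version' line found")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def is_fixed(version: tuple) -> bool:
    """True when the running release is at or past its train's fixed release."""
    train = f"{version[0]}.{version[1]}"
    fixed = FIXED_BY_TRAIN.get(train)
    if fixed is None:
        raise ValueError(f"no fixed release recorded for train {train}")
    return version >= fixed


def uptime_seconds(show_version: str) -> int:
    """Parse 'up 2 days 4 hours 1 min' style uptime into seconds."""
    m = UPTIME_RE.search(show_version)
    if not m:
        raise ValueError("no uptime line found")
    total = 0
    for count, unit in re.findall(r"(\d+)\s+([a-z]+)", m.group(1)):
        for prefix, secs in _UNIT_SECONDS.items():
            if unit.startswith(prefix):
                total += int(count) * secs
                break
    return total


def image_path(show_version: str) -> str:
    """Path of the image the device booted from, e.g. disk0:/asa...bin."""
    m = IMAGE_RE.search(show_version)
    if not m:
        raise ValueError("no 'System image file' line found")
    return m.group(1)


def sha512_matches(image: bytes, expected_hex: str) -> bool:
    """Compare the image bytes against the vendor-published SHA-512."""
    return hashlib.sha512(image).hexdigest() == expected_hex.lower()


def verify(show_version: str, image: bytes, expected_sha512: str,
           max_uptime_seconds: int = 900) -> dict:
    """Run the three checks; every value must be True to pass."""
    version = parse_version(show_version)
    return {
        "running_fixed_release": is_fixed(version),
        "restarted_recently": uptime_seconds(show_version) <= max_uptime_seconds,
        "image_hash_matches": sha512_matches(image, expected_sha512),
    }


if __name__ == "__main__":
    print(image_path(SAMPLE_SHOW_VERSION))
    print(verify(SAMPLE_SHOW_VERSION, SAMPLE_IMAGE, SAMPLE_IMAGE_SHA512))
```

Two caveats on what this does and does not prove. Uptime is reset by a soft `reload` as well as by a power cycle, so `restarted_recently` only confirms the device restarted inside the window you expected; the power cycle itself has to be recorded by whoever pulled the plug. And a matching image hash shows the on-disk image is the vendor's, not that nothing else is resident: Firestarter's copy sits outside that image, which is the whole point of the article, so a clean hash after the power cycle is necessary but not sufficient, and a device that was confirmed implanted should still be handled under the incident-response guidance rather than returned to service on the strength of these checks alone.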
Signal 02 — Supply Chain Persistence
This campaign highlights the exposure of the network edge. When a vendor's primary security appliance becomes a persistent staging ground, trust in the entire supply chain behind it is compromised. As in the Citizens Financial vendor incident, the primary risk is no longer the data theft itself but the long-term, unmonitored presence of state-sponsored actors such as UAT-4356 on a device that sits in front of everything else.