- Cisco Talos warns of Firestarter, a new malware targeting unpatched Firepower and Secure Firewall appliances
- The UAT-4356 group exploited CVE-2025-20333 and CVE-2025-20362 to deploy Line Viper before Firestarter was dropped
- CISA confirmed exploitation against at least one federal agency
Security researchers have warned about Firestarter, a brand new custom-built malware that targets unpatched Cisco Firepower and Secure Firewall devices, persisting across reboots, security patches and even firmware updates.
Experts from Cisco Talos said Firestarter works only on devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. It was built by a threat actor tracked as UAT-4356, a group Cisco has been warning about for at least two years now.
In mid-2024, Cisco said sophisticated threat actors with possible ties to Eastern nation states were exploiting two flaws in Cisco VPNs and firewalls to release malware. The same group, which is also being tracked as STORM-1849, exploited two bugs at the time: CVE-2024-20353 and CVE-2024-20359.
Confirmation of the breach
This time, they exploit a lack of authentication issue tracked as CVE-2025-20333, and a buffer overflow bug tracked as CVE-2025-20362, to first deploy Line Viper (a user-mode shellcode loader) before dropping Firestarter.
Line Viper is said to be able to run CLI commands, capture packets, bypass VPN authentication, authorization and accounting (AAA) for actor devices, suppress syslog messages, steal user CLI commands and force a delayed device reboot.
For at least one Federal Civilian Executive Branch (FCEB) agency, the devices were compromised in the time between the patch being released and it being deployed on the devices:
“CISA has not confirmed the exact date of the first exploit, but estimates that the compromise occurred in early September 2025 and before the agency implemented patches in accordance with ED 25-03,” CISA said in its security advisory.
By tweaking the startup mount list, the malware ensures that it persists even after a reboot.
Those running Firepower and Secure Firewall and looking for remedies and solutions should read Cisco’s security advisory here. The company said it “strongly recommends” reimaging and upgrading the device using the fixed releases.
Via Hacker News