FIRESTARTER Backdoor Persists on Federal Cisco Devices After Patch Rollouts

U.S. CISA/NCSC warn that a federal Cisco Firepower ASA device was compromised in Sept 2025 by FIRESTARTER, a backdoor that survives firmware updates by hooking the LINA core and is used alongside the LINE VIPER post-exploitation toolkit to sustain remote access. The intrusion leveraged the since-patched CVE-2025-20333 (authenticated remote code execution) and CVE-2025-20362 (unauthenticated access). The implant endures normal reboots, so a full device reimage is required to remove it completely. Cisco also recommends a cold restart (power cycle) to clear the implant and cautions that all configuration elements should be treated as untrusted until reimaging. Attribution hints at prior ArcaneDoor activity with a possible China nexus, though origins remain uncertain.
- FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches (The Hacker News)
- V1: ED 25-03: Identify and Mitigate Potential Compromise of Cisco Devices (CISA, .gov)
- US Federal Agency’s Cisco Firewall Infected With ‘Firestarter’ Backdoor (SecurityWeek)
- UAT-4356's Targeting of Cisco Firepower Devices (Cisco Talos Blog)
- CISA: US agency breached through Cisco vulnerability, FIRESTARTER backdoor allowed access through March (The Record from Recorded Future News)