Firestarter

All articles tagged with #firestarter

FIRESTARTER Backdoor Persists on Federal Cisco Devices After Patch Rollouts
technology, 4 hours ago

U.S. CISA/NCSC warn that a federal Cisco Firepower ASA device was compromised in September 2025 by FIRESTARTER, a backdoor that survives firmware updates by hooking the LINA core. It is used alongside the LINE VIPER post-exploitation toolkit to sustain remote access. The intrusion leveraged two patched vulnerabilities, CVE-2025-20333 (authenticated remote code execution) and CVE-2025-20362 (unauthenticated access). The implant can endure normal reboots, and a full device reimage is required to fully remove it. Cisco also recommends a cold restart (power cycle) to clear the implant and cautions that all configuration elements should be treated as untrusted until reimaging. Attribution hints at prior ArcaneDoor activity with a possible China nexus, though origins remain uncertain.