TechRadar
Sead Fadilpašić

New 'Firestarter' malware flames on in spite of Cisco firewall updates and security patches

  • Cisco Talos warns of Firestarter, a new malware targeting unpatched Firepower and Secure Firewall devices
  • UAT-4356 group exploited flaws CVE-2025-20333 and CVE-2025-20362 to deploy Line Viper before dropping Firestarter
  • CISA confirmed exploitation against at least one federal agency

Security researchers have warned of Firestarter, a brand new custom-built malware which targets unpatched Cisco Firepower and Secure Firewall devices, persisting over reboots, security patches, and even firmware updates.

Experts from Cisco Talos flagged that Firestarter only works on devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. It was built by a threat actor tracked as UAT-4356, a group Cisco has been warning about for at least two years now.

In mid-2024, Cisco said that sophisticated threat actors with possible ties to eastern nation-states were abusing two flaws in Cisco VPNs and firewalls to drop malware. The same group, which is also being tracked as STORM-1849, abused two flaws at the time: CVE-2024-20353 and CVE-2024-20359.

Confirming the breach

This time around, they are abusing a missing authorization issue tracked as CVE-2025-20333, and a buffer overflow bug tracked as CVE-2025-20362, to first deploy Line Viper (a user-mode shellcode loader), before dropping Firestarter.

Line Viper was said to be able to run CLI commands, capture packets, bypass VPN Authentication, Authorization, and Accounting (AAA) for actor devices, suppress syslog messages, steal user CLI commands, and force a delayed device restart.
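One of the capabilities listed above, suppressing syslog messages, leaves a trace of its own: a firewall that normally logs continuously goes quiet. The script below is an added illustration of that detection idea; it is not code from the article, from Cisco Talos or from CISA. It parses ASA-style syslog lines (the sample lines, hostnames and message IDs are constructed for this example), groups them per device, and reports any silence between consecutive messages longer than a threshold.

```python
"""Flag suspicious silences in a firewall's syslog stream.

Added example (not from the TechRadar article or Cisco). The sample log below
is constructed: it mimics the shape of ASA syslog output, but every value in
it is made up. fw-edge-01 logs every few minutes, then falls silent for over
an hour; fw-edge-02 logs normally throughout.
"""
from datetime import datetime
import re

SAMPLE_LOG = """\
Sep 03 2025 09:00:12 fw-edge-01 %ASA-6-302013: Built outbound TCP connection 1001
Sep 03 2025 09:04:40 fw-edge-01 %ASA-6-302014: Teardown TCP connection 1001
Sep 03 2025 09:09:02 fw-edge-01 %ASA-6-605005: Login permitted from 10.0.0.5
Sep 03 2025 10:31:55 fw-edge-01 %ASA-6-302013: Built outbound TCP connection 1002
Sep 03 2025 10:35:10 fw-edge-01 %ASA-6-302014: Teardown TCP connection 1002
Sep 03 2025 09:01:00 fw-edge-02 %ASA-6-302013: Built outbound TCP connection 2001
Sep 03 2025 09:06:00 fw-edge-02 %ASA-6-302014: Teardown TCP connection 2001
"""

# Timestamp, then the reporting host, then the rest of the message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)


def parse_lines(text):
    """Return {host: sorted list of message timestamps} for every parseable line."""
    per_host = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not have the expected shape
        ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
        per_host.setdefault(m.group("host"), []).append(ts)
    for stamps in per_host.values():
        stamps.sort()  # lines from several hosts may arrive interleaved
    return per_host


def find_silences(per_host, max_gap_minutes=30):
    """Return (host, gap_start, gap_end, gap_seconds) for every gap longer than the threshold."""
    threshold = max_gap_minutes * 60
    findings = []
    for host, stamps in per_host.items():
        for prev, cur in zip(stamps, stamps[1:]):
            gap = int((cur - prev).total_seconds())
            if gap > threshold:
                findings.append((host, prev, cur, gap))
    return findings


def analyze(text, max_gap_minutes=30):
    """Convenience wrapper: parse a log blob and return the silences found in it."""
    return find_silences(parse_lines(text), max_gap_minutes)


if __name__ == "__main__":
    for host, start, end, secs in analyze(SAMPLE_LOG):
        print(f"{host}: no syslog between {start:%H:%M:%S} and {end:%H:%M:%S} ({secs // 60} min)")
```

The threshold has to be tuned to each device's normal logging rate; a busy edge firewall may justify a few minutes, while a quiet one needs a longer window. Checking for gaps on the collector, rather than on the firewall itself, matters here because the suppression described happens on the device.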

For at least one Federal Civilian Executive Branch (FCEB) agency, the devices were compromised in the window between the patch being released and the patch being deployed on the devices:

“CISA has not confirmed the exact date of initial exploitation but assesses the compromise occurred in early September 2025, and before the agency implemented patches in accordance with ED 25-03,” CISA said in its security advisory.

By tweaking the startup mount list, the malware makes sure it persists even after reboots.

Those running Firepower and Secure Firewall, and looking for mitigations and workarounds, should read Cisco’s security advisory. The company said it “strongly recommends” reimaging and upgrading the device using the fixed releases.

Via The Hacker News
