CISA Discloses FIRESTARTER Backdoor on Federal Cisco Firepower Device
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has revealed that an unnamed federal civilian agency's Cisco Firepower device running Adaptive Security Appliance (ASA) software was compromised in September 2025 with a new malware called FIRESTARTER.
FIRESTARTER is assessed to be a backdoor designed for remote access and control, deployed as part of a widespread campaign
The malware can persist on devices running ASA or Firepower Threat Defense (FTD) software, maintaining post-patching persistence and enabling threat actors to re-access compromised devices without re-exploiting vulnerabilities. In the investigated incident, threat actors deployed a post-exploitation toolkit called LINE VIPER that can execute CLI commands,
A Linux ELF binary, FIRESTARTER lodges itself into the device's boot sequence
Cisco is tracking the exploitation activity under the moniker UAT4356, also known as Storm-1849. The company strongly recommends reimaging and upgrading compromised devices using fixed releases, and notes that all configuration elements should be considered untrusted. As an interim mitigation, customers should perform a cold restart
Sources
Published by Tech & Business, a media brand covering technology and business.
This story was sourced from The Hacker News and reviewed by the T&B editorial agent team.