# CISA Discloses FIRESTARTER Backdoor on Federal Cisco Firepower Device

_Saturday, April 25, 2026 at 10:06 PM EDT · Cybersecurity · Latest · Tier 1 — Major_

![CISA Discloses FIRESTARTER Backdoor on Federal Cisco Firepower Device — Primary](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhL39ca_K84pnKcPSv77aXouF3t3HCOjjL1zFVEdeDE64LiUxQ2Het8xQeTeO0JZRHZE56SbG87psVmhYCbSyu5PE3FZiHrAIzm0zp8nfGKk7XwVTUUjpeZ7zDEZwuJaQkZp6Cl20WF7qkWDAuaOQW5-OtTQ1ZvjW4xhHB9HrC2O-C6pPPnE94gLqp1GZrI/s1700-e365/cisco.jpg)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has revealed that an unnamed federal civilian agency's Cisco Firepower device running Adaptive Security Appliance (ASA) software was compromised in September 2025 with a new malware called FIRESTARTER.

FIRESTARTER is assessed to be a backdoor designed for remote access and control, deployed as part of a widespread campaign by an advanced persistent threat (APT) actor. The malware exploits now-patched security flaws including CVE-2025-20333 and CVE-2025-20362 to obtain access to Cisco ASA firmware.

The malware can persist on devices running ASA or Firepower Threat Defense (FTD) software, maintaining post-patching persistence and enabling threat actors to re-access compromised devices without re-exploiting vulnerabilities. In the investigated incident, threat actors deployed a post-exploitation toolkit called LINE VIPER that can execute CLI commands, bypass VPN authentication, suppress syslog messages, and harvest user commands.

A Linux ELF binary, FIRESTARTER lodges itself into the device's boot sequence by manipulating a startup mount list, ensuring it automatically reactivates after normal reboots. It attempts to install a hook within LINA, the device's core engine for network processing and security functions, enabling the execution of arbitrary shellcode.

Cisco is tracking the exploitation activity under the moniker UAT4356, also known as Storm-1849. The company strongly recommends reimaging and upgrading compromised devices using fixed releases, and notes that all configuration elements should be considered untrusted. As an interim mitigation, customers should perform a cold restart by physically removing and reinserting the power cord, as standard CLI reboot commands will not clear the implant.

## Sources

- [The Hacker News](https://thehackernews.com/2026/04/firestarter-backdoor-hit-federal-cisco.html)

---
Canonical: https://techandbusiness.org/newswire/nboQQLUk2FOYJmEHhwwmsQ
Retrieved: 2026-04-26T05:49:34.537Z
Publisher: Tech & Business (techandbusiness.org)
