New 'Firestarter' malware flames on in spite of Cisco firewall updates and security patches


  • Cisco Talos warns of Firestarter, a new malware targeting unpatched Firepower and Secure Firewall devices
  • The UAT-4356 group exploited CVE-2025-20333 and CVE-2025-20362 to deploy Line Viper before dropping Firestarter
  • CISA confirmed exploitation against at least one federal agency

Security researchers have warned of Firestarter, a new custom-built malware that targets unpatched Cisco Firepower and Secure Firewall devices and persists across reboots, security patches, and even software upgrades.

Experts from Cisco Talos flagged that Firestarter only works on devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. It was built by a threat actor tracked as UAT-4356, a group Cisco has been warning about for at least two years.

In mid-2024, Cisco said that sophisticated threat actors with possible ties to eastern nation-states were abusing two flaws in its VPN and firewall products, CVE-2024-20353 and CVE-2024-20359, to drop malware. The same group is also tracked as STORM-1849.


Confirming the breach

This time around, the group is chaining two flaws in the ASA/FTD VPN web server: a buffer overflow tracked as CVE-2025-20333 and a missing-authorization issue tracked as CVE-2025-20362. The chain is used to first deploy Line Viper (a user-mode shellcode loader) and then drop Firestarter.

Line Viper was said to be able to run CLI commands, capture packets, bypass VPN Authentication, Authorization, and Accounting (AAA) for actor-controlled devices, suppress syslog messages, harvest the CLI commands entered by legitimate users, and force a delayed device restart.
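Two of the capabilities listed above, syslog suppression and a forced delayed restart, leave a trace that the device itself cannot hide: the log collector sees the firewall go quiet and then come back with a startup message. The script below is an added example written for this article, not Cisco or Talos code. It scans constructed, ASA-style syslog lines, reports any device whose consecutive log records are further apart than a threshold, and flags when the silence ends with a boot message. The sample lines, the timestamp format, the "Startup completed" marker and the message IDs are assumptions made for the example and should be checked against what your own devices actually emit.

```python
"""Collector-side heuristic for syslog silence and unplanned restarts.

Added example, constructed for this article; not Cisco or Talos code.
Line Viper is reported to suppress syslog messages and force a delayed
restart, so a firewall that suddenly stops logging and then reappears
with a startup message is a signal worth alerting on, independent of
anything the possibly compromised device reports about itself.
"""
import re
from datetime import datetime

# ASSUMPTION: timestamps look like "Dec 03 2025 10:00:00" (ASA-style, with
# year) and lines carry a %ASA-<severity>-<msgid>: prefix. Adjust the regex
# to your collector's actual format.
_LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) : %ASA-\d-(?P<msgid>\d+): (?P<text>.*)$"
)
_TS_FMT = "%b %d %Y %H:%M:%S"

# ASSUMPTION: text that marks a device finishing boot. Verify the exact
# message your devices emit before relying on it.
_STARTUP_MARKER = "Startup completed"

# CONSTRUCTED sample: two firewalls; fw-edge-1 goes quiet for about 40
# minutes and comes back with a startup message, fw-edge-2 logs normally.
SAMPLE_LOG = """\
Dec 03 2025 10:00:00 fw-edge-1 : %ASA-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.5/51000 (203.0.113.5/51000) to inside:10.0.0.10/443 (10.0.0.10/443)
Dec 03 2025 10:00:02 fw-edge-2 : %ASA-6-302013: Built inbound TCP connection 2001 for outside:198.51.100.7/40000 (198.51.100.7/40000) to inside:10.0.1.10/443 (10.0.1.10/443)
Dec 03 2025 10:00:30 fw-edge-1 : %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/51000 to inside:10.0.0.10/443 duration 0:00:30 bytes 4096 TCP FINs
this line is not syslog at all and must be skipped
Dec 03 2025 10:03:00 fw-edge-2 : %ASA-6-302014: Teardown TCP connection 2001 for outside:198.51.100.7/40000 to inside:10.0.1.10/443 duration 0:02:58 bytes 8192 TCP FINs
Dec 03 2025 10:07:30 fw-edge-2 : %ASA-6-302013: Built inbound TCP connection 2002 for outside:198.51.100.7/40001 (198.51.100.7/40001) to inside:10.0.1.10/443 (10.0.1.10/443)
Dec 03 2025 10:41:10 fw-edge-1 : %ASA-6-199002: Startup completed. Beginning operation.
Dec 03 2025 10:41:15 fw-edge-1 : %ASA-6-302013: Built inbound TCP connection 1 for outside:203.0.113.5/51001 (203.0.113.5/51001) to inside:10.0.0.10/443 (10.0.0.10/443)
"""


def parse_line(line):
    """Return (timestamp, host, msgid, text), or None for non-matching lines."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.strptime(m.group("ts"), _TS_FMT), m.group("host"),
            m.group("msgid"), m.group("text"))


def find_silence_gaps(lines, max_gap_seconds=300):
    """Per host, report consecutive records more than max_gap_seconds apart.

    Each finding is a dict with host, gap_start, gap_end, seconds and
    reboot_after (True when the first record after the gap is the startup
    marker, i.e. the silence ended with the device booting).
    """
    records = [r for r in (parse_line(ln) for ln in lines) if r is not None]
    records.sort(key=lambda r: r[0])  # tolerate slightly out-of-order delivery
    last_seen = {}  # host -> timestamp of its most recent record
    findings = []
    for ts, host, _msgid, text in records:
        prev = last_seen.get(host)
        if prev is not None:
            silence = int((ts - prev).total_seconds())
            if silence > max_gap_seconds:
                findings.append({
                    "host": host,
                    "gap_start": prev.isoformat(),
                    "gap_end": ts.isoformat(),
                    "seconds": silence,
                    "reboot_after": _STARTUP_MARKER in text,
                })
        last_seen[host] = ts
    return findings


def analyze_sample(max_gap_seconds=300):
    """Run the heuristic over the constructed sample log."""
    return find_silence_gaps(SAMPLE_LOG.splitlines(), max_gap_seconds)


if __name__ == "__main__":
    for f in analyze_sample():
        kind = "REBOOT after silence" if f["reboot_after"] else "silence"
        print(f"{f['host']}: {kind} {f['seconds']}s "
              f"({f['gap_start']} -> {f['gap_end']})")
```

Two caveats when using something like this. First, it only catches wholesale silence; a loader that drops individual messages while letting the bulk of traffic logs through will not show up as a gap, so pair it with a check that specific, normally periodic messages keep arriving. Second, scheduled maintenance produces the same pattern, so findings should be reconciled against change windows before they page anyone.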

For at least one Federal Civilian Executive Branch (FCEB) agency, devices were compromised in the window between the patch being released and its deployment on those devices:

“CISA has not confirmed the exact date of initial exploitation but assesses the compromise occurred in early September 2025, and before the agency implemented patches in accordance with ED 25-03,” CISA said in its security advisory.

By modifying the device's startup mount list, Firestarter arranges to be brought back up every time the device boots, which is how it survives reboots rather than being cleared by them.

Those running Firepower and Secure Firewall who are looking for mitigations and workarounds should consult Cisco's security advisory. Because Firestarter is designed to persist across patches and upgrades, applying the fixed release in place is not enough for a device that may already be compromised: the company said it "strongly recommends" reimaging the device and then upgrading it to the fixed releases.

Via The Hacker News

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.