- Cisco Talos warns of Firestarter, new malware targeting unpatched Firepower and Secure Firewall devices
- The UAT-4356 group exploited CVE-2025-20333 and CVE-2025-20362 to deploy Line Viper before abandoning Firestarter
- CISA confirmed exploitation against at least one federal agency
Security researchers have warned about Firestarter, a new custom malware that targets unpatched Cisco Firepower and Secure Firewall devices and persists across reboots, security patches and even firmware updates.
Cisco Talos experts reported that Firestarter only works on devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. It was built by a threat actor tracked as UAT-4356, a group Cisco has been warning about for at least two years.
In April 2024, Cisco said sophisticated threat actors with possible ties to nation states were exploiting two flaws in Cisco VPNs and firewalls to drop malware. The same group, also tracked as STORM-1849, abused two vulnerabilities at the time: CVE-2024-20353 and CVE-2024-20359.
Confirmation of compromise
This time, the group exploited a buffer overflow tracked as CVE-2025-20333 and a missing authorization flaw tracked as CVE-2025-20362 to deploy Line Viper (a user-mode shellcode loader) on targeted devices. Firestarter, the persistence component, was later removed from compromised devices by the actor.
Line Viper is reportedly capable of executing CLI commands, capturing packets, bypassing VPN Authentication, Authorization, and Accounting (AAA) for the actor's own devices, suppressing syslog messages, harvesting the CLI commands entered by legitimate users, and forcing a delayed device reboot.
For at least one Federal Civilian Executive Branch (FCEB) agency, devices were compromised in the time between the release of the patch and its deployment to devices:
“CISA has not confirmed the exact date of the initial exploitation but assesses that the compromise occurred in early September 2025, and before the agency implemented fixes pursuant to ED 25-03,” CISA said in its security advisory.
Firestarter modifies the device's mount list at startup, so it is re-established on every boot and survives a simple reboot.
Those using Firepower and Secure Firewall and looking for mitigations and workarounds should read Cisco's security advisory. Because patching alone does not remove an already-installed implant, the company said it "strongly recommends" reimaging the device and upgrading to a patched software version.
Via The Hacker News
Follow TechRadar on Google News and add us as your favorite source to get our news, reviews and expert opinions in your feeds.