- Cisco Talos warns about Firestarter, new malware targeting unpatched Firepower and Secure Firewall devices
- The UAT-4356 group exploited CVE-2025-20333 and CVE-2025-20362 to deploy Line Viper before dropping Firestarter.
- CISA confirmed exploitation against at least one federal agency
Security researchers have warned about Firestarter, a new custom malware that targets unpatched Cisco Firepower and Secure Firewall devices and persists through reboots, security patches, and even firmware updates.
Cisco Talos experts noted that Firestarter only works on devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. It was created by a threat actor tracked as UAT-4356, a group that Cisco has been warning about for at least two years.
In mid-2024, Cisco said sophisticated threat actors with possible ties to eastern nation-states were abusing two flaws in Cisco VPNs and firewalls to deploy malware. The same group, which is also tracked as STORM-1849, abused two flaws at the time: CVE-2024-20353 and CVE-2024-20359.
Confirming non-compliance
This time, they are abusing a missing authorization issue tracked as CVE-2025-20333, and a buffer overflow bug tracked as CVE-2025-20362, to first deploy Line Viper (a user-mode shellcode loader) before dropping Firestarter.
Line Viper was said to be able to execute CLI commands, capture packets, bypass VPN Authentication, Authorization, and Accounting (AAA) for actor-controlled devices, suppress syslog messages, steal user CLI commands, and force a delayed restart of the device.
For at least one Federal Civilian Executive Branch (FCEB) agency, devices were compromised in the window between the patch release and its deployment to devices:
“CISA has not confirmed the exact date of the initial exploitation, but assesses that the compromise occurred in early September 2025, and before the agency deployed patches in accordance with ED 25-03,” CISA said in its security advisory.
By modifying the startup mount list, the malware ensures that it persists even after reboot.
Those running Firepower and Secure Firewall devices and looking for mitigations and workarounds should read Cisco’s security advisory. The company said it “strongly recommends” re-imaging the device and updating it to the fixed versions.
Via The Hacker News