The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has announced that a federal civilian agency’s Cisco Firepower device running Adaptive Security Appliance (ASA) software was compromised in September 2025 by malware named FIRESTARTER.
FIRESTARTER is identified by CISA and the U.K.’s National Cyber Security Centre (NCSC) as a backdoor created for remote access and control. It is suspected to be part of a widespread campaign by an advanced persistent threat (APT) actor to gain access to Cisco ASA firmware by exploiting security vulnerabilities such as:
- CVE-2025-20333 (CVSS score: 9.9) – An input validation vulnerability that could allow a remote attacker to execute code on an affected device.
- CVE-2025-20362 (CVSS score: 6.5) – A vulnerability that could allow an attacker to access restricted URL endpoints without authentication.
The malware has the ability to persist on Cisco devices running ASA or Firepower Threat Defense (FTD) software even after patching, enabling threat actors to regain access to compromised devices without exploiting vulnerabilities again.
In this specific incident, threat actors utilized a post-exploitation toolkit called LINE VIPER to execute commands, bypass VPN authentication, and maintain access to the compromised device.
FIRESTARTER, a Linux ELF binary, establishes persistence on the device and survives firmware updates and reboots. It embeds itself into the device’s boot sequence, ensuring it activates on every normal reboot. The malware shares similarities with a previously known bootkit named RayInitiator.
Cisco recommends reimaging and upgrading devices to fully remove the malware. Until reimaging is possible, customers are advised to perform a cold restart to eliminate the FIRESTARTER implant.
Chinese Hackers Transition to Covert Networks
A joint advisory from the U.S., the U.K., and international partners highlights large-scale networks of compromised SOHO routers and IoT devices utilized by China-affiliated threat actors for espionage purposes.
State-sponsored groups like Volt Typhoon and Flax Typhoon leverage these botnets to target critical infrastructure sectors in a covert and deniable manner. The constantly evolving networks make it challenging for defenders to block them effectively.
The use of compromised devices for cyber espionage underscores the importance of securing network perimeter devices to prevent unauthorized access and data interception.