New Firestarter Malware Evades Cisco Firewall Updates
27 Apr
Summary
- Firestarter malware targets unpatched Cisco Firepower and Secure Firewall devices.
- Group UAT-4356 exploited CVE-2025-20333 and CVE-2025-20362 to deploy malware.
- CISA confirmed the exploitation impacted at least one federal agency.

Security professionals have identified a new custom malware, dubbed Firestarter, which specifically targets unpatched Cisco Firepower and Secure Firewall devices. This persistent threat is designed to survive reboots, security patches, and firmware updates, posing a significant risk to network defenses.
Cisco Talos reports that Firestarter operates on devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. The threat actor group UAT-4356, known for sophisticated attacks, is responsible for deploying this malware. Previously, this group exploited vulnerabilities CVE-2024-20353 and CVE-2024-20359.
In its latest campaign, UAT-4356 is leveraging two new flaws: CVE-2025-20333, a missing authorization issue, and CVE-2025-20362, a buffer overflow bug. These vulnerabilities are exploited to first introduce Line Viper, a user-mode shellcode loader, before deploying Firestarter itself.
The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that Firestarter has been used against at least one federal agency. The compromise occurred in early September 2025, before the agency had applied the necessary patches, illustrating how quickly these vulnerabilities were exploited after disclosure.
Firestarter ensures its persistence by modifying the startup mount list, a technique that allows it to remain active even after device restarts. Cisco strongly recommends that organizations running affected Firepower and Secure Firewall devices re-image and upgrade their systems with the latest fixed releases to mitigate this threat.