Which vulnerabilities are being exploited to deploy Firestarter malware?

The threat actor UAT-4356 is exploiting vulnerabilities CVE-2025-20333 and CVE-2025-20362 to deploy Line Viper, which then drops the Firestarter malware.

Has Firestarter malware impacted any government agencies?

Yes, the Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that Firestarter exploitation impacted at least one federal agency in early September 2025.

Home / Technology / New Firestarter Malware Evades Cisco Firewall Updates

New Firestarter Malware Evades Cisco Firewall Updates

Q: What is the new Firestarter malware?

Firestarter is a new custom-built malware that targets unpatched Cisco Firepower and Secure Firewall devices, designed to persist even after reboots and updates.

27 Apr

•

Summary

Firestarter malware targets unpatched Cisco Firepower and Secure Firewall devices.
Group UAT-4356 exploited CVE‑2025‑20333 and CVE‑2025‑20362 to deploy malware.
CISA confirmed the exploitation impacted at least one federal agency.

New Firestarter Malware Evades Cisco Firewall Updates

Security professionals have identified a new custom malware, dubbed Firestarter, which specifically targets unpatched Cisco Firepower and Secure Firewall devices. This persistent threat is designed to survive reboots, security patches, and firmware updates, posing a significant risk to network defenses.

Cisco Talos reports that Firestarter operates on devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. The threat actor group UAT-4356, known for sophisticated attacks, is responsible for deploying this malware. Previously, this group exploited vulnerabilities CVE-2024-20353 and CVE-2024-20359.