CISA Issues Emergency Directive as Firestarter Backdoor Haunts Cisco Cloud Firewalls
Last week, CISA and the UK NCSC warned that a state-sponsored threat group tracked as UAT-4356 has been actively deploying a sophisticated backdoor — dubbed Firestarter — against Cisco Firepower and ASA devices used as perimeter security in enterprise and cloud environments. The malware is so resilient that the only reliable removal method is physically unplugging the device from power.
How Firestarter Works
According to Cisco Talos, UAT-4356 gains initial access by exploiting two patched vulnerabilities — CVE-2025-20333 and CVE-2025-20362 — in the WebVPN interface of Cisco ASA and Firepower Threat Defense (FTD) appliances. After deploying the Line Viper post-exploitation tool to bypass VPN authentication, the attackers implant Firestarter into the device’s boot sequence by manipulating the CSP_MOUNT_LIST.
Firestarter embeds itself in the LINA process — the core data plane of Cisco’s firewall software. It replaces a legitimate WebVPN XML handler with a malicious one that waits for specially crafted authentication requests carrying “magic bytes.” When the correct prefix pattern is detected, arbitrary shellcode executes directly in memory, providing on-demand remote access.
The Persistence Problem
What makes Firestarter particularly dangerous is its transient persistence mechanism. During a graceful reboot, the malware copies itself to a backup location (/opt/cisco/platform/logs/var/log/svc_samcore.log), updates the mount list, and restores itself before deleting all traces from disk. A normal reboot can therefore preserve the implant instead of removing it.
The only way to reliably remove the implant is a hard power cycle — physically cutting power to the device, which prevents the malware from executing its survival routine. Cisco still recommends reimaging and upgrading to a fixed software release afterward.
Indicators of compromise include a suspicious process called lina_cs and the presence of the file /usr/bin/lina_cs, though attackers can rename these.
CISA’s Emergency Directive
CISA issued Emergency Directive ED 25-03 requiring all US federal civilian agencies to:
- Identify all public-facing Cisco ASA/FTD platforms
- Collect device artifacts and core dumps for CISA’s Malware Next Generation (MNG) platform
- Apply patches for CVE-2025-20333 and CVE-2025-20362
- Avoid reboots, patching, or configuration changes before evidence collection to preserve volatile artifacts
Context: UAT-4356’s Track Record
UAT-4356 is not a newcomer. Cisco Talos first attributed the group to the ArcaneDoor campaign in early 2024, which used two zero-days to compromise Cisco ASA devices for espionage. Firestarter’s shellcode loading and execution mechanism shows considerable overlap with RayInitiator’s Stage 3 deployment, detailed in a joint NCSC advisory. The group is widely assessed as state-sponsored.
What Cloud and Security Teams Should Do
For organizations running Cisco firewalls in their cloud perimeters or on-premises edge:
- Patch immediately. Both CVEs were patched in late September 2025. If you haven’t applied these updates, assume compromise.
- Hunt for Firestarter. Look for lina_cs processes and the backup file at /opt/cisco/platform/logs/var/log/svc_samcore.log. Use Cisco’s official IOCs and detection guidance.
- Don’t reboot before collecting evidence. A graceful restart triggers the malware’s persistence routine. Collect core dumps and memory artifacts first.
- If confirmed compromised, perform a hard power cycle. Unplug the device. Then reimage from scratch.
- Review VPN logs for unauthorized sessions. Line Viper bypasses VPN authentication policies — look for sessions that shouldn’t exist.
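As an added example (not from the original article, Cisco or CISA), here is a small Python triage helper that checks artifacts already collected from a device against the indicators named above; the ps-style listing and the mount-list line format are assumptions, and all sample data is constructed.

```python
from pathlib import PurePosixPath

# Indicators taken from the reporting summarised above. Attackers can rename
# the process and binary, so an empty result is not proof of a clean device.
SUSPECT_PROCESS = "lina_cs"
BACKUP_FILE = "/opt/cisco/platform/logs/var/log/svc_samcore.log"
SUSPECT_FILES = {"/usr/bin/lina_cs", BACKUP_FILE}

def scan_processes(ps_lines):
    """Flag rows of a collected ps-style listing whose command is lina_cs."""
    hits = []
    for line in ps_lines:
        cols = line.split()
        if not cols:
            continue
        # Compare on basename so '/usr/bin/lina_cs' and 'lina_cs' both match.
        if PurePosixPath(cols[-1]).name == SUSPECT_PROCESS:
            hits.append("process: " + line.strip())
    return hits

def scan_files(paths):
    """Flag known implant paths in a file inventory collected from the device."""
    return ["file: " + p for p in paths if p in SUSPECT_FILES]

def scan_mount_list(entries):
    """Flag mount-list entries that reference the implant's backup location.
    The entry format here is assumed, not taken from Cisco documentation."""
    return ["mount: " + e for e in entries if BACKUP_FILE in e]

def triage(ps_lines, paths, mount_entries):
    """Run all checks; returns an empty list when nothing matched."""
    return scan_processes(ps_lines) + scan_files(paths) + scan_mount_list(mount_entries)

# Constructed sample artifacts (not real device output) for a quick run.
SAMPLE_PS = [
    "PID   USER     COMMAND",
    "1431  root     /asa/bin/lina",
    "2210  root     /usr/bin/lina_cs",
    "2277  root     sshd",
]
SAMPLE_FILES = ["/asa/bin/lina", "/usr/bin/lina_cs", BACKUP_FILE]
SAMPLE_MOUNTS = ["/csp/core /mnt/disk0/core", f"{BACKUP_FILE} /csp/boot"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_PS, SAMPLE_FILES, SAMPLE_MOUNTS) or ["no indicators matched"]:
        print(finding)
```

Run it against the artifact bundle exported before any reboot; a match means isolate the device and proceed to the hard power cycle and reimage described above.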
This is a textbook example of why perimeter devices running sensitive software need the same rigor as any other critical infrastructure. A firewall that can’t be trusted is worse than no firewall at all.