Skip to content
You can now search across every topic, entity and event.What's new
FIRESTARTER
Technology

FIRESTARTER

UAT-4356's Cisco ASA/Firepower boot-sequence backdoor; survives all patches, removable only by power cycle.

Last refreshed: 14 June 2026 · Appears in 1 active topic

Key Question

As edge-device persistence becomes the 2026 attack pattern, has FIRESTARTER made your patched Cisco firewall a liability?

Timeline for FIRESTARTER

#818 Jun
#78 Jun

VPN zero-day open a month pre-patch

Cybersecurity: Threats and Defences
#61 Jun
#414 May

Mentioned in: UAT-8616 keeps Cisco SD-WAN under fire

Cybersecurity: Threats and Defences
#411 May
View full timeline →
Common Questions
How does FIRESTARTER survive Cisco firmware updates?
FIRESTARTER embeds itself in the device boot sequence and self-backs-up into non-volatile storage before any clean shutdown. This means every firmware update cycle, which involves a reboot, restores the implant rather than removing it. Only a hard power cycle with a full cold start removes it.Source: CISA/NCSC joint advisory AA26-113A
What is the only way to remove FIRESTARTER from a Cisco firewall?
A hard power cycle — physically unplugging the device to force a complete cold start. Reboots, firmware updates, and patch installations do not evict the implant because it reinstalls itself before the operating system loads.Source: CISA/NCSC advisory AA26-113A
Which Cisco products are affected by the FIRESTARTER backdoor?
Cisco ASA (Adaptive Security Appliance) and Firepower Threat Defense (FTD) appliances are the confirmed affected platforms. Initial access used CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362, patched September 2025.Source: CISA AR26-113A

Background

FIRESTARTER is a persistent backdoor deployed by the government-backed threat actor UAT-4356 on Cisco ASA and Firepower Threat Defense appliances. CISA and NCSC disclosed it in joint advisory AA26-113A on 24 April 2026 after an unnamed US federal agency was confirmed still hosting the implant in March 2026, six months after the September 2025 patches that were supposed to close the intrusion window.

FIRESTARTER achieves persistence by writing itself into the device boot sequence before any operating system or application loads. During every clean shutdown it self-backs-up into non-volatile storage, so routine reboots and firmware updates reinstall the implant rather than removing it. Activation uses a magic-packet primitive: a crafted WebVPN authentication request carrying a specific secret prefix byte triggers shellcode in memory, leaving no continuous outbound beacon for network telemetry to detect. The companion implant Line Viper establishes VPN sessions on the same appliances, bypassing VPN authentication policy. The only confirmed eviction method is a hard power cycle, which requires a physical site visit and a planned production outage.

FIRESTARTER has become the reference case for a broader 2026 edge-device persistence pattern. Check Point's Remote Access VPN (CVE-2026-50751, CVSS 9.3) was exploited for one month before a hotfix shipped, with CISA issuing an 11 June Deadline. Arista formally declined to patch CVE-2026-7473 in its EOS switch series, offering only ACL mitigations, making it the second 2026 KEV entry with a federal remediation Deadline but no vendor fix. Taken together, the three cases establish a structural dynamic: perimeter and edge devices across multiple vendors are proving difficult or impossible to remediate under routine patch cycles. FIRESTARTER's boot-sequence hook means the September 2025 patch cycle is retroactively a starting line for forensic audit, not a closure event. Every Cisco ASA or FTD device that was online during that window and has not been cold-audited carries an unresolved dwell risk regardless of current patch state.

FIRESTARTER is the name assigned by Cisco Talos to a boot-sequence backdoor targeting Cisco ASA and Firepower Threat Defense appliances, attributed to the government-backed threat actor UAT-4356. It was publicly disclosed in April 2026 via joint advisory AA26-113A from CISA and the UK's NCSC. The implant is notable for surviving conventional patching and requiring a hard power cycle for removal, setting a new operational bar for persistent firmware-level threats against enterprise network infrastructure.

More questions
What indicators of compromise should I look for to detect FIRESTARTER?
CISA's advisory lists the malicious process lina_cs and files at /usr/bin/lina_cs and /opt/Cisco/platform/logs/VAR/log/svc_samcore.log as IOCs. FIRESTARTER produces no continuous outbound beacon, so network telemetry alone is insufficient; device-side anomaly detection and cold-start memory snapshots are required.Source: CISA AR26-113A
Why is the 2026 edge-device persistence pattern significant for enterprise security teams?
FIRESTARTER, the Check Point VPN zero-day (CVE-2026-50751), and Arista's refusal to patch CVE-2026-7473 establish a common pattern: perimeter and edge devices from major vendors are being exploited for weeks or months before patches arrive, or are receiving no patch at all. For enterprise security teams this means patch-cadence assumptions are insufficient for perimeter devices; cold-start audits and network segmentation are now baseline requirements.Source: CISA KEV catalogue; CISA/NCSC AA26-113A
What is the difference between FIRESTARTER and Arista's CVE-2026-7473 in terms of remediation?
FIRESTARTER has a known remediation (hard power cycle) but no routine patch fixes it. Arista's CVE-2026-7473 has no patch at all: the vendor states a software fix would break existing configurations and offers only access-control list mitigations. Both carry federal CISA remediation deadlines, making them the two 2026 KEV entries with no conventional patch PATH.Source: CISA KEV catalogue; Arista advisory
Source Material