FIRESTARTER
Technology

UAT-4356's Cisco ASA/Firepower boot-sequence backdoor; survives all patches, removable only by power cycle.

Last refreshed: 30 April 2026

Key Question

Is your patched Cisco firewall still hosting FIRESTARTER six months on?

Timeline for FIRESTARTER

#228 Apr
#224 Apr

Persisted in Cisco ASA/FTD boot sequence through all patches; activated via crafted WebVPN magic-packet request

Cybersecurity: Threats and Defences: FIRESTARTER implant survives every Cisco firewall patch
#224 Apr

Persisted through September 2025 patches inside a federal agency until detected in March 2026

Cybersecurity: Threats and Defences: Federal agency stayed compromised six months
#220 Apr
Common Questions
How does FIRESTARTER survive Cisco firmware updates?
FIRESTARTER embeds itself in the device boot sequence and backs itself up into non-volatile storage before any clean shutdown. Every firmware update cycle involves a reboot, which restores the implant rather than removing it. Only a hard power cycle with a full cold start removes it.
Source: CISA/NCSC joint advisory AA26-113A
What is the only way to remove FIRESTARTER from a Cisco firewall?
A hard power cycle — physically unplugging the device to force a complete cold start. Reboots, firmware updates, and patch installations do not evict the implant because it reinstalls itself before the operating system loads.
Source: CISA/NCSC advisory AA26-113A
Which Cisco products are affected by the FIRESTARTER backdoor?
Cisco ASA (Adaptive Security Appliance) and Firepower Threat Defense (FTD) appliances are the confirmed affected platforms. Initial access used CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362, both patched in September 2025.
Source: CISA AR26-113A
What indicators of compromise should I look for to detect FIRESTARTER?
CISA's advisory lists the malicious process lina_cs and the files /usr/bin/lina_cs and /opt/Cisco/platform/logs/var/log/svc_samcore.log as IOCs. FIRESTARTER produces no continuous outbound beacon, so network telemetry alone is insufficient; device-side anomaly detection and cold-start memory snapshots are required.
Source: CISA AR26-113A

Background

FIRESTARTER is a persistent backdoor deployed by the government-backed threat actor UAT-4356 on Cisco ASA and Firepower Threat Defense appliances. CISA and NCSC disclosed it in joint advisory AA26-113A on 24 April 2026 after an unnamed US federal agency was confirmed still hosting the implant in March 2026 — six months after applying the September 2025 patches that were supposed to close the intrusion window.

FIRESTARTER achieves persistence by writing itself into the device boot sequence — the code that runs before any operating system or application loads. During every clean shutdown it backs itself up into non-volatile storage, so routine reboots and firmware updates reinstall the implant rather than removing it. Activation runs through a magic-packet primitive: a crafted WebVPN authentication request carrying a specific secret prefix byte triggers shellcode in memory, leaving no continuous outbound beacon for network telemetry to detect. The companion implant Line Viper establishes VPN sessions on the same appliances, bypassing all VPN authentication policy. IOCs in the advisory include the malicious process lina_cs and the file /usr/bin/lina_cs. The only confirmed eviction method is a hard power cycle — physically pulling the power cable — which requires a maintenance window, a physical site visit, and a planned production outage.

FIRESTARTER represents a structural escalation from UAT-4356's 2024 ArcaneDoor implants, which used volatile-memory code that a standard reboot could clear. The boot-sequence hook means the September 2025 patch cycle is retroactively a starting line for forensic audit, not a closure event. Every Cisco ASA or FTD device that was online during that patch window and has not been cold-audited carries an unresolved dwell risk regardless of current patch state.
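The two defender-side points above, the advisory's host IOCs and the rule that patch state alone never clears the dwell risk, can be turned into a fleet triage script. This is an added example, not code from the advisory, CISA or Cisco; the listing formats ("<pid> <name>" process lines, one path per line) and the device records are constructed assumptions, and a listing pulled from a possibly compromised appliance is only a first pass before the cold-start memory snapshot the advisory calls for.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Host IOCs quoted on this page from the CISA advisory
IOC_PROCESSES = {"lina_cs"}
IOC_PATHS = {"/usr/bin/lina_cs",
             "/opt/Cisco/platform/logs/var/log/svc_samcore.log"}

# End of the September 2025 patch window the page treats as the audit start line
PATCH_WINDOW_END = date(2025, 9, 30)


def scan_listing(process_lines, file_lines):
    """Return IOC hits from a process listing ("<pid> <name>", assumed
    format) and a file inventory (one absolute path per line, assumed)."""
    hits = []
    for line in process_lines:
        parts = line.split()
        if len(parts) >= 2 and parts[1] in IOC_PROCESSES:
            hits.append(("process", parts[1]))
    for line in file_lines:
        if line.strip() in IOC_PATHS:
            hits.append(("file", line.strip()))
    return hits


@dataclass
class Device:
    name: str
    online_since: date               # first day the appliance was reachable
    patched_on: Optional[date]       # September 2025 fixes applied, if ever
    last_cold_start: Optional[date]  # hard power cycle, not a warm reboot


def triage(dev):
    """Classify one device by the page's rule: reboots and patches do not
    evict the implant, only a cold start after the fix does."""
    if dev.patched_on is None:
        return "unpatched"                 # initial-access CVEs still open
    if dev.online_since > PATCH_WINDOW_END:
        return "not exposed"               # came online after the window
    if dev.last_cold_start and dev.last_cold_start >= dev.patched_on:
        return "cold-audited"              # cold start after patching
    return "unresolved dwell risk"         # patched, never cold-started


if __name__ == "__main__":
    # Constructed sample listings, not real appliance output
    print(scan_listing(["1 init", "417 lina_cs"], ["/usr/bin/lina_cs"]))
    print(triage(Device("fw-edge-1", date(2024, 1, 5),
                        date(2025, 9, 28), date(2025, 9, 1))))
```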

FIRESTARTER is the name assigned by Cisco Talos to a boot-sequence backdoor targeting Cisco ASA and Firepower Threat Defense appliances, attributed to the government-backed threat actor UAT-4356. It was publicly disclosed in April 2026 via joint advisory AA26-113A from CISA and the UK's NCSC. The implant is notable for surviving conventional patching and requiring a hard power cycle for removal, setting a new operational bar for persistent firmware-level threats against enterprise network infrastructure.

Source Material