
FIRESTARTER
UAT-4356's Cisco ASA/Firepower boot-sequence backdoor; survives all patches, removable only by power cycle.
Last refreshed: 14 June 2026 · Appears in 1 active topic
As edge-device persistence becomes the 2026 attack pattern, has FIRESTARTER made your patched Cisco firewall a liability?
Timeline for FIRESTARTER
Mentioned in: 86,644 Fortinet logins become a hit list
Cybersecurity: Threats and DefencesVPN zero-day open a month pre-patch
Cybersecurity: Threats and DefencesMentioned in: WebLogic flaw revived as ransomware vector
Cybersecurity: Threats and DefencesMentioned in: UAT-8616 keeps Cisco SD-WAN under fire
Cybersecurity: Threats and DefencesMentioned in: UNC6780 takes Cisco AI Defense source code
Cybersecurity: Threats and DefencesHow does FIRESTARTER survive Cisco firmware updates?
What is the only way to remove FIRESTARTER from a Cisco firewall?
Which Cisco products are affected by the FIRESTARTER backdoor?
Background
FIRESTARTER is a persistent backdoor deployed by the government-backed threat actor UAT-4356 on Cisco ASA and Firepower Threat Defense appliances. CISA and NCSC disclosed it in joint advisory AA26-113A on 24 April 2026 after an unnamed US federal agency was confirmed still hosting the implant in March 2026, six months after the September 2025 patches that were supposed to close the intrusion window.
FIRESTARTER achieves persistence by writing itself into the device boot sequence before any operating system or application loads. During every clean shutdown it self-backs-up into non-volatile storage, so routine reboots and firmware updates reinstall the implant rather than removing it. Activation uses a magic-packet primitive: a crafted WebVPN authentication request carrying a specific secret prefix byte triggers shellcode in memory, leaving no continuous outbound beacon for network telemetry to detect. The companion implant Line Viper establishes VPN sessions on the same appliances, bypassing VPN authentication policy. The only confirmed eviction method is a hard power cycle, which requires a physical site visit and a planned production outage.
FIRESTARTER has become the reference case for a broader 2026 edge-device persistence pattern. Check Point's Remote Access VPN (CVE-2026-50751, CVSS 9.3) was exploited for one month before a hotfix shipped, with CISA issuing an 11 June Deadline. Arista formally declined to patch CVE-2026-7473 in its EOS switch series, offering only ACL mitigations, making it the second 2026 KEV entry with a federal remediation Deadline but no vendor fix. Taken together, the three cases establish a structural dynamic: perimeter and edge devices across multiple vendors are proving difficult or impossible to remediate under routine patch cycles. FIRESTARTER's boot-sequence hook means the September 2025 patch cycle is retroactively a starting line for forensic audit, not a closure event. Every Cisco ASA or FTD device that was online during that window and has not been cold-audited carries an unresolved dwell risk regardless of current patch state.
FIRESTARTER is the name assigned by Cisco Talos to a boot-sequence backdoor targeting Cisco ASA and Firepower Threat Defense appliances, attributed to the government-backed threat actor UAT-4356. It was publicly disclosed in April 2026 via joint advisory AA26-113A from CISA and the UK's NCSC. The implant is notable for surviving conventional patching and requiring a hard power cycle for removal, setting a new operational bar for persistent firmware-level threats against enterprise network infrastructure.