Line Viper

UAT-4356 companion implant to FIRESTARTER; hijacks VPN sessions on Cisco ASA, bypassing all authentication.

Last refreshed: 30 April 2026

Key Question

How does Line Viper let attackers bypass VPN authentication on a Cisco firewall?

Common Questions
What does Line Viper do on a compromised Cisco firewall?
Line Viper establishes VPN sessions on compromised Cisco ASA appliances and bypasses all VPN authentication policies, allowing UAT-4356 operators to tunnel through the victim's perimeter network without triggering authentication checks. It operates alongside the FIRESTARTER boot-sequence backdoor as part of a two-implant toolchain. Source: CISA/NCSC advisory AA26-113A
How is Line Viper related to FIRESTARTER?
FIRESTARTER and Line Viper are companion implants deployed together by UAT-4356 on Cisco ASA appliances. FIRESTARTER provides persistent boot-sequence access; Line Viper exploits that foothold to hijack VPN sessions and bypass authentication policies. Both were disclosed in advisory AA26-113A on 24 April 2026. Source: CISA/NCSC advisory AA26-113A
How do you remove Line Viper from a Cisco ASA device?
Like FIRESTARTER, Line Viper requires a hard power cycle for eviction. Standard reboots reinstall FIRESTARTER, which can redeploy Line Viper. CISA's advisory AA26-113A mandates a physical plug-pull and cold-start procedure for all potentially compromised Cisco ASA and Firepower devices. Source: CISA/NCSC advisory AA26-113A

Background

Line Viper is a companion implant deployed by UAT-4356 alongside FIRESTARTER on compromised Cisco ASA appliances. Where FIRESTARTER provides persistent boot-sequence backdoor access, Line Viper performs a distinct function: it establishes VPN sessions on the compromised device and bypasses all VPN authentication policies, allowing UAT-4356 operators to tunnel through the victim's perimeter without triggering authentication checks. Both implants were disclosed in joint CISA-NCSC advisory AA26-113A on 24 April 2026.

Line Viper represents a division of capability within UAT-4356's toolchain. FIRESTARTER provides the persistent foothold; Line Viper exploits that foothold to enable lateral movement and exfiltration through VPN infrastructure that defenders trust as a controlled boundary. The combination means a compromised Cisco ASA edge device is simultaneously a backdoored host and a VPN pivot point. Like FIRESTARTER, Line Viper is evicted only by a hard power cycle; conventional patch-and-reboot cycles reinstall FIRESTARTER, which can in turn redeploy Line Viper.

Line Viper is a malicious implant attributed to the government-backed threat actor UAT-4356. It operates as a companion to the FIRESTARTER boot-sequence backdoor on Cisco ASA appliances, specifically enabling VPN session hijacking and authentication bypass. It was publicly disclosed in April 2026 via joint advisory AA26-113A from CISA and the UK's NCSC.
