30APR

FIRESTARTER implant survives every Cisco firewall patch

3 min read

08:16UTC

CISA and NCSC named FIRESTARTER on 24 April: a UAT-4356 implant that hooks the Cisco ASA and Firepower boot sequence and clears only on a hard power cycle.

← Back to FIRESTARTER puts Cisco below the patch line Jump to analysis ↓

TechnologyDeveloping

Key takeaway

FIRESTARTER survives every Cisco patch; only a hard power cycle evicts it.

CISA and the UK National Cyber Security Centre (NCSC) co-published joint advisory AA26-113A on Friday 24 April disclosing FIRESTARTER, a backdoor that embeds itself in the boot sequence of Cisco ASA (Adaptive Security Appliance) and Firepower Threat Defense (FTD) appliances and survives every patch and firmware update ¹. The implant was deployed by UAT-4356, the same government-backed actor behind 2024's ArcaneDoor campaign on Cisco edge devices. Activation runs through a magic-packet primitive: a crafted WebVPN authentication request carrying a secret prefix wakes shellcode in memory, with no continuous beacon for network telemetry to catch. UAT-4356 chained CVE-2025-20333 at CVSS 9.9 with CVE-2025-20362 for the initial intrusion, both patched in September 2025.

The companion implant Line Viper rides VPN sessions on the same appliances and bypasses authentication policy entirely. NCSC's attribution muscle on this advisory carries the same authority used in earlier GRU and APT advisories, but the technical content here is a tier deeper: indicator hygiene cannot reach a backdoor that re-installs itself before clean shutdown. The advisory tells operators that only a hard power cycle evicts FIRESTARTER, which means a maintenance window, a physical site visit and a planned outage on a production firewall.

For any Chief Information Security Officer (CISO) running Cisco at the perimeter, the September 2025 patch cycle has been retroactively reclassified from a closure event to an opening one. Cisco accepts that UAT-4356 is government-backed but declines formal nation-state attribution, the same hedged language used after ArcaneDoor. The UK Cyber Security and Resilience Bill baseline now sits over any UK trust or operator running this stack, so 'patched on schedule' has been priced out as a regulatory defence at the same moment it has stopped being a technical one.

Deep Analysis

In plain English

Normally, if your computer or network device is hacked and you install a security update, the hack is removed. FIRESTARTER is a hack that specifically survives that process: it hides inside the startup code that runs before any software loads, and every time you reboot the device, even during a security update, it quietly reinstalls itself. The only way to remove it is to pull the power cable completely and let the device start from a total cold state. One US government agency did everything right, applied the patches on schedule, and was still infected six months later.

Deep Analysis

Root Causes

Cisco ASA and Firepower appliances run a trusted-boot architecture where firmware signing keys protect the OS loader but not every component of the pre-boot environment. The two chained CVEs (CVE-2025-20333 at CVSS 9.9 and CVE-2025-20362) provided UAT-4356 with sufficient privilege to write into the boot sequence before the OS enforces signing checks.

Cisco's WebVPN endpoint is exposed by design on production perimeter firewalls, making the magic-packet activation surface available to any network path that can reach the management plane.

A secondary structural cause is the patching model itself: security teams apply patches during scheduled maintenance windows that involve controlled reboots. FIRESTARTER exploits the reboot as the persistence mechanism. The very action meant to close the window is the action that restores the implant, which means no patch SLA tightening can address the dwell problem without adding device-level cold-start audit to the same maintenance procedure.

Escalation

FIRESTARTER represents an escalation from volatile-memory persistence (ArcaneDoor 2024) to boot-sequence persistence that survives every standard remediation action. The unnamed federal agency's six-month post-patch dwell signals operational maturity in the implant: UAT-4356 is confident of staying undetected long enough to amortise the capability across multiple intelligence objectives.

What could happen next?

Consequence
Cisco perimeter device owners must add cold-start power-cycle audit to all maintenance windows, converting patch compliance into a multi-step physical eviction procedure.
Immediate · 0.9
Risk
Any organisation whose Cisco ASA or Firepower device was online during the September 2025 patch window and was not cold-audited faces an unresolved dwell risk regardless of current patch state.
Short term · 0.85
Precedent
FIRESTARTER sets a disclosure precedent: CISA and NCSC are prepared to publish joint technical advisories naming specific CVE chains and actor infrastructure even where the vendor (Cisco) declines formal nation-state attribution.
Medium term · 0.8
Consequence
Immutable-boot and hardware-rooted attestation product categories (TPM-anchored device integrity) gain procurement urgency at organisations with high-threat perimeter requirements.
Medium term · 0.75

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: Between 2015 and 2017, NSA's TAO unit (later exposed via the Shadow Brokers leak) deployed BANANAGLEE and JETPLOW persistent implants against Cisco ASA appliances, hooking the persistent storage in ways that also survived firmware updates.

The operational shape is structurally identical: a government actor, a Cisco perimeter platform, persistence below the patch layer, activation via crafted packets. BANANAGLEE was disclosed via the Shadow Brokers dump in 2017, not via a joint CISA-NCSC advisory, and no remediation guidance was issued for six years.

Counter-parallel: Russia's 2019 VPNFilter campaign across Linksys, Netgear, and MikroTik SOHO routers also achieved boot-sequence persistence. However, FBI and DOJ obtained a court order within days to redirect the command-and-control domain, effectively neutralising the network before eviction, an option that does not exist for an implant activated via a local magic-packet rather than a centralised C2 beacon.

Consensus view: Cisco Talos and NCSC assess that FIRESTARTER represents a structural escalation beyond previous Cisco edge-device campaigns: where ArcaneDoor relied on volatile memory resident code that a standard reboot could clear, FIRESTARTER hooks the pre-OS boot sequence so that every clean-shutdown cycle becomes a reinstallation opportunity.

Recorded Future's Insikt Group notes that the magic-packet activation primitive is specifically designed to evade network telemetry, leaving no continuous outbound beacon for threat-feed correlation to catch.

Counter-view: Kaspersky's Global Research and Analysis Team (GReAT) points out that boot-sequence persistence of this class has been known for industrial control systems since at least the 2015 UEFI-implant disclosures, and argues that Cisco's decision to deploy WebVPN authentication paths accessible from the public internet is the structural precondition. GReAT's prescribed remedy is perimeter segmentation and WebVPN access restriction, not device-eviction tooling.

Key tension: Whether FIRESTARTER's deployment is a targeted capability reserved for high-value perimeter devices or the leading indicator of a supply-chain-level compromise of the Cisco firmware signing chain.

First Reported In

Update #2 · FIRESTARTER puts Cisco below the patch line

CISA· 30 Apr 2026

Read original →

Causes and effects

Caused by

Signal, WhatsApp hit by three states

NCSC FIRESTARTER advisory repeats the attribution-output pattern established by the NCSC APT28 advisory in ID:2548, using the same co-signed format.

Occurred 31 Mar 2026

Read story →

EU CRA guidance; German NIS2 missed

FIRESTARTER advisory applies directly to UK operators covered by the UK Cyber Security and Resilience Bill baseline established in ID:2556.

Occurred 3 Mar 2026

Read story →

CL-STA-1132 exploited PAN-OS since 16 April, log destruction confirmed

CL-STA-1132 on PAN-OS runs identical post-exploitation doctrine to UAT-4356 FIRESTARTER on Cisco ASA and Firepower: service-account abuse, log destruction, open-source lateral movement tooling.

Occurred 16 Apr 2026

Read story →

This Event

FIRESTARTER implant survives every Cisco firewall patch

Patching no longer establishes that a Cisco perimeter device is clean, which moves the CISO posture from indicator removal to physical eviction.

Different Perspectives

Norwegian Security and Service Organisation

NSSO was a prior victim of Ivanti EPMM zero-days and now faces CVE-2026-6973 in the same product line. Ivanti's position that on-premises EPMM is the only affected tier provides limited reassurance to a government body that has already been compromised twice via the same vendor's MDM infrastructure.

ENISA and EU CNA Ecosystem

ENISA onboarded four new CVE Numbering Authorities under ENISA Root on 6 May, expanding EU-sovereign vulnerability disclosure infrastructure in the same week three critical CVEs entered the CISA KEV catalogue. Greater CNA coverage inside the EU reduces dependence on US-anchored MITRE for European-sourced vulnerability identifiers.

German Federal Office for Information Security (BSI)

BSI rated CVE-2026-41940 in cPanel 'very high', reflecting Germany's exposure across shared-hosting infrastructure for Mittelstand businesses. The 65-day zero-day window and the amplification effect of cPanel's multi-tenancy model mean the BSI rating applies to thousands of German SME websites hosted on affected servers.

Republic of Korea National Intelligence Service

South Korea's NIS tracks UNC1069's tooling evolution; the CSIS paper argues the ROK's intelligence on DPRK cyber operations should feed joint US-ROK situational awareness rather than bilateral channels that move too slowly for real-time supply-chain response.

Democratic People's Republic of Korea

UNC1069's Axios operation scales North Korea's supply-chain access from niche Python packages to the most downloaded HTTP client in the JavaScript ecosystem. WAVESHAPER.V2 provides persistent access to development environments where cryptocurrency wallets and API keys are stored, serving the sanctions-evasion funding logic behind earlier DPRK toolchain operations.

WatchTowr Labs

WatchTowr Labs disclosed CVE-2026-41940 after the 28 April patch shipped, providing the 65-day exploitation timeline from KnownHost telemetry. The disclosure is textbook; the open question is why WebPros did not catch the cpsrvd CRLF class flaw before external researchers found it under active exploitation.