29MAY

FIRESTARTER implant survives every Cisco firewall patch

3 min read

14:17UTC

CISA and NCSC named FIRESTARTER on 24 April: a UAT-4356 implant that hooks the Cisco ASA and Firepower boot sequence and clears only on a hard power cycle.

← Back to GitHub's own code cloned via VS Code add-on Jump to analysis ↓

TechnologyDeveloping

Key takeaway

FIRESTARTER survives every Cisco patch; only a hard power cycle evicts it.

CISA and the UK National Cyber Security Centre (NCSC) co-published joint advisory AA26-113A on Friday 24 April disclosing FIRESTARTER, a backdoor that embeds itself in the boot sequence of Cisco ASA (Adaptive Security Appliance) and Firepower Threat Defense (FTD) appliances and survives every patch and firmware update ¹. The implant was deployed by UAT-4356, the same government-backed actor behind 2024's ArcaneDoor campaign on Cisco edge devices. Activation runs through a magic-packet primitive: a crafted WebVPN authentication request carrying a secret prefix wakes shellcode in memory, with no continuous beacon for network telemetry to catch. UAT-4356 chained CVE-2025-20333 at CVSS 9.9 with CVE-2025-20362 for the initial intrusion, both patched in September 2025.

The companion implant Line Viper rides VPN sessions on the same appliances and bypasses authentication policy entirely. NCSC's attribution muscle on this advisory carries the same authority used in earlier GRU and APT advisories, but the technical content here is a tier deeper: indicator hygiene cannot reach a backdoor that re-installs itself before clean shutdown. The advisory tells operators that only a hard power cycle evicts FIRESTARTER, which means a maintenance window, a physical site visit and a planned outage on a production firewall.

For any Chief Information Security Officer (CISO) running Cisco at the perimeter, the September 2025 patch cycle has been retroactively reclassified from a closure event to an opening one. Cisco accepts that UAT-4356 is government-backed but declines formal nation-state attribution, the same hedged language used after ArcaneDoor. The UK Cyber Security and Resilience Bill baseline now sits over any UK trust or operator running this stack, so 'patched on schedule' has been priced out as a regulatory defence at the same moment it has stopped being a technical one.

Deep Analysis

In plain English

Normally, if your computer or network device is hacked and you install a security update, the hack is removed. FIRESTARTER is a hack that specifically survives that process: it hides inside the startup code that runs before any software loads, and every time you reboot the device, even during a security update, it quietly reinstalls itself. The only way to remove it is to pull the power cable completely and let the device start from a total cold state. One US government agency did everything right, applied the patches on schedule, and was still infected six months later.

Deep Analysis

Root Causes

Cisco ASA and Firepower appliances run a trusted-boot architecture where firmware signing keys protect the OS loader but not every component of the pre-boot environment. The two chained CVEs (CVE-2025-20333 at CVSS 9.9 and CVE-2025-20362) provided UAT-4356 with sufficient privilege to write into the boot sequence before the OS enforces signing checks.

Cisco's WebVPN endpoint is exposed by design on production perimeter firewalls, making the magic-packet activation surface available to any network path that can reach the management plane.

A secondary structural cause is the patching model itself: security teams apply patches during scheduled maintenance windows that involve controlled reboots. FIRESTARTER exploits the reboot as the persistence mechanism. The very action meant to close the window is the action that restores the implant, which means no patch SLA tightening can address the dwell problem without adding device-level cold-start audit to the same maintenance procedure.

Escalation

FIRESTARTER represents an escalation from volatile-memory persistence (ArcaneDoor 2024) to boot-sequence persistence that survives every standard remediation action. The unnamed federal agency's six-month post-patch dwell signals operational maturity in the implant: UAT-4356 is confident of staying undetected long enough to amortise the capability across multiple intelligence objectives.

What could happen next?

Consequence
Cisco perimeter device owners must add cold-start power-cycle audit to all maintenance windows, converting patch compliance into a multi-step physical eviction procedure.
Immediate · 0.9
Risk
Any organisation whose Cisco ASA or Firepower device was online during the September 2025 patch window and was not cold-audited faces an unresolved dwell risk regardless of current patch state.
Short term · 0.85
Precedent
FIRESTARTER sets a disclosure precedent: CISA and NCSC are prepared to publish joint technical advisories naming specific CVE chains and actor infrastructure even where the vendor (Cisco) declines formal nation-state attribution.
Medium term · 0.8
Consequence
Immutable-boot and hardware-rooted attestation product categories (TPM-anchored device integrity) gain procurement urgency at organisations with high-threat perimeter requirements.
Medium term · 0.75

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: Between 2015 and 2017, NSA's TAO unit (later exposed via the Shadow Brokers leak) deployed BANANAGLEE and JETPLOW persistent implants against Cisco ASA appliances, hooking the persistent storage in ways that also survived firmware updates.

The operational shape is structurally identical: a government actor, a Cisco perimeter platform, persistence below the patch layer, activation via crafted packets. BANANAGLEE was disclosed via the Shadow Brokers dump in 2017, not via a joint CISA-NCSC advisory, and no remediation guidance was issued for six years.

Counter-parallel: Russia's 2019 VPNFilter campaign across Linksys, Netgear, and MikroTik SOHO routers also achieved boot-sequence persistence. However, FBI and DOJ obtained a court order within days to redirect the command-and-control domain, effectively neutralising the network before eviction, an option that does not exist for an implant activated via a local magic-packet rather than a centralised C2 beacon.

Consensus view: Cisco Talos and NCSC assess that FIRESTARTER represents a structural escalation beyond previous Cisco edge-device campaigns: where ArcaneDoor relied on volatile memory resident code that a standard reboot could clear, FIRESTARTER hooks the pre-OS boot sequence so that every clean-shutdown cycle becomes a reinstallation opportunity.

Recorded Future's Insikt Group notes that the magic-packet activation primitive is specifically designed to evade network telemetry, leaving no continuous outbound beacon for threat-feed correlation to catch.

Counter-view: Kaspersky's Global Research and Analysis Team (GReAT) points out that boot-sequence persistence of this class has been known for industrial control systems since at least the 2015 UEFI-implant disclosures, and argues that Cisco's decision to deploy WebVPN authentication paths accessible from the public internet is the structural precondition. GReAT's prescribed remedy is perimeter segmentation and WebVPN access restriction, not device-eviction tooling.

Key tension: Whether FIRESTARTER's deployment is a targeted capability reserved for high-value perimeter devices or the leading indicator of a supply-chain-level compromise of the Cisco firmware signing chain.

First Reported In

Update #2 · FIRESTARTER puts Cisco below the patch line

CISA· 30 Apr 2026

Read original →

Causes and effects

Caused by

Signal, WhatsApp hit by three states

NCSC FIRESTARTER advisory repeats the attribution-output pattern established by the NCSC APT28 advisory in ID:2548, using the same co-signed format.

Occurred 31 Mar 2026

Read story →

EU CRA guidance; German NIS2 missed

FIRESTARTER advisory applies directly to UK operators covered by the UK Cyber Security and Resilience Bill baseline established in ID:2556.

Occurred 3 Mar 2026

Read story →

CL-STA-1132 exploited PAN-OS since 16 April, log destruction confirmed

CL-STA-1132 on PAN-OS runs identical post-exploitation doctrine to UAT-4356 FIRESTARTER on Cisco ASA and Firepower: service-account abuse, log destruction, open-source lateral movement tooling.

Occurred 16 Apr 2026

Read story →

UNC6780 takes Cisco AI Defense source code

The Cisco AI Defense source-code theft by UNC6780 escalates the FIRESTARTER-era picture of Cisco network-edge exposure into the AI-security product stack itself.

Occurred 11 May 2026

Read story →

UAT-8616 keeps Cisco SD-WAN under fire

UAT-8616's exploitation of CVE-2026-20182 continues the sustained campaign against Cisco edge devices documented with FIRESTARTER on 24 April, sharing ORB infrastructure.

Occurred 14 May 2026

Read story →

This Event

FIRESTARTER implant survives every Cisco firewall patch

Patching no longer establishes that a Cisco perimeter device is clean, which moves the CISO posture from indicator removal to physical eviction.

Different Perspectives

Google Threat Intelligence Group

GTIG's attribution of the GitHub breach extends UNC6780's documented arc from SAP npm through Cisco AI Defense to GitHub's own estate; its 36-hour LiteLLM exploitation set the speed benchmark CISA AA26-148A is designed to address. GTIG's published tracking gives defenders the actor profile needed to assess their own developer-toolchain exposure.

Enterprise security buyers / CISO community

For enterprise security leaders, two KEV AI-orchestration entries in three weeks (LiteLLM 8 May, Langflow 21 May) convert shadow AI tooling from a governance risk to a confirmed attack surface requiring immediate software asset inventory. The 65 per cent gap in enterprise AI tool inventories documented by Wiz Research is now a liability rather than a compliance footnote.

DSIT / UK Government

DSIT framed the £14.7 billion sector figure and the Cyber Resilience Pledge as a paired signal: commercial strength alongside supply-chain accountability, with £90 million targeting the NHS supplier exposure this briefing's threat events directly illustrate. The voluntary Pledge's enforceability gap, prior to the Cyber Security and Resilience Bill reaching Royal Assent, is the question its launch does not answer.

GitHub / Microsoft

GitHub confirmed that no customer repositories or user data were affected by the Nx Console breach, but acknowledged approximately 3,800 internal repositories were cloned and referred to CISA Alert AA26-148A's allow-listing guidance. The incident puts Microsoft in the position of operating a marketplace whose publisher-verification gap is now a documented attack vector in a federal advisory.

Tsinghua University Institute for International Strategic Studies

Beijing-aligned commentary rejects US attribution of PRC-nexus clusters (UNC2814, APT45, UAT-8616) as politically motivated framing, characterising the April sixteen-agency joint advisory as coordinated Western pressure rather than independent technical assessment.

Cisco

Cisco has not confirmed the UNC6780 breach scope beyond the named AI Defense and AI Assistant projects; GitHub confirmed an investigation. CVE-2026-20182 is the sixth Cisco SD-WAN KEV entry in 2026, reaching that milestone the same week UNC6780's source-code visibility into the portfolio became public.