7JUN

FIRESTARTER implant survives every Cisco firewall patch

3 min read

10:08UTC

CISA and NCSC named FIRESTARTER on 24 April: a UAT-4356 implant that hooks the Cisco ASA and Firepower boot sequence and clears only on a hard power cycle.

← Back to The 2024 patch that is breaking now Jump to analysis ↓

TechnologyDeveloping

Key takeaway

FIRESTARTER survives every Cisco patch; only a hard power cycle evicts it.

CISA and the UK National Cyber Security Centre (NCSC) co-published joint advisory AA26-113A on Friday 24 April disclosing FIRESTARTER, a backdoor that embeds itself in the boot sequence of Cisco ASA (Adaptive Security Appliance) and Firepower Threat Defense (FTD) appliances and survives every patch and firmware update ¹. The implant was deployed by UAT-4356, the same government-backed actor behind 2024's ArcaneDoor campaign on Cisco edge devices. Activation runs through a magic-packet primitive: a crafted WebVPN authentication request carrying a secret prefix wakes shellcode in memory, with no continuous beacon for network telemetry to catch. UAT-4356 chained CVE-2025-20333 at CVSS 9.9 with CVE-2025-20362 for the initial intrusion, both patched in September 2025.

The companion implant Line Viper rides VPN sessions on the same appliances and bypasses authentication policy entirely. NCSC's attribution muscle on this advisory carries the same authority used in earlier GRU and APT advisories, but the technical content here is a tier deeper: indicator hygiene cannot reach a backdoor that re-installs itself before clean shutdown. The advisory tells operators that only a hard power cycle evicts FIRESTARTER, which means a maintenance window, a physical site visit and a planned outage on a production firewall.

For any Chief Information Security Officer (CISO) running Cisco at the perimeter, the September 2025 patch cycle has been retroactively reclassified from a closure event to an opening one. Cisco accepts that UAT-4356 is government-backed but declines formal nation-state attribution, the same hedged language used after ArcaneDoor. The UK Cyber Security and Resilience Bill baseline now sits over any UK trust or operator running this stack, so 'patched on schedule' has been priced out as a regulatory defence at the same moment it has stopped being a technical one.

Deep Analysis

In plain English

Normally, if your computer or network device is hacked and you install a security update, the hack is removed. FIRESTARTER is a hack that specifically survives that process: it hides inside the startup code that runs before any software loads, and every time you reboot the device, even during a security update, it quietly reinstalls itself. The only way to remove it is to pull the power cable completely and let the device start from a total cold state. One US government agency did everything right, applied the patches on schedule, and was still infected six months later.

Deep Analysis

Root Causes

Cisco ASA and Firepower appliances run a trusted-boot architecture where firmware signing keys protect the OS loader but not every component of the pre-boot environment. The two chained CVEs (CVE-2025-20333 at CVSS 9.9 and CVE-2025-20362) provided UAT-4356 with sufficient privilege to write into the boot sequence before the OS enforces signing checks.

Cisco's WebVPN endpoint is exposed by design on production perimeter firewalls, making the magic-packet activation surface available to any network path that can reach the management plane.

A secondary structural cause is the patching model itself: security teams apply patches during scheduled maintenance windows that involve controlled reboots. FIRESTARTER exploits the reboot as the persistence mechanism. The very action meant to close the window is the action that restores the implant, which means no patch SLA tightening can address the dwell problem without adding device-level cold-start audit to the same maintenance procedure.

Escalation

FIRESTARTER represents an escalation from volatile-memory persistence (ArcaneDoor 2024) to boot-sequence persistence that survives every standard remediation action. The unnamed federal agency's six-month post-patch dwell signals operational maturity in the implant: UAT-4356 is confident of staying undetected long enough to amortise the capability across multiple intelligence objectives.

What could happen next?

Consequence
Cisco perimeter device owners must add cold-start power-cycle audit to all maintenance windows, converting patch compliance into a multi-step physical eviction procedure.
Immediate · 0.9
Risk
Any organisation whose Cisco ASA or Firepower device was online during the September 2025 patch window and was not cold-audited faces an unresolved dwell risk regardless of current patch state.
Short term · 0.85
Precedent
FIRESTARTER sets a disclosure precedent: CISA and NCSC are prepared to publish joint technical advisories naming specific CVE chains and actor infrastructure even where the vendor (Cisco) declines formal nation-state attribution.
Medium term · 0.8
Consequence
Immutable-boot and hardware-rooted attestation product categories (TPM-anchored device integrity) gain procurement urgency at organisations with high-threat perimeter requirements.
Medium term · 0.75

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: Between 2015 and 2017, NSA's TAO unit (later exposed via the Shadow Brokers leak) deployed BANANAGLEE and JETPLOW persistent implants against Cisco ASA appliances, hooking the persistent storage in ways that also survived firmware updates.

The operational shape is structurally identical: a government actor, a Cisco perimeter platform, persistence below the patch layer, activation via crafted packets. BANANAGLEE was disclosed via the Shadow Brokers dump in 2017, not via a joint CISA-NCSC advisory, and no remediation guidance was issued for six years.

Counter-parallel: Russia's 2019 VPNFilter campaign across Linksys, Netgear, and MikroTik SOHO routers also achieved boot-sequence persistence. However, FBI and DOJ obtained a court order within days to redirect the command-and-control domain, effectively neutralising the network before eviction, an option that does not exist for an implant activated via a local magic-packet rather than a centralised C2 beacon.

Consensus view: Cisco Talos and NCSC assess that FIRESTARTER represents a structural escalation beyond previous Cisco edge-device campaigns: where ArcaneDoor relied on volatile memory resident code that a standard reboot could clear, FIRESTARTER hooks the pre-OS boot sequence so that every clean-shutdown cycle becomes a reinstallation opportunity.

Recorded Future's Insikt Group notes that the magic-packet activation primitive is specifically designed to evade network telemetry, leaving no continuous outbound beacon for threat-feed correlation to catch.

Counter-view: Kaspersky's Global Research and Analysis Team (GReAT) points out that boot-sequence persistence of this class has been known for industrial control systems since at least the 2015 UEFI-implant disclosures, and argues that Cisco's decision to deploy WebVPN authentication paths accessible from the public internet is the structural precondition. GReAT's prescribed remedy is perimeter segmentation and WebVPN access restriction, not device-eviction tooling.

Key tension: Whether FIRESTARTER's deployment is a targeted capability reserved for high-value perimeter devices or the leading indicator of a supply-chain-level compromise of the Cisco firmware signing chain.

First Reported In

Update #2 · FIRESTARTER puts Cisco below the patch line

CISA· 30 Apr 2026

Read original →

Causes and effects

Caused by

Signal, WhatsApp hit by three states

NCSC FIRESTARTER advisory repeats the attribution-output pattern established by the NCSC APT28 advisory in ID:2548, using the same co-signed format.

Occurred 31 Mar 2026

Read story →

EU CRA guidance; German NIS2 missed

FIRESTARTER advisory applies directly to UK operators covered by the UK Cyber Security and Resilience Bill baseline established in ID:2556.

Occurred 3 Mar 2026

Read story →

CL-STA-1132 exploited PAN-OS since 16 April, log destruction confirmed

CL-STA-1132 on PAN-OS runs identical post-exploitation doctrine to UAT-4356 FIRESTARTER on Cisco ASA and Firepower: service-account abuse, log destruction, open-source lateral movement tooling.

Occurred 16 Apr 2026

Read story →

UNC6780 takes Cisco AI Defense source code

The Cisco AI Defense source-code theft by UNC6780 escalates the FIRESTARTER-era picture of Cisco network-edge exposure into the AI-security product stack itself.

Occurred 11 May 2026

Read story →

UAT-8616 keeps Cisco SD-WAN under fire

UAT-8616's exploitation of CVE-2026-20182 continues the sustained campaign against Cisco edge devices documented with FIRESTARTER on 24 April, sharing ORB infrastructure.

Occurred 14 May 2026

Read story →

This Event

FIRESTARTER implant survives every Cisco firewall patch

Patching no longer establishes that a Cisco perimeter device is clean, which moves the CISO posture from indicator removal to physical eviction.

Different Perspectives

Australian Cyber Security Centre (ACSC)

Australia's 18 of 95 May ransomware victims, nearly 19 per cent of global disclosed attacks against 0.3 per cent of global GDP, reflects end-of-life Windows Server concentration in healthcare, under-resourced national incident-response capacity, and time-zone isolation that slows vendor-assisted containment during peak attack windows.

Europol / international law enforcement

Operation Saffron's 27-country coordination set a new geographic breadth record for criminal-infrastructure seizure. The absence of an arrest alongside the server seizures limits durable impact: VPNLab.net and DoubleVPN precedents show gangs reconstitute on alternative hosts within two to four weeks.

UK Parliament (Cyber Security and Resilience Bill)

The Bill reaches Commons Report Stage on 10 June with penalties up to 4 per cent of global turnover. Qilin's NHS Synnovis attack in June 2024 and INC_RANSOM's Stuga Machinery posting on 5 June give the legislation a domestic evidence base connecting KEV-class exposure directly to UK CNI and supply-chain targeting.

German BSI / EU enterprise operator perspective

The 17-month lag between Oracle's January 2024 WebLogic patch and active exploitation confirms that CVSS 7.5 keeps a flaw below emergency-patch thresholds in most programmes, even when T3/IIOP exploitation is a documented recurring chain. BSI's T3/IIOP disablement guidance offers a network-layer mitigation that survives Oracle's quarterly patch cycle without requiring unscheduled downtime.

ENISA / EU cybersecurity regulator

NIS360's risk-zone designations for water and rail, following NCAF 2.0 in April, give member-state authorities a documented enforcement basis under NIS2. Fine ceilings at EUR 10 million cover essential entities; sub-threshold municipal water operators fall outside that scope, so designation without sector-level funding creates a perverse incentive to defer rather than remediate.

US federal CISO (FCEB agency)

Four staggered June deadlines covered WebLogic middleware, Linux containers, Android device fleets and Magento storefronts in a single fortnight, forcing triage that exposes whichever stack ranks lowest. CISA's proposed $707 million budget cut alongside this enforcement acceleration creates a direct credibility gap: the mandate grows while the capacity to sustain it shrinks.