14JUN

FIRESTARTER implant survives every Cisco firewall patch

3 min read

11:51UTC

CISA and NCSC named FIRESTARTER on 24 April: a UAT-4356 implant that hooks the Cisco ASA and Firepower boot sequence and clears only on a hard power cycle.

← Back to VPN zero-day, no-patch KEV, late Exchange Jump to analysis ↓

TechnologyDeveloping

Key takeaway

FIRESTARTER survives every Cisco patch; only a hard power cycle evicts it.

CISA and the UK National Cyber Security Centre (NCSC) co-published joint advisory AA26-113A on Friday 24 April disclosing FIRESTARTER, a backdoor that embeds itself in the boot sequence of Cisco ASA (Adaptive Security Appliance) and Firepower Threat Defense (FTD) appliances and survives every patch and firmware update ¹. The implant was deployed by UAT-4356, the same government-backed actor behind 2024's ArcaneDoor campaign on Cisco edge devices. Activation runs through a magic-packet primitive: a crafted WebVPN authentication request carrying a secret prefix wakes shellcode in memory, with no continuous beacon for network telemetry to catch. UAT-4356 chained CVE-2025-20333 at CVSS 9.9 with CVE-2025-20362 for the initial intrusion, both patched in September 2025.

The companion implant Line Viper rides VPN sessions on the same appliances and bypasses authentication policy entirely. NCSC's attribution muscle on this advisory carries the same authority used in earlier GRU and APT advisories, but the technical content here is a tier deeper: indicator hygiene cannot reach a backdoor that re-installs itself before clean shutdown. The advisory tells operators that only a hard power cycle evicts FIRESTARTER, which means a maintenance window, a physical site visit and a planned outage on a production firewall.

For any Chief Information Security Officer (CISO) running Cisco at the perimeter, the September 2025 patch cycle has been retroactively reclassified from a closure event to an opening one. Cisco accepts that UAT-4356 is government-backed but declines formal nation-state attribution, the same hedged language used after ArcaneDoor. The UK Cyber Security and Resilience Bill baseline now sits over any UK trust or operator running this stack, so 'patched on schedule' has been priced out as a regulatory defence at the same moment it has stopped being a technical one.

Deep Analysis

In plain English

Normally, if your computer or network device is hacked and you install a security update, the hack is removed. FIRESTARTER is a hack that specifically survives that process: it hides inside the startup code that runs before any software loads, and every time you reboot the device, even during a security update, it quietly reinstalls itself. The only way to remove it is to pull the power cable completely and let the device start from a total cold state. One US government agency did everything right, applied the patches on schedule, and was still infected six months later.

Deep Analysis

Root Causes

Cisco ASA and Firepower appliances run a trusted-boot architecture where firmware signing keys protect the OS loader but not every component of the pre-boot environment. The two chained CVEs (CVE-2025-20333 at CVSS 9.9 and CVE-2025-20362) provided UAT-4356 with sufficient privilege to write into the boot sequence before the OS enforces signing checks.

Cisco's WebVPN endpoint is exposed by design on production perimeter firewalls, making the magic-packet activation surface available to any network path that can reach the management plane.

A secondary structural cause is the patching model itself: security teams apply patches during scheduled maintenance windows that involve controlled reboots. FIRESTARTER exploits the reboot as the persistence mechanism. The very action meant to close the window is the action that restores the implant, which means no patch SLA tightening can address the dwell problem without adding device-level cold-start audit to the same maintenance procedure.

Escalation

FIRESTARTER represents an escalation from volatile-memory persistence (ArcaneDoor 2024) to boot-sequence persistence that survives every standard remediation action. The unnamed federal agency's six-month post-patch dwell signals operational maturity in the implant: UAT-4356 is confident of staying undetected long enough to amortise the capability across multiple intelligence objectives.

What could happen next?

Consequence
Cisco perimeter device owners must add cold-start power-cycle audit to all maintenance windows, converting patch compliance into a multi-step physical eviction procedure.
Immediate · 0.9
Risk
Any organisation whose Cisco ASA or Firepower device was online during the September 2025 patch window and was not cold-audited faces an unresolved dwell risk regardless of current patch state.
Short term · 0.85
Precedent
FIRESTARTER sets a disclosure precedent: CISA and NCSC are prepared to publish joint technical advisories naming specific CVE chains and actor infrastructure even where the vendor (Cisco) declines formal nation-state attribution.
Medium term · 0.8
Consequence
Immutable-boot and hardware-rooted attestation product categories (TPM-anchored device integrity) gain procurement urgency at organisations with high-threat perimeter requirements.
Medium term · 0.75

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: Between 2015 and 2017, NSA's TAO unit (later exposed via the Shadow Brokers leak) deployed BANANAGLEE and JETPLOW persistent implants against Cisco ASA appliances, hooking the persistent storage in ways that also survived firmware updates.

The operational shape is structurally identical: a government actor, a Cisco perimeter platform, persistence below the patch layer, activation via crafted packets. BANANAGLEE was disclosed via the Shadow Brokers dump in 2017, not via a joint CISA-NCSC advisory, and no remediation guidance was issued for six years.

Counter-parallel: Russia's 2019 VPNFilter campaign across Linksys, Netgear, and MikroTik SOHO routers also achieved boot-sequence persistence. However, FBI and DOJ obtained a court order within days to redirect the command-and-control domain, effectively neutralising the network before eviction, an option that does not exist for an implant activated via a local magic-packet rather than a centralised C2 beacon.

Consensus view: Cisco Talos and NCSC assess that FIRESTARTER represents a structural escalation beyond previous Cisco edge-device campaigns: where ArcaneDoor relied on volatile memory resident code that a standard reboot could clear, FIRESTARTER hooks the pre-OS boot sequence so that every clean-shutdown cycle becomes a reinstallation opportunity.

Recorded Future's Insikt Group notes that the magic-packet activation primitive is specifically designed to evade network telemetry, leaving no continuous outbound beacon for threat-feed correlation to catch.

Counter-view: Kaspersky's Global Research and Analysis Team (GReAT) points out that boot-sequence persistence of this class has been known for industrial control systems since at least the 2015 UEFI-implant disclosures, and argues that Cisco's decision to deploy WebVPN authentication paths accessible from the public internet is the structural precondition. GReAT's prescribed remedy is perimeter segmentation and WebVPN access restriction, not device-eviction tooling.

Key tension: Whether FIRESTARTER's deployment is a targeted capability reserved for high-value perimeter devices or the leading indicator of a supply-chain-level compromise of the Cisco firmware signing chain.

First Reported In

Update #2 · FIRESTARTER puts Cisco below the patch line

CISA· 30 Apr 2026

Read original →

Causes and effects

Caused by

Signal, WhatsApp hit by three states

NCSC FIRESTARTER advisory repeats the attribution-output pattern established by the NCSC APT28 advisory in ID:2548, using the same co-signed format.

Occurred 31 Mar 2026

Read story →

EU CRA guidance; German NIS2 missed

FIRESTARTER advisory applies directly to UK operators covered by the UK Cyber Security and Resilience Bill baseline established in ID:2556.

Occurred 3 Mar 2026

Read story →

CL-STA-1132 exploited PAN-OS since 16 April, log destruction confirmed

CL-STA-1132 on PAN-OS runs identical post-exploitation doctrine to UAT-4356 FIRESTARTER on Cisco ASA and Firepower: service-account abuse, log destruction, open-source lateral movement tooling.

Occurred 16 Apr 2026

Read story →

UNC6780 takes Cisco AI Defense source code

The Cisco AI Defense source-code theft by UNC6780 escalates the FIRESTARTER-era picture of Cisco network-edge exposure into the AI-security product stack itself.

Occurred 11 May 2026

Read story →

UAT-8616 keeps Cisco SD-WAN under fire

UAT-8616's exploitation of CVE-2026-20182 continues the sustained campaign against Cisco edge devices documented with FIRESTARTER on 24 April, sharing ORB infrastructure.

Occurred 14 May 2026

Read story →

This Event

FIRESTARTER implant survives every Cisco firewall patch

Patching no longer establishes that a Cisco perimeter device is clean, which moves the CISO posture from indicator removal to physical eviction.

Led to

VPN zero-day open a month pre-patch

FIRESTARTER Cisco implant established the pattern of perimeter-device exploitation surviving patch cycles; the Check Point VPN zero-day continues the same arc of ransomware front-door access via network-edge flaws.

Occurred 8 Jun 2026

Read story →

Different Perspectives

Beijing-aligned attribution sceptics

CNCERT has noted that Western KEV ransomware-risk flags on DoS-only flaws such as Serv-U CVE-2026-28318 conflate disruption capability with breach capability, and that CJEU referrals for NIS2 non-transposition create compliance obligations that presuppose software-patchable architectures the Arista case shows are not universal.

Enterprise security buyers

Three successive KEV cycles in which federal deadlines precede, exceed or are refused by vendor patches require buyers to re-weight patch-SLA contractual terms: the KEV deadline is now the planning constraint, not the vendor advisory, and procurement due diligence must cover whether a hardware platform is even patchable in principle.

Check Point

Check Point disclosed CVE-2026-50751 and shipped a hotfix on 8 June, roughly 30 days after exploitation had begun, with a Qilin affiliate already inside at least one victim. Its delayed disclosure on a CVSS 9.3 perimeter bypass leaves customers to absorb a month-long pre-patch exposure window under CISA's three-day federal deadline.

European Commission and ENISA

NIS2 full personal-liability enforcement from 1 June and CJEU referrals against laggard member states represent the sharpest regulatory escalation in EU cyber history, backed by ENISA NIS360 sector-maturity evidence naming water, rail and waste water as the priority enforcement targets. NCAF 2.0 and NIS360 function as audit instruments rather than political signals.

UK NCSC

The NCSC issued the Dutch NCSC's imminent-abuse warning on the Check Point flaw in the same fortnight its sponsoring legislation cleared the Commons, widening incident-reporting duties to cover attacker pre-positioning. The payment-reporting gap left by the CS&R Bill means the NCSC continues to rely on voluntary Early Warning submissions for ransomware economics data.

US Federal CISO community

Federal CISOs face three active compliance obligations without a clean resolution: a three-day Check Point deadline met with a hotfix, a 23 June Arista deadline partially met with ACLs only, and a 16-day Exchange overrun still being fully remediated. BOD 22-01 is operating as an urgency signal but not as a vendor-cooperation mechanism.