Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
4JUL

FIRESTARTER implant survives every Cisco firewall patch

3 min read
11:00UTC

CISA and NCSC named FIRESTARTER on 24 April: a UAT-4356 implant that hooks the Cisco ASA and Firepower boot sequence and clears only on a hard power cycle.

TechnologyDeveloping
Key takeaway

FIRESTARTER survives every Cisco patch; only a hard power cycle evicts it.

CISA and the UK National Cyber Security Centre (NCSC) co-published joint advisory AA26-113A on Friday 24 April disclosing FIRESTARTER, a backdoor that embeds itself in the boot sequence of Cisco ASA (Adaptive Security Appliance) and Firepower Threat Defense (FTD) appliances and survives every patch and firmware update 1. The implant was deployed by UAT-4356, the same government-backed actor behind 2024's ArcaneDoor campaign on Cisco edge devices. Activation runs through a magic-packet primitive: a crafted WebVPN authentication request carrying a secret prefix wakes shellcode in memory, with no continuous beacon for network telemetry to catch. UAT-4356 chained CVE-2025-20333 at CVSS 9.9 with CVE-2025-20362 for the initial intrusion, both patched in September 2025.

The companion implant Line Viper rides VPN sessions on the same appliances and bypasses authentication policy entirely. NCSC's attribution muscle on this advisory carries the same authority used in earlier GRU and APT advisories, but the technical content here is a tier deeper: indicator hygiene cannot reach a backdoor that re-installs itself before clean shutdown. The advisory tells operators that only a hard power cycle evicts FIRESTARTER, which means a maintenance window, a physical site visit and a planned outage on a production firewall.

For any Chief Information Security Officer (CISO) running Cisco at the perimeter, the September 2025 patch cycle has been retroactively reclassified from a closure event to an opening one. Cisco accepts that UAT-4356 is government-backed but declines formal nation-state attribution, the same hedged language used after ArcaneDoor. The UK Cyber Security and Resilience Bill baseline now sits over any UK trust or operator running this stack, so 'patched on schedule' has been priced out as a regulatory defence at the same moment it has stopped being a technical one.

Deep Analysis

In plain English

Normally, if your computer or network device is hacked and you install a security update, the hack is removed. FIRESTARTER is a hack that specifically survives that process: it hides inside the startup code that runs before any software loads, and every time you reboot the device, even during a security update, it quietly reinstalls itself. The only way to remove it is to pull the power cable completely and let the device start from a total cold state. One US government agency did everything right, applied the patches on schedule, and was still infected six months later.

Deep Analysis
Root Causes

Cisco ASA and Firepower appliances run a trusted-boot architecture where firmware signing keys protect the OS loader but not every component of the pre-boot environment. The two chained CVEs (CVE-2025-20333 at CVSS 9.9 and CVE-2025-20362) provided UAT-4356 with sufficient privilege to write into the boot sequence before the OS enforces signing checks.

Cisco's WebVPN endpoint is exposed by design on production perimeter firewalls, making the magic-packet activation surface available to any network path that can reach the management plane.

A secondary structural cause is the patching model itself: security teams apply patches during scheduled maintenance windows that involve controlled reboots. FIRESTARTER exploits the reboot as the persistence mechanism. The very action meant to close the window is the action that restores the implant, which means no patch SLA tightening can address the dwell problem without adding device-level cold-start audit to the same maintenance procedure.

Escalation

FIRESTARTER represents an escalation from volatile-memory persistence (ArcaneDoor 2024) to boot-sequence persistence that survives every standard remediation action. The unnamed federal agency's six-month post-patch dwell signals operational maturity in the implant: UAT-4356 is confident of staying undetected long enough to amortise the capability across multiple intelligence objectives.

What could happen next?
  • Consequence

    Cisco perimeter device owners must add cold-start power-cycle audit to all maintenance windows, converting patch compliance into a multi-step physical eviction procedure.

    Immediate · 0.9
  • Risk

    Any organisation whose Cisco ASA or Firepower device was online during the September 2025 patch window and was not cold-audited faces an unresolved dwell risk regardless of current patch state.

    Short term · 0.85
  • Precedent

    FIRESTARTER sets a disclosure precedent: CISA and NCSC are prepared to publish joint technical advisories naming specific CVE chains and actor infrastructure even where the vendor (Cisco) declines formal nation-state attribution.

    Medium term · 0.8
  • Consequence

    Immutable-boot and hardware-rooted attestation product categories (TPM-anchored device integrity) gain procurement urgency at organisations with high-threat perimeter requirements.

    Medium term · 0.75
First Reported In

Update #2 · FIRESTARTER puts Cisco below the patch line

CISA· 30 Apr 2026
Read original
Causes and effects
This Event
FIRESTARTER implant survives every Cisco firewall patch
Patching no longer establishes that a Cisco perimeter device is clean, which moves the CISO posture from indicator removal to physical eviction.
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.