What does Firestarter malware do?

Firestarter is a backdoor malware designed to maintain persistent access to Cisco Firepower and Secure Firewall devices even after security patches and firmware updates have been applied. It allows attackers to remotely access compromised systems and execute custom shellcode.

Is my Cisco device affected by Firestarter?

CISA and NCSC have identified specific Cisco Firepower and Secure Firewall devices running ASA or FTD software as being targeted. They recommend administrators check for indicators of compromise, such as running the command `show kernel process | include lina_cs`.

Can I remove Firestarter malware if my device is infected?

Cisco strongly recommends reimaging and upgrading the affected device to a fixed release. A cold restart may remove the malware temporarily, but it carries a risk of data corruption and is not a recommended long-term solution.

🕳️ Vulnerabilities & CVEs

Firestarter Malware: Cisco Patches Fail [Deep Dive]

Cisco users, take note: a persistent new malware, dubbed Firestarter, is making a mockery of your security updates. This isn't just another bug; it's a sophisticated backdoor designed to survive patching, leaving even the most diligent administrators exposed.

Threat Digest Apr 25, 2026 5 min read

Schematic illustration of a network firewall with a glowing red padlock icon, symbolizing a security breach.

⚡ Key Takeaways

Firestarter malware evades Cisco firewall updates, achieving persistence across patches. 𝕏
The threat actor, UAT-4356, uses Firestarter for long-term cyberespionage. 𝕏
Initial access is gained through vulnerabilities like CVE-2025-20333 and CVE-2025-20362, followed by Line Viper for credential theft. 𝕏
Firestarter hooks into core Cisco processes and manipulates boot files to ensure reinstallation and execution. 𝕏
Cisco recommends reimaging devices, but temporary cold restarts may remove the malware with risks. 𝕏

Written by

Maya Thompson

Threat intelligence reporter. Tracks CVEs, ransomware groups, and major breach investigations.

#APT #CISA #cisco #cisco firepower #cisco firewall #cyberespionage #firestarter #firestarter malware #malware #ncsc #persistence #persistent malware #zero-day

Worth sharing?

Get the best Cybersecurity stories of the week in your inbox — no noise, no spam.

Originally reported by Bleeping Computer

⚡ Key Takeaways

The 60-Second TL;DR

Maya Thompson

Share this article

Worth sharing?

Related Stories

FIRESTARTER Malware Survives Cisco Patches [Analysis]

Early 'fast16' Malware Foreshadowed Stuxnet's Sabotage

[Alert] 100+ Malicious Chrome Extensions Steal Accounts

Fortinet's FortiClient Zero-Day Lets Hackers Slip Past Logins—Patch or Perish

Stay in the loop