A state-backed threat group has developed a custom backdoor for Cisco network security devices that survives reboots and firmware upgrades.

That’s according to US and British cybersecurity authorities at CISA and the NCSC – they said initial intrusions began with CVE-2025-20333 and CVE-2025-20362 but persisted even after customers patched devices. 

At least one federal agency was breached. The agencies described it as a “widespread campaign” without disclosing the number of victims.

Many victims may have been compromised since September 2025 without knowing it. That’s when exploitation of the CVEs was detected, but not the sophisticated persistent backdoor, which the two dubbed FIRESTARTER.

[FIRESTARTER manipulates] the mount list for Cisco Service Platform (CSP), namely “CSP_MOUNT_LIST”, to execute FIRESTARTER. The mount list allows programs and commands to be executed as part of the device’s boot sequence. The persistence mechanism triggers during graceful reboot (i.e., when a process termination signal is received). FIRESTARTER also checks the runlevel for value 6 (indicating device reboot) and in case of a match, writes itself to backup location “/opt/cisco/platform/logs/var/log/svc_samcore.log” and updates the CSP_MOUNT_LIST to copy itself back to “/usr/bin/lina_cs” and then be executed. When FIRESTARTER runs after a reboot, it restores the original CSP_MOUNT_LIST and removes the trojanized copy. Because the runlevel triggers establishment of this transient persistence mechanism, a hard reboot (for example, after the device has been unplugged from power) effectively removes the implant from the device. – Talos

The only real way to spot the malware is memory analysis. Organisations can get a disk image by opening a Cisco Technical Assistance Center (TAC) case. 

The malware works “for both Cisco Firepower and Secure Firewall devices; however, CISA has only observed successful implant of the malware in the wild on a Cisco Firepower device running ASA software,” the two said.

“Software versions after 9.17.1.40, 9.18.4.41, 9.19.1.32, and 9.20+ are not vulnerable to the [initial vulnerabilities exploited] however, if a device previously ran a software version that predates these releases, it may still be compromised, even if it has since been updated,” the two said in a September supplementary directive, updated this week to reflect new data.

The advanced persistent threat (APT), tracked by Cisco Talos as UAT-4356, has not been linked to a specific country by either agency, nor by Cisco Talos in its threat guide – suggesting highly advanced tradecraft by the group.

Censys earlier linked the group with China (making the claim in the wake of an earlier 2024 campaign that also targeted Cisco devices using zero days and bespoke malware, but said that it was “tough to draw definitive conclusions…”).

The Dutch General Intelligence and Security Service (AIVD) and its military counterpart, the MIVD, recently claimed that “China is now likely on equal footing with the United States in terms of offensive cyber capabilities.”

China-linked APTs have a track record of compromising network devices and gaining deep persistence.

A threat group hacked over 20,000 Fortinet devices in 2022-2023, breaching what Dutch intelligence said was “a large number of companies within the defense industry.” In that campaign, they deployed previously unseen, bespoke malware for Fortinet devices, dubbed COATHANGER, that also “survives reboots and firmware upgrades.”

CISA and the NCSC on April 23 urged other U.S. and U.K. organizations to run the YARA rules they shared against either a disk image or core dump of a device to detect FIRESTARTER malware, and to report any findings to CISA or the NCSC.
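As an added illustration (not the CISA/NCSC YARA rules, and not Cisco's or Talos's code), the following Python sweeps a raw disk image or core dump for the artefact strings the Talos description names, the backup "log" path, the /usr/bin/lina_cs path and the CSP_MOUNT_LIST name, and flags their combination for follow-up. The dump fragments are constructed; the real format of a CSP_MOUNT_LIST entry is an assumption and is not documented on this page.

```python
import re
from dataclasses import dataclass

# Artefact strings taken from the Talos description quoted above. These are the
# only page-sourced indicators; no hashes or signatures are assumed here.
INDICATORS = {
    "backup_copy": b"/opt/cisco/platform/logs/var/log/svc_samcore.log",
    "restored_binary": b"/usr/bin/lina_cs",
    "mount_list": b"CSP_MOUNT_LIST",
}

@dataclass
class Hit:
    name: str
    offset: int
    context: bytes  # a few bytes either side, for the analyst's notes

def sweep(blob: bytes, window: int = 24) -> list:
    """Return every occurrence of each indicator in a raw image or core dump."""
    hits = []
    for name, needle in INDICATORS.items():
        for m in re.finditer(re.escape(needle), blob):
            lo, hi = max(0, m.start() - window), min(len(blob), m.end() + window)
            hits.append(Hit(name, m.start(), blob[lo:hi]))
    return sorted(hits, key=lambda h: h.offset)

def triage(blob: bytes) -> dict:
    """Flag a dump when the mount-list name co-occurs with either implant path.
    CSP_MOUNT_LIST alone is expected on a legitimate device; the pairing with the
    svc_samcore.log backup path or lina_cs is what warrants a TAC case and the
    official YARA rules."""
    hits = sweep(blob)
    seen = {h.name for h in hits}
    suspicious = "mount_list" in seen and bool({"backup_copy", "restored_binary"} & seen)
    return {"hits": hits, "indicators": sorted(seen), "suspicious": suspicious}

# Constructed sample fragments; the entry syntax is invented for illustration.
SAMPLE_TAMPERED = (
    b"\x00\x00CSP_MOUNT_LIST=cp /opt/cisco/platform/logs/var/log/svc_samcore.log "
    b"/usr/bin/lina_cs && /usr/bin/lina_cs\x00\x00"
)
SAMPLE_CLEAN = b"\x00CSP_MOUNT_LIST=/mnt/disk0 /mnt/flash\x00"

if __name__ == "__main__":
    for label, blob in (("tampered", SAMPLE_TAMPERED), ("clean", SAMPLE_CLEAN)):
        result = triage(blob)
        print(label, "suspicious" if result["suspicious"] else "clean", result["indicators"])
        for h in result["hits"]:
            print(f"  {h.name:16s} @0x{h.offset:x} {h.context!r}")
```

For a real dump, read the file in binary mode and pass the bytes to `triage`; a positive result is a reason to open the TAC case and run the official rules, not a verdict on its own.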

In a second advisory, featuring a long list of co-authors, the NCSC warned that Chinese threat groups are using sprawling "covert networks" or botnets to launch attacks. These have been seen spanning routers, web cameras and video recorders, firewalls and Network Attached Storage (NAS) devices.

The NCSC urged security leaders to:

  • Map and understand network edge devices, developing a clear understanding of organisational assets and what should be connecting to them.
  • Baseline normal connections, especially to corporate virtual private networks (VPNs) or other similar services. Would you expect connections from consumer broadband ranges?
  • Leverage available dynamic threat feeds which include covert network infrastructure.
  • Implement multi-factor authentication for remote connections.