New Linux Malware Strikes Cisco Firepower Network Security Appliances

Cisco Firepower Devices Targeted by Linux-Based Backdoor Named FIRESTARTER

The US Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) have issued a joint malware analysis report warning of a previously unknown Linux-based backdoor called FIRESTARTER.

This malware has been identified as a preferred tool among Advanced Persistent Threat (APT) actors due to its ability to establish persistent access on Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) firmware.

Initial access was gained by exploiting two known vulnerabilities in Cisco ASA and FTD, namely CVE-2025-20333 and CVE-2025-20362. These vulnerabilities allowed attackers to deploy the LINE VIPER post-exploitation implant, which enabled them to bypass authentication and establish illegitimate VPN sessions.

“According to the CISA and NCSC report, the FIRESTARTER backdoor was then installed to facilitate remote access and control.”

A specific sample of this malware was discovered on a compromised device under the filename lina_cs. This backdoor is a Linux Executable and Linkable Format (ELF) binary designed to operate on Cisco Firepower and Secure Firewall devices, acting as a command and control (C2) channel for remote access and control.

CISA identified suspicious connections on one U.S. Federal Civilian Executive Branch (FCEB) agency’s Cisco Firepower device running ASA software. Following validation and notification, CISA conducted a forensic engagement, discovering the FIRESTARTER malware on the device.

Moreover, traditional security fixes are insufficient against FIRESTARTER, as it remains active even after firmware updates. The malware achieves persistence by detecting termination signals and relaunching itself, surviving firmware updates and device reboots unless a hard power cycle occurs.
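One defender-side way to look for the respawn-after-termination behaviour described above during an incident-response engagement, as an added example that is not from the article or the CISA/NCSC report: compare a process snapshot taken before a suspect process is terminated with one taken afterwards, and flag any name that returns under a new PID. Only the filename lina_cs is taken from the report; the snapshot contents and PIDs are constructed sample data.

```python
from dataclasses import dataclass

KNOWN_BAD_NAMES = {"lina_cs"}  # filename named in the CISA/NCSC report


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    comm: str


def parse_ps(text: str) -> list[Proc]:
    """Parse text shaped like `ps -eo pid,ppid,comm` output; the header line is skipped."""
    procs = []
    for line in text.strip().splitlines()[1:]:
        pid, ppid, comm = line.split(None, 2)
        procs.append(Proc(int(pid), int(ppid), comm.strip()))
    return procs


def respawn_candidates(before: list[Proc], after: list[Proc], killed_pids: set[int]) -> list[str]:
    """Names of terminated processes that are gone by PID but running again under a new PID."""
    after_pids = {p.pid for p in after}
    flagged = set()
    for victim in (p for p in before if p.pid in killed_pids and p.pid not in after_pids):
        if any(p.comm == victim.comm for p in after):  # same name, necessarily a new PID
            flagged.add(victim.comm)
    return sorted(flagged)


def known_bad(procs: list[Proc]) -> list[str]:
    """Process names that match the filename reported for the backdoor."""
    return sorted(p.comm for p in procs if p.comm in KNOWN_BAD_NAMES)


# Constructed snapshots: PID 4120 (lina_cs) was sent SIGTERM between them.
BEFORE = """PID PPID COMMAND
1 0 init
3001 1 lina
4120 1 lina_cs
4200 1 sshd
"""
AFTER = """PID PPID COMMAND
1 0 init
3001 1 lina
4200 1 sshd
4377 1 lina_cs
"""

if __name__ == "__main__":
    print("respawned:", respawn_candidates(parse_ps(BEFORE), parse_ps(AFTER), {4120}))
    print("known bad:", known_bad(parse_ps(AFTER)))
```

A respawn hit only says the name came back; it does not by itself distinguish a malicious relauncher from a legitimate supervisor, so it is a lead for the forensic engagement, not a verdict.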

To fully remove the threat, the agencies recommend a hard power cycle, which involves physically unplugging the device from all power sources for at least one minute to clear the malware from the volatile memory.

Additionally, experts warn that edge infrastructure should be treated as a long-term intelligence problem, not just a patching problem. When attackers compromise internet-facing firewalls, they gain a high-value control point in the network. Persistence mechanisms like FIRESTARTER are particularly concerning because they can survive routine fixes and allow attackers to regain access later.

  • Organizations need continuous visibility into perimeter devices and external activity, as internal signs may appear only after the attacker is already established.